cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4468
Views
21
Helpful
3
Replies

ACI Script - Orphaned objects

mmacdonald70
Level 1
Level 1

Over the years, our ACI deployment has picked up quite a lot of orphaned policy objects.  For instance, when some people decomissioned switches or servers, they might forget to delete switch selectors, interface selectors or policy groups.

 

I have been going through trying to manually delete them when I find them but it would be nice to have a more automated way to do it.  Does anybody either:

- Already have a script to find policy object that aren't used or

- Know of the best way to do this through a script?

1 Accepted Solution

Accepted Solutions

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @mmacdonald70 

 

The script you are looking for is called acilint:

https://github.com/datacenter/acitoolkit/blob/master/applications/lint/acilint.py

 

How to use it:

  1. Prepare your venv:
python3 -m venv ./venv
source venv/bin/activate
pip install acitoolkit
  1. Download the file (or copy the raw output), save it into a file called acilint.py
  2. Run the script:
python acilint.py -l admin -p password -u https://1.2.3.4
  1. Enjoy the output:
Getting configuration from APIC....
Processing configuration....
Error 001: BridgeDomain 't2' in tenant 'common' has no Context assigned.
Error 001: BridgeDomain 't' in tenant 'common' has no Context assigned.
Warning 001: Tenant 'mgmt' has no Application Profile.
Warning 001: Tenant 'acitoolkit' has no Application Profile.
Warning 001: Tenant 'Ansible' has no Application Profile.
Warning 002: Tenant 'acitoolkit' has no Context.
Warning 002: Tenant 'Ansible' has no Context.
Warning 003: AppProfile 'default' in Tenant 'common'has no EPGs.

 

What does each error/warning level mean you can find here: http://datacenter.github.io/acitoolkit/docsbuild/html/acilint.html#errors-and-warnings

 

Stay safe,

Sergiu

View solution in original post

3 Replies 3

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @mmacdonald70 

 

The script you are looking for is called acilint:

https://github.com/datacenter/acitoolkit/blob/master/applications/lint/acilint.py

 

How to use it:

  1. Prepare your venv:
python3 -m venv ./venv
source venv/bin/activate
pip install acitoolkit
  1. Download the file (or copy the raw output), save it into a file called acilint.py
  2. Run the script:
python acilint.py -l admin -p password -u https://1.2.3.4
  1. Enjoy the output:
Getting configuration from APIC....
Processing configuration....
Error 001: BridgeDomain 't2' in tenant 'common' has no Context assigned.
Error 001: BridgeDomain 't' in tenant 'common' has no Context assigned.
Warning 001: Tenant 'mgmt' has no Application Profile.
Warning 001: Tenant 'acitoolkit' has no Application Profile.
Warning 001: Tenant 'Ansible' has no Application Profile.
Warning 002: Tenant 'acitoolkit' has no Context.
Warning 002: Tenant 'Ansible' has no Context.
Warning 003: AppProfile 'default' in Tenant 'common'has no EPGs.

 

What does each error/warning level mean you can find here: http://datacenter.github.io/acitoolkit/docsbuild/html/acilint.html#errors-and-warnings

 

Stay safe,

Sergiu

RedNectar
VIP
VIP

Hi @mmacdonald70 ,

Just a little note about some of the quirks acilint.py that @Sergiu.Daniluk mentioned.

Firstly, it is a great little utility. BUT...

  • It does not check ALL your configuration - in fact it checks NONE of your Access Policies - such as whether a VLAN Pool is assigned to a Domain or not.  It checks ONLY for certain things in Tenant configurations
  • It prints warnings about Contracts and contact Subjects being bi-directional, instead of checking that they are bi-directional - i.e. it has the warning logic the complete wrong-way around - instead of warning that your contacts are uni-directional (uni-directional  contracts should NOT be used except in specific purposes), it warns if your contacts are the normal bi-directional type that allow for the return traffic.
    • Bottom line: IGNORE all warnings about contracts being bidriectional, or re-write the code to correct it 
    • My suspicion is that this is a hang-over from when Cisco completely underestimated the amount of TCAM needed for 1st generation switches, and had to come up with weird techniques (like implementing uni-directional contracts) to preserve TCAM.
  • It falsely ASSUMES that you have assigned tags to all EPGs - and those tags are specifically the words secure or nonsecure.  This is documented in the code, but causes stupid and scary output if you are not expecting it.
    • Bottom line: IGNORE all warnings about EPGs not being assigned security clearance, or re-write the code to correct it.
    • The documentation form the code is shown below:
    def critical_001(self):
        """
        This is an example of a compliance check where all EPGs are expected
        to be tagged with either 'secure' or 'nonsecure' and secure EPGs are
        not allowed to provide or consume contracts from nonsecure EPGs.
        """
  • Contracts that are defined in the common tenant but are used in other tenants produce warnings. Not a big deal, but means that there has been no consideration given to the fact that it is possible to define contracts in the common tenant that are used by a number of different tenants.  It also marks contracts provided in the common tenant (such as a DNS contract) that is consumed in another tenant as having no consumers.
  • It does NOT test to see if there are any empty filters (filters that don't have any protocol entries)
  • It does NOT test contract subjects to see that there are any filters applied

But once you know the quirks, the output can be handy!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

NoteToSelf: Looks like this is a good opportunity to improve this script.  #WeekendProject

 

 

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License