
Delete in ACI - how to prevent to delete too much?

waschminator
Level 1

Hi, 

EPGs in ACI are placed in a tenant, mostly there are a lot of EPGs, BDs, L3Outs within this tenant. How can I prevent that by mistake the tenant is deleted, which in turn would delete all other objects too, that in turn generates a full network outage? Is there any way that the platform itself asks if you really want to do that? At the moment you just delete and then it is gone.

3 Replies

AshSe
VIP

Hello @waschminator 

In Cisco ACI (Application Centric Infrastructure), there is no built-in "Are you sure?" confirmation prompt when deleting a tenant or other objects. However, there are several strategies and best practices you can implement to prevent accidental deletion of a tenant and its associated objects. Please let me know if you want me to elaborate them.

Hello,

yes, please elaborate. Br

AshSe
VIP

Hello @waschminator 

Here are various available options:


1. Role-Based Access Control (RBAC)

  • Restrict permissions for users who can delete tenants. In ACI, you can create custom roles and assign them to users or groups. For example:
    • Create a role that allows users to manage objects within a tenant (EPGs, BDs, etc.) but does not allow them to delete the tenant itself.
    • Only assign the "admin" role or equivalent permissions to trusted users who understand the impact of tenant deletion.
  • To configure RBAC:
    • Go to Admin > AAA > Security Management > Users.
    • Create or modify roles and assign them to users or groups.

2. Prevention via Scripts or Automation

Use automation tools (e.g., Python scripts with the ACI REST API) to add safeguards for tenant deletion. For example:

  • Write a script that checks for specific tags, annotations, or names (e.g., "DO_NOT_DELETE") before allowing a tenant to be deleted.
  • The script can prompt for additional confirmation or require a secondary approval process.

3. Annotations and Tags

  • Use annotations or tags to mark critical tenants. For example, you can add a tag like DO_NOT_DELETE to tenants that should not be deleted.
  • To add a tag:
    • Navigate to the tenant in the APIC GUI.
    • Go to the Annotations or Tags section.
    • Add a tag like DO_NOT_DELETE or CRITICAL.

While this does not prevent deletion directly, it provides a visual indicator to users and can be used in scripts or automation workflows to enforce safeguards.


4. Backup Configuration Regularly

  • Regularly back up your ACI configuration to ensure you can recover from accidental deletions.
  • To back up the configuration:
    • Go to Admin > Import/Export > Config Export.
    • Export the configuration to a secure location.
  • In case of accidental deletion, you can restore the tenant and its objects from the backup.

5. Audit Logs and Alerts

  • Enable audit logging to track changes in the ACI fabric, including tenant deletions. This allows you to identify who performed the deletion and when.
  • To enable audit logs:
    • Go to Admin > External Data Collectors > SysLog.
    • Configure logging to capture tenant deletion events.
  • You can also configure SNMP traps or Syslog to send alerts for critical events like tenant deletion.

6. Leverage Contracts and Dependencies

  • Create dependencies between tenants and other objects (e.g., shared services, contracts). This can make it harder to delete a tenant without first addressing the dependencies.
  • For example, if a tenant provides shared services to other tenants, deleting it will require resolving those dependencies first.

7. Train and Educate Users

  • Educate your team about the impact of tenant deletion and the importance of double-checking before making changes.
  • Encourage users to review the configuration and dependencies before deleting any object.

8. Feature Request to Cisco

  • If this is a critical concern for your organization, consider submitting a feature request to Cisco for a confirmation prompt or additional safeguards for tenant deletion. Cisco regularly updates ACI software based on customer feedback.

While ACI does not currently provide a built-in confirmation prompt for tenant deletion, implementing these strategies can help reduce the risk of accidental deletions and their impact.

Feel free to ask if you need further guidance in running any of the above-mentioned options.

 

Hope This Helps!!!

AshSe

Forum Tips: 

  1. Insert photos/images inline - don't attach.
  2. Always mark helpful and correct answers, it helps others find what they need.
  3. For a prompt reply, kindly tag @name. An email will be automatically sent to the member.
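
The safeguard described in options 2 and 3 of the answer above, as an added example that is not part of the original post or any Cisco tooling: a pre-delete check that reads a tenant's subtree, counts the EPGs, BDs and L3Outs that would go with it, refuses if a protection marker is present, and otherwise requires the tenant name to be typed back. It assumes the markers are stored as `tagAnnotation` or `tagTag` objects with the marker as their `key`; the function names and the sample reply are constructed for illustration.

```python
import json

PROTECT_KEYS = {"DO_NOT_DELETE", "CRITICAL"}      # marker names used in the thread
TAG_CLASSES = {"tagAnnotation", "tagTag"}         # assumed: marker is stored as the "key"
BLAST_CLASSES = ("fvAEPg", "fvBD", "l3extOut")    # EPGs, BDs, L3Outs

# Constructed sample, shaped like an APIC reply to
# GET /api/mo/uni/tn-PROD.json?rsp-subtree=full (names and values are made up).
SAMPLE = json.loads("""
{"totalCount": "1", "imdata": [{"fvTenant": {"attributes": {"name": "PROD"}, "children": [
  {"tagAnnotation": {"attributes": {"key": "DO_NOT_DELETE", "value": "true"}}},
  {"fvBD": {"attributes": {"name": "bd-web"}}},
  {"l3extOut": {"attributes": {"name": "l3out-core"}}},
  {"fvAp": {"attributes": {"name": "shop"}, "children": [
    {"fvAEPg": {"attributes": {"name": "web"}}},
    {"fvAEPg": {"attributes": {"name": "db"}}}]}}]}}]}
""")

def walk(mo):
    """Yield (class, attributes) for a managed object and every descendant."""
    for cls, body in mo.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from walk(child)

def assess(reply):
    """Return (tenant name, protected?, object counts) for a tenant subtree reply."""
    imdata = reply.get("imdata", [])
    if len(imdata) != 1 or "fvTenant" not in imdata[0]:
        raise ValueError("expected exactly one fvTenant in the reply")
    counts = dict.fromkeys(BLAST_CLASSES, 0)
    protected = False
    for cls, attrs in walk(imdata[0]):
        if cls in counts:
            counts[cls] += 1
        # A marker anywhere in the subtree blocks the delete (fail safe).
        if cls in TAG_CLASSES and attrs.get("key") in PROTECT_KEYS:
            protected = True
    return imdata[0]["fvTenant"]["attributes"]["name"], protected, counts

def may_delete(reply, typed_name):
    """Decide whether the wrapper may go on to send DELETE /api/mo/uni/tn-<name>.json."""
    name, protected, counts = assess(reply)
    impact = ", ".join(f"{n} {c}" for c, n in counts.items())
    if protected:
        return False, f"tenant {name} carries a protection marker ({impact})"
    if typed_name != name:
        return False, f"confirmation mismatch: type '{name}' to delete {impact}"
    return True, f"confirmed: deleting {name} removes {impact}"

if __name__ == "__main__":
    print(may_delete(SAMPLE, "PROD"))
```

This check only covers deletions that go through the wrapper; a delete issued from the GUI or directly against the API bypasses it, so it complements the RBAC restriction in option 1.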

 
