Solved: Finding where a filter is used/in which contracts.

Ibrahim010 · ‎10-27-2022

Hi Folks,

Is there a way, via moquery perhaps, to filter where a certain filter is used and in which contract?
I have looked around and played with moquery but it doesnt seem to give me the needed results.

Thanks!

RedNectar · ‎10-27-2022

Hi @Ibrahim010 ,

Is this the kind of thing you seek?

admin@apic1:~> moquery -c vzSubj -x query-target=children | grep "^dn " | cut -c20-
uni/tn-common/oobbrc-default/subj-default/rssubjFiltAtt-default
uni/tn-common/brc-default/subj-default/rssubjFiltAtt-default
uni/tn-common/brc-AnyAnyGlobal_Ct/subj-AnyAnyGlobal_Subj/rssubjFiltAtt-default
uni/tn-common/brc-Any.IP_Ct/subj-Any.IP_Subj/rssubjFiltAtt-IP_Fltr
uni/tn-common/brc-DNS_Ct/subj-DNS_Subj/rssubjFiltAtt-icmp
uni/tn-common/brc-DNS_Ct/subj-DNS_Subj/rssubjFiltAtt-DNS_Fltr
uni/tn-common/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-TCP5000_Fltr
uni/tn-common/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-HTTP_Fltr
uni/tn-common/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-HTTPS_Fltr
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-SSH_Fltr
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-Telnet_Fltr
uni/tn-Tenant01/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant06/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-private-vlan/brc-ipany/subj-ip/rssubjFiltAtt-IP_Fltr
uni/tn-Tenant08/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant08/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant07/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant02/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant05/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant05/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant02/brc-WebServer-EPG/subj-httpandhttps10.202.10.0:24_L3EPG/rssubjFiltAtt-10.202.10.0:24_L3EPG
uni/tn-Tenant02/brc-allowsshtelnetping/subj-allowsshtelnetping/rssubjFiltAtt-Allowpingsshtelnet
uni/tn-Tenant04/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant02/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant17/brc-AnyTraffic_Ct/subj-msc-subject/rssubjFiltAtt-AnyTraffic_Fltr

To refine to get a specific filter, say MgmtServices_Fltr in my example above, add another grep

admin@apic1:~> moquery -c vzSubj -x query-target=children | grep "^dn " | cut -c20- | grep MgmtServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr

There you can see which tenants are using this filter in which contracts

Fun Fact

Contracts and filters are local to a tenant, except the common tenant's contracts and filters are available to ALL tenants.

SO

If you have a filter called say MgmtServices_Fltr defined in the common tenant, then you can use that filer within a contract in your tenant.

BUT

If you now define a filter called MgmtServices_Fltr in your tenant, your definition of the filter will take precedence over the one in the common tenant - and of course there is no guarantee that both filter are the same

Similarly, if you have a contract in your tenant that uses your version of MgmtServices_Fltr and you delete that filter in your tenant, then the contract does NOT throw an error, instead, it simply falls back to using the one in the common tenant.

You can rinse and repeat as they say, for contracts defined in both your tenant and the common tenant

In fact, the common tenant is the catch-all for ALL objects in your tenant, which is especially useful for the hundreds of default policies that your tenant actually requires.

Which means that you can extend this logic to all those policies etc in your tenant that default to a policy called default - that defualt policy lives in the common tenant. If you define an instance of the same policy in your tenant and name it default, it will take precedence over the default policy in the common tenant. Have fund troubleshooting that one on your customer's system!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

RedNectar · ‎10-27-2022

Hi @Ibrahim010 ,

Is this the kind of thing you seek?

admin@apic1:~> moquery -c vzSubj -x query-target=children | grep "^dn " | cut -c20-
uni/tn-common/oobbrc-default/subj-default/rssubjFiltAtt-default
uni/tn-common/brc-default/subj-default/rssubjFiltAtt-default
uni/tn-common/brc-AnyAnyGlobal_Ct/subj-AnyAnyGlobal_Subj/rssubjFiltAtt-default
uni/tn-common/brc-Any.IP_Ct/subj-Any.IP_Subj/rssubjFiltAtt-IP_Fltr
uni/tn-common/brc-DNS_Ct/subj-DNS_Subj/rssubjFiltAtt-icmp
uni/tn-common/brc-DNS_Ct/subj-DNS_Subj/rssubjFiltAtt-DNS_Fltr
uni/tn-common/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-TCP5000_Fltr
uni/tn-common/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-HTTP_Fltr
uni/tn-common/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-HTTPS_Fltr
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-SSH_Fltr
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-common/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-Telnet_Fltr
uni/tn-Tenant01/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant06/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-private-vlan/brc-ipany/subj-ip/rssubjFiltAtt-IP_Fltr
uni/tn-Tenant08/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant08/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant07/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant02/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-icmp
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant05/brc-AppServices_Ct/subj-AppServices_Subj/rssubjFiltAtt-AppServices_Fltr
uni/tn-Tenant05/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant02/brc-WebServer-EPG/subj-httpandhttps10.202.10.0:24_L3EPG/rssubjFiltAtt-10.202.10.0:24_L3EPG
uni/tn-Tenant02/brc-allowsshtelnetping/subj-allowsshtelnetping/rssubjFiltAtt-Allowpingsshtelnet
uni/tn-Tenant04/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant02/brc-WebServices_Ct/subj-WebServices_Subj/rssubjFiltAtt-WebServices_Fltr
uni/tn-Tenant17/brc-AnyTraffic_Ct/subj-msc-subject/rssubjFiltAtt-AnyTraffic_Fltr

To refine to get a specific filter, say MgmtServices_Fltr in my example above, add another grep

admin@apic1:~> moquery -c vzSubj -x query-target=children | grep "^dn " | cut -c20- | grep MgmtServices_Fltr
uni/tn-Tenant01/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant06/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant08/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant07/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant04/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant02/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr
uni/tn-Tenant05/brc-MgmtServices_Ct/subj-MgmtServices_Subj/rssubjFiltAtt-MgmtServices_Fltr

There you can see which tenants are using this filter in which contracts

Fun Fact

Contracts and filters are local to a tenant, except the common tenant's contracts and filters are available to ALL tenants.

SO

If you have a filter called say MgmtServices_Fltr defined in the common tenant, then you can use that filer within a contract in your tenant.

BUT

If you now define a filter called MgmtServices_Fltr in your tenant, your definition of the filter will take precedence over the one in the common tenant - and of course there is no guarantee that both filter are the same

Similarly, if you have a contract in your tenant that uses your version of MgmtServices_Fltr and you delete that filter in your tenant, then the contract does NOT throw an error, instead, it simply falls back to using the one in the common tenant.

You can rinse and repeat as they say, for contracts defined in both your tenant and the common tenant

In fact, the common tenant is the catch-all for ALL objects in your tenant, which is especially useful for the hundreds of default policies that your tenant actually requires.

Which means that you can extend this logic to all those policies etc in your tenant that default to a policy called default - that defualt policy lives in the common tenant. If you define an instance of the same policy in your tenant and name it default, it will take precedence over the default policy in the common tenant. Have fund troubleshooting that one on your customer's system!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Ibrahim010 · ‎10-28-2022

Mate, you are briljant! Thanks alot, this does it for me. Also great information on the local an common tenant filters. I was plyaing abit with the moquery and i wonder if you got a good blog to read on? I find the moquery filter not the easiest in use.. thanks again!

RedNectar · ‎10-28-2022

Hi @Ibrahim010 ,

i wonder if you got a good blog to read on?

Well. Since you asked I guess it's OK to mention

Much of my learning was gleaned from

http://networkbit.ch/cisco-aci-troubleshooting-moquery/
https://blog.joshuamorgan.com.au/post/cisco-aci-moquery-filter-operators/ Especially about the -x option

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.