04-01-2020 12:59 PM - edited 04-01-2020 01:20 PM
I am currently trying to locate over 40 EPGs that "should" contain a particular Leaf Interface Policy Group.
04-01-2020 08:39 PM - edited 04-02-2020 01:11 PM
What a challenge!
The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.
However:
moquery -d uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP
moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
moquery -d uni/phys-physDomainName -c infraRtDomAtt
moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
I hope this helps
[Edit - OK I wrote the script. Here it is]
ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
epgList=$(while IFS= read -r domain
do
  moquery -d $domain -c infraRtDomAtt
done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
print $epgList
And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output. Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Interface Policy Group, but you will get all the EPGs that DO link back.
apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
04-01-2020 01:36 PM
this may help ..
apic1# show running-config tenant [tenant_name]
04-02-2020 04:53 AM
Hi,
I think we should look at your question from a different perspective. What exactly are you trying to achieve?
As you can see in the very nice graphic made by INE with the ACI object model, there is no direct object relationship between the two constructs (EPG and Leaf If Policy Grp):
If you are more interested in which EPGs are on each interface (or, as below, filtered for a specific interface), that can easily be done through an API call:
http://apic1/api/node/class/fvRsCEpToPathEp.json?query-target-filter=eq(fvRsCEpToPathEp.tDn,"topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]")
The same can be obtained through moquery:
apic1# moquery -c fvRsCEpToPathEp -f 'fv.RsCEpToPathEp.tDn=="topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]"'
Regards,
Sergiu
04-29-2020 04:58 PM
This was a very good response as well. Appreciate the graphic that breaks down the ACI object model.
v/r
05-27-2020 11:55 AM
Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.
v/r
05-27-2020 01:09 PM
Not really. The command you pointed out will only show you the learned endpoints and their respective VRF. You can use the "detail" version of the command, and this will point out the EPG as well, but still you will only see the LEARNED endpoints.
So if there are EPGs allowed on the interface, with no EP learned, you will not see it listed by the command.
Stay safe,
Sergiu
05-27-2020 01:15 PM
Glad to see you are finding your own methods.
@continuedprogress101 wrote: Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.
v/r
However for the record and for anyone else who reads this in the future, to get the EPGs (as per the original question) you would need to add the detailed option to the command show endpoint interface <interface id>.
And of course, issuing the command from the CLI of the leaf is fine, but I find it easier to use the fabric xxx show command from the APIC so I don't have to keep jumping from switch to switch.
For instance, the following command shows the EPGs associated with interface ethernet 1/19 on both Leaf 101 and Leaf 102 - and to keep the output manageable, and because I KNOW my EPG names will contain the letters "EPG" I've filtered it through egrep to show just the leaf names and EPGs.
apic1# fabric 101,102 show endpoint interface ethernet 1/19 detail | egrep "Leaf|EPG"
 Node 101 (Leaf101)
16 vlan-2041 a036.9f86.e97e L eth1/19 Tenant4:2Tier_AP:AppServers_EPG
 Node 102 (Leaf102)
27 vlan-2042 a036.9f86.e97f L eth1/19 Tenant4:2Tier_AP:WebServers_EPG
Note that if I had not included both leaves, I would not have seen all the EPGs, because it is quite possible that not every EPG exists on every leaf.
05-27-2020 01:51 PM
Awesome point and valuable information!