05-24-2020 09:23 AM
Hi Guys,
Hope everyone is doing good!!
Inputs available : Src IP, Dest IP, Protocol and Port Number
Using the above inputs, I need to figure out if there are any contracts available between the EPGs and display them. Please point me to CLIs as well as APIs to achieve the same; I need to come up with an automated solution.
In case this is not directly achievable and involves multiple steps, please share them or give me some pointers.
Note: I recently moved from core networking to an enterprise networking company, I am learning ACI and I need to come up with some solution ASAP.
Thanks
Sundar
05-24-2020 09:44 AM - edited 05-24-2020 10:19 PM
As the contracts are made between EPGs, you will first have to find out in which EPG each of the IP addresses resides.
For this you can use EP tracker (built in app: operations > EP Tracker)
After you have the Src EPG and Dst EPG, you can manually check for contracts (inside the EPG > Contracts) and verify which one is provided in one EPG and consumed in the other EPG.
OR, you can use this nice script: https://github.com/agccie/aci-contract-parser
python ./bootflash/contract_parser.py --vrf Tenant1:vrf1 --sepg {dn|pcTag} --depg {dn|pcTag}
Note: if both source and destination IPs for your traffic are part of the same EPG, and you do not have intra-EPG enforcement, then you do not need a contract for communication to happen.
EDIT: I made a correction to the contract_parser command (thank you Chris a.k.a @RedNectar). Also, as Chris pointed out in our discussion, if you do not have a spaghetti contracts-EPG mapping in your VRF, you can simply use only the vrf option and then search for your srcEPG and dstEPG. Example of the command and output:
fab3-leaf103# python ./bootflash/contract_parser.py --vrf Tenant1:VRF1
Key: [prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[9:4165] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e2(16390) tn-ag/ap-app/epg-e1(32773) [contract:uni/tn-ag/brc-c1] [hit=0]
[9:4166] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e1(32773) tn-ag/ap-app/epg-e2(16390) [contract:uni/tn-ag/brc-c1] [hit=5,+5]
[16:4113] [vrf:ag:v1] permit any epg:any tn-ag/bd-l2-only(32771) [contract:implicit] [hit=0]
[16:4125] [vrf:ag:v1] permit any epg:any tn-ag/bd-bd2(49154) [contract:implicit] [hit=0]
[16:4115] [vrf:ag:v1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4114] [vrf:ag:v1] deny,log any epg:any epg:any [contract:implicit] [hit=2095]
[22:4116] [vrf:ag:v1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
Stay safe,
Sergiu
05-25-2020 09:57 PM
Thanks Sergiu, appreciate your reply.
Will try out the steps given and will let you know.
Thanks again
Sundar
05-31-2020 01:14 AM
Hi Sergiu,
Thanks for your response.
It seems the contract parser script should be executed on the APIC/leaf, but I have only CLI/API read access, so I couldn't execute this script.
I tried to convert this script, so that I can run it from outside the APIC, by replacing the IP, but icurl was not available in our enterprise linux machines, so blocker there as well.
Please let me know if there are any CLIs/APIs available to achieve the same result:
1. Need CLIs/APIs which can give me the EPG from the IP address.
2. Need CLIs/APIs which can give me the contracts between the EPGs.
Also, is there any Python utility to parse the big config JSON file generated by APIC? I believe I can use this to fetch the contract details between the EPGs, but not the EPG-to-IP mappings.
Thanks again for your help.
Sundar
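The two lookups asked for above (IP to EPG, then contracts between the two EPGs) can be done with plain read-only GETs against the APIC REST API, without icurl or any script on the fabric. The following is an added example and is not code from this thread or from the aci-contract-parser project. The object classes and query parameters it uses (aaaLogin, fvCEp, fvRsProv, fvRsCons, vzEntry, query-target-filter) are the APIC's own; the sample replies, the tenant/EPG/contract names (tn-ag, epg-e1, epg-e2, c1, c2) and the direction in which c1 is provided and consumed are constructed for the demo and are assumptions, not data from the thread. It also applies the same-EPG caveat from the earlier reply and checks a filter entry against the protocol/port input.

```python
"""Map src/dst IP -> EPG -> contracts with the APIC REST API (offline demo).

Added example, not from the thread or the contract_parser project. Class
names and query parameters are real APIC REST objects; the sample replies
and the tenant/EPG/contract names (tn-ag, epg-e1, epg-e2, c1, c2) are
constructed for the demo.
"""
import json
import re

# Subset of the well-known port names ACI accepts in vzEntry dFromPort/dToPort
# (assumed; extend it from the filter entries in your own fabric).
PORT_NAMES = {"http": 80, "https": 443, "ssh": 22, "dns": 53, "smtp": 25}


def login_body(user, pwd):
    """Body for POST /api/aaaLogin.json; the reply carries the APIC-cookie token."""
    return json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})


def cep_query(ip):
    """Class query for learned endpoints whose primary IP is `ip`.
    Caveat: fvCEp.ip is a single address; additional addresses of the same
    endpoint are fvIp children and are not matched by this filter."""
    return f'/api/node/class/fvCEp.json?query-target-filter=eq(fvCEp.ip,"{ip}")'


def epg_of(ip, reply):
    """EPG dn owning the endpoint: an fvCEp dn is <epg dn>/cep-<mac>."""
    for item in reply.get("imdata", []):
        attrs = item.get("fvCEp", {}).get("attributes", {})
        if attrs.get("ip") != ip:
            continue
        m = re.match(r"^(uni/tn-[^/]+/ap-[^/]+/epg-[^/]+)/cep-", attrs.get("dn", ""))
        if m:
            return m.group(1)
    return None  # not learned anywhere, or reached through an L3Out prefix EPG


def relation_query(epg_dn):
    """Children of an EPG: provided (fvRsProv) and consumed (fvRsCons) contracts."""
    return (f"/api/node/mo/{epg_dn}.json?query-target=children"
            "&target-subtree-class=fvRsProv,fvRsCons")


def contracts_of(reply):
    """Return (provided, consumed) sets of contract names from a relation reply."""
    prov, cons = set(), set()
    for item in reply.get("imdata", []):
        if "fvRsProv" in item:
            prov.add(item["fvRsProv"]["attributes"]["tnVzBrCPName"])
        if "fvRsCons" in item:
            cons.add(item["fvRsCons"]["attributes"]["tnVzBrCPName"])
    return prov, cons


def trace(src_ip, dst_ip, fetch):
    """fetch(path) -> parsed JSON reply. Reports the contracts between the EPGs.
    Only direct provide/consume relations are checked; vzAny, contract
    inheritance and the preferred group are not modelled here."""
    src_epg = epg_of(src_ip, fetch(cep_query(src_ip)))
    dst_epg = epg_of(dst_ip, fetch(cep_query(dst_ip)))
    if not src_epg or not dst_epg:
        return {"src_epg": src_epg, "dst_epg": dst_epg, "contracts": None}
    if src_epg == dst_epg:  # no contract needed unless intra-EPG isolation/enforcement is on
        return {"src_epg": src_epg, "dst_epg": dst_epg, "same_epg": True, "contracts": []}
    s_prov, s_cons = contracts_of(fetch(relation_query(src_epg)))
    d_prov, d_cons = contracts_of(fetch(relation_query(dst_epg)))
    return {"src_epg": src_epg, "dst_epg": dst_epg, "same_epg": False,
            "src_consumes_dst_provides": sorted(s_cons & d_prov),
            "src_provides_dst_consumes": sorted(s_prov & d_cons)}


def _port(value):
    if value in (None, "", "unspecified"):
        return None
    return int(value) if str(value).isdigit() else PORT_NAMES[value]


def entry_matches(entry, proto, dport):
    """Does a vzEntry (filter entry attributes) cover this IP protocol and
    destination port? In ACI 'unspecified' matches anything."""
    if entry.get("prot", "unspecified") not in ("unspecified", proto):
        return False
    lo, hi = _port(entry.get("dFromPort")), _port(entry.get("dToPort"))
    if lo is None:
        return True
    return lo <= dport <= (hi if hi is not None else lo)


# Constructed replies standing in for APIC responses (not real captures).
FAKE_APIC = {
    cep_query("10.1.1.10"): {"imdata": [{"fvCEp": {"attributes": {
        "dn": "uni/tn-ag/ap-app/epg-e1/cep-00:50:56:AA:BB:01", "ip": "10.1.1.10"}}}]},
    cep_query("10.1.2.20"): {"imdata": [{"fvCEp": {"attributes": {
        "dn": "uni/tn-ag/ap-app/epg-e2/cep-00:50:56:AA:BB:02", "ip": "10.1.2.20"}}}]},
    cep_query("10.9.9.9"): {"imdata": []},
    relation_query("uni/tn-ag/ap-app/epg-e1"): {"imdata": [
        {"fvRsProv": {"attributes": {"tnVzBrCPName": "c1"}}}]},
    relation_query("uni/tn-ag/ap-app/epg-e2"): {"imdata": [
        {"fvRsCons": {"attributes": {"tnVzBrCPName": "c1"}}},
        {"fvRsProv": {"attributes": {"tnVzBrCPName": "c2"}}}]},
}

if __name__ == "__main__":
    print(json.dumps(trace("10.1.2.20", "10.1.1.10", FAKE_APIC.__getitem__), indent=1))
```

Against a real fabric, `fetch` would be something like `lambda p: requests.get(apic + p, cookies={"APIC-cookie": token}, verify=ca).json()`, with the token taken from the reply to posting `login_body(...)` to `/api/aaaLogin.json`; every query here is a GET, so a read-only account is enough. To finish the protocol/port check, walk the matching contract's subjects (vzSubj, then vzRsSubjFiltAtt.tnVzFilterName) to the filter's vzEntry children and pass each one to `entry_matches`.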
06-01-2020 02:34 PM
I added the REST API support for contract_parser.
Feel free to check it out https://github.com/msdaniluk/aci-contract-parser
Regards,
Sergiu