
How to fetch the contracts between EPGs?

SundarAS10448
Level 1

Hi Guys,

 

Hope everyone is doing good!!

Inputs available : Src IP, Dest IP, Protocol and Port Number

Using the above inputs, I need to figure out if there are any contracts available between the EPGs and display them. Please point me to CLIs as well as APIs to achieve this; I need to come up with an automated solution.

In case this is not directly achievable and involves multiple steps, please share them or give me some pointers.

Note: I recently moved from core networking to an enterprise networking company, I am learning ACI and I need to come up with some solution ASAP.

 

Thanks

Sundar


Sergiu.Daniluk
VIP Alumni

Hi @SundarAS10448 

As the contracts are made between EPGs, you will first have to find out in which EPG each of the IP addresses resides.

For this you can use EP Tracker (built-in app: Operations > EP Tracker).

After you have the Src EPG and Dst EPG, you can manually check for contracts (inside the EPG > Contracts) and verify which one is provided in one EPG and consumed in the other EPG.

OR, you can use this nice script:  https://github.com/agccie/aci-contract-parser 

python ./bootflash/contract_parser.py --vrf Tenant1:vrf1 --sepg {dn|pcTag} --depg {dn|pcTag}

Note: if both source and destination IPs for your traffic are part of the same EPG, and you do not have intra-EPG enforcement, then you do not need a contract for communication to happen.

 

EDIT: I made a correction to the contract_parser command (thank you Chris a.k.a. @RedNectar). Also, as Chris pointed out in our discussion, if you do not have a spaghetti contracts-EPG mapping in your VRF, you can simply use only the vrf option and then search for your srcEPG and dstEPG. Example of the command and output:

fab3-leaf103# python ./bootflash/contract_parser.py --vrf Tenant1:VRF1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[9:4165] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e2(16390) tn-ag/ap-app/epg-e1(32773) [contract:uni/tn-ag/brc-c1] [hit=0]
[9:4166] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e1(32773) tn-ag/ap-app/epg-e2(16390) [contract:uni/tn-ag/brc-c1] [hit=5,+5]
[16:4113] [vrf:ag:v1] permit any epg:any tn-ag/bd-l2-only(32771) [contract:implicit] [hit=0]
[16:4125] [vrf:ag:v1] permit any epg:any tn-ag/bd-bd2(49154) [contract:implicit] [hit=0]
[16:4115] [vrf:ag:v1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4114] [vrf:ag:v1] deny,log any epg:any epg:any [contract:implicit] [hit=2095]
[22:4116] [vrf:ag:v1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

 

Stay safe,

Sergiu
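Added example (not part of the original reply and not code from aci-contract-parser): a small offline filter that parses rule lines in the format quoted above and returns the rules that apply to one source/destination EPG pair. The function names are hypothetical, the sample is the output quoted above, and sorting by ascending prio simply follows the ordering of that output.

```python
import re

# Rule lines copied from the contract_parser output quoted above.
SAMPLE = """\
[9:4165] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e2(16390) tn-ag/ap-app/epg-e1(32773) [contract:uni/tn-ag/brc-c1] [hit=0]
[9:4166] [vrf:ag:v1] permit any tn-ag/ap-app/epg-e1(32773) tn-ag/ap-app/epg-e2(16390) [contract:uni/tn-ag/brc-c1] [hit=5,+5]
[16:4113] [vrf:ag:v1] permit any epg:any tn-ag/bd-l2-only(32771) [contract:implicit] [hit=0]
[16:4125] [vrf:ag:v1] permit any epg:any tn-ag/bd-bd2(49154) [contract:implicit] [hit=0]
[16:4115] [vrf:ag:v1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4114] [vrf:ag:v1] deny,log any epg:any epg:any [contract:implicit] [hit=2095]
[22:4116] [vrf:ag:v1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
"""

RULE = re.compile(
    r"^\[(?P<prio>\d+):(?P<rule_id>\d+)\]\s+\[vrf:(?P<vrf>[^\]]+)\]\s+(?P<action>\S+)\s+"
    r"(?P<body>.*?)\s*\[contract:(?P<contract>[^\]]+)\]\s*\[hit=(?P<hits>\d+)[^\]]*\]\s*$")
EPG = re.compile(r"^(?:epg:any|(?P<name>.+)\((?P<pctag>\d+)\))$")  # wildcard or name(pcTag)

def parse_rules(text):
    """Turn rule lines into dicts; header, key and prompt lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        tokens = m["body"].split() if m else []
        epg_idx = [i for i, t in enumerate(tokens) if EPG.match(t)]
        if len(epg_idx) < 2:
            continue  # not a rule line of the "src-epg ... dst-epg" shape
        s, d = epg_idx[0], epg_idx[1]
        rules.append({
            "prio": int(m["prio"]), "rule_id": int(m["rule_id"]), "vrf": m["vrf"],
            "action": m["action"], "protocol": " ".join(tokens[:s]),
            "src": tokens[s], "dst": tokens[d],
            # L4 and flag fields do not appear in the sample, so keep them verbatim.
            "src_l4": " ".join(tokens[s + 1:d]), "dst_l4_flags": " ".join(tokens[d + 1:]),
            "contract": m["contract"], "hits": int(m["hits"]),
        })
    return rules

def _matches(token, wanted, include_any):
    if token == "epg:any":
        return include_any
    m = EPG.match(token)
    return wanted in (m["name"], m["pctag"])

def rules_between(rules, src, dst, include_any=True):
    """Rules for src -> dst (EPG name or pcTag as a string), lowest prio value first."""
    hits = [r for r in rules
            if _matches(r["src"], src, include_any) and _matches(r["dst"], dst, include_any)]
    return sorted(hits, key=lambda r: r["prio"])
```

With `include_any=False` only rules that name both EPGs explicitly are returned, which separates contract-derived rules from the implicit `epg:any` entries.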

Thanks Sergiu, appreciate your reply.

Will try out the steps given and will let you know.

 

Thanks again

Sundar

Hi Sergiu,

Thanks for your response.

It seems the contract parser script should be executed in the APIC/Leaf, but I have only CLI/API read access, so couldn't execute this script.

 

I tried to convert this script, so that I can run it from outside the APIC, by replacing the IP, but icurl was not available in our enterprise Linux machines, so blocker there as well.

 

Please let me know if there are any CLI/APIs available to achieve the same result

1. Need CLIs/APIs which can give me the EPG from the IP address

2. Need CLIs/APIs which can give me the contracts between the EPGs.

 

Also, is there any Python utility to parse the big config JSON file generated by APIC? I believe I can use this to fetch the contract details between the EPGs, but not the EPG and IP mappings.

 

Thanks again for your help.

Sundar

 

Thanks

Sundar

Hi @SundarAS10448 

I added the REST API support for contract_parser.

Feel free to check it out https://github.com/msdaniluk/aci-contract-parser 

 

Regards,

Sergiu
