How to find ALL EPGs that assign to an interfaces or VMs Domain?

Trinh Nguyen
Level 1

Hello Community,

I think this feature has been requested somewhere, I hope to put more traction to Cisco Dev to provide an effective way to find ALL EPGs that an interface is associated with.

As we are moving from traditional network to ACI, the number of EPGs is growing very fast with more and more devices, VMs and groups needing to be in an EPG. With a large number of EPGs, I need a way to troubleshoot and clean up unused interface-EPG associations. At this time, the only ineffective way I know is in GUI by going to each EPG and finding the interface.

Real case: I received an alarm that an interface down has been raised because this interface is used by an EPG, but the alarm did not indicate which EPG. So I have to go to each EPG to find the interface:

6/25/2017 3:32 AM : LOG_LOCAL7-2-SYSTEM_MSG [F0532][soaking][interface-physical-down][critical][sys/phys-[eth132/1/19]/phys/fault-F0532] Port is down, reason  <186> Jun 25 03:32:55 L122 %LOG_LOCAL7-2-SYSTEM_MSG [F0532][soaking][interface-physical-down][critical][sys/phys-[eth132/1/19]/phys/fault-F0532] Port is down, reason:notconnect(connected), used by:EPG

Apologies if this command is available and I did not find it. (Probably also a feature request for more friendly ACI cli that supports question mark in leaves. Why does the question mark work in APIC, but not in leaves?)

Regards,

_Trinh

1 Accepted Solution


Jason Williams
Level 1

Trinh, 

Have you tried logging into the leaf and checking the VLANs allowed on the interface? You can map those VLANs to the EPGs. Example Below: 

I want to see every EPG on Leaf 101 Eth1/27. 

leaf101# show interface eth1/27 switchport
Name: Ethernet1/27
Switchport: Enabled
Switchport Monitor: not-a-span-dest
Operational Mode: trunk
Access Mode Vlan: 18 (default)
Trunking Native Mode VLAN: 18 (default)
Trunking VLANs Allowed: 4,17-18,32-36
FabricPath Topology List Allowed: 0
Administrative private-vlan primary host-association: none
Administrative private-vlan secondary host-association: none
Administrative private-vlan primary mapping: none
Administrative private-vlan secondary mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

[copy the values of the Trunking VLANs Allowed and plug those values into the show vlan id <vlan_id> extended command to see the encap VLAN and EPG names]

leaf101# show vlan id 4,17-18,32-36 extended

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
4  jw1:jw2 active Eth1/27
17 jw1:jw1 active Eth1/27
18 jw1:jw-ap:jw1 active Eth1/27
32 jw1:jw-ap:jw2 active Eth1/27
33 common:default active Eth1/27
34 jw1:web-app-db:app active Eth1/27
35 jw1:web-app-db:db active Eth1/27
36 jw1:web-app-db:web active Eth1/27

VLAN Type Vlan-mode Encap
---- ----- ---------- -------------------------------
4 enet CE vxlan-16187318
17 enet CE vxlan-15073233
18 enet CE vlan-1000
32 enet CE vlan-1902
33 enet CE vxlan-16121790
34 enet CE vlan-1910
35 enet CE vlan-1920
36 enet CE vlan-1930

The commands above also include the bridge domains. 

In regards to your question below:

(Probably also a feature request for more friendly ACI cli that supports question mark in leaves.  Why the question mark works in APIC, but not in leaves?)

When you log into the APIC CLI, you're placed into an NXOS-like shell by default which permits configuration via CLI. Use the bash command to enter the bash ishell. The leaves and spines use the bash ishell CLI natively. To get the same functionality as "?" input, simply press the esc button twice. It will provide a list of possible commands. If you're looking for a CLI which has a closer resemblance to the NXOS shell, then use the vsh command on the leaf/spine and it will place you into the iNX-OS shell. The iNX-OS shell on spine/leaf uses the question mark to get a list of possible commands.

Jason
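
The two-step lookup above (allowed VLANs, then VLAN-to-name and encap) can be joined in a short script when many ports have to be audited. This is an added example, not part of the original post; the function names are hypothetical, and it assumes from the output shown that three-part names are EPGs and two-part names are bridge domains.

```python
import re

def expand_vlans(spec):
    """Expand a range list such as '4,17-18,32-36' into VLAN ids."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def allowed_vlans(switchport_text):
    """Read 'Trunking VLANs Allowed' from 'show interface <if> switchport'."""
    m = re.search(r"^\s*Trunking VLANs Allowed:\s*([\d,-]+)", switchport_text, re.M)
    return expand_vlans(m.group(1)) if m else []

def parse_vlan_extended(text):
    """Join the name table and the encap table of 'show vlan id ... extended'."""
    names, encaps = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].isdigit():
            continue                       # header, separator or blank line
        if ":" in f[1]:                    # name table: id, name, status, ports
            names[int(f[0])] = f[1]
        elif len(f) >= 4:                  # encap table: id, type, mode, encap
            encaps[int(f[0])] = f[3]
    return {vid: (name, encaps.get(vid, "?")) for vid, name in names.items()}

def epgs_on_port(switchport_text, vlan_text):
    """Return (epgs, bridge_domains) as lists of (vlan, name, encap)."""
    table = parse_vlan_extended(vlan_text)
    epgs, bds = [], []
    for vid in allowed_vlans(switchport_text):
        if vid in table:
            name, encap = table[vid]
            # Assumption: tenant:ap:epg names are EPGs, tenant:bd names are BDs.
            (epgs if name.count(":") == 2 else bds).append((vid, name.replace(":", "/"), encap))
    return epgs, bds

# Sample input: a subset of the leaf101 lines shown in the answer above.
SWITCHPORT = "Name: Ethernet1/27\nTrunking VLANs Allowed: 4,17-18,32-36\n"
VLAN_EXT = """\
4  jw1:jw2 active Eth1/27
18 jw1:jw-ap:jw1 active Eth1/27
34 jw1:web-app-db:app active Eth1/27
4 enet CE vxlan-16187318
18 enet CE vlan-1000
34 enet CE vlan-1910
"""
```

Calling `epgs_on_port(SWITCHPORT, VLAN_EXT)` returns the EPG list and the bridge-domain list separately, so the EPG bindings on a port can be compared against what is expected there.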


5 Replies

Jason,

SCORES!  Thanks for your quick answers.  I got two very useful answers in one post! 

I still want to press the DEV for more friendly cli in ACI: why not unique cli across APIC, Leaves, Spines; why not one cli like “show interface eth1/27 switchport EPG” to list all EPGs in one interface instead of three steps. I am sure this is a very useful and daily use command for every network engineer who manages ACI.

Again, thanks and best regards.

_Trinh

Trinh, it's also possible to query the API, for instance with the moquery command. 

Example: All EPGs configured on leaf-103 (pod-1) interface eth1/6:

moquery -c fvRsPathAtt -x 'query-target-filter=eq(fvRsPathAtt.tDn,"topology/pod-1/paths-103/pathep-[eth1/6]")'

To receive a result in the form of "tenant/app-profile/epg" just do:

moquery -c fvRsPathAtt -x 'query-target-filter=eq(fvRsPathAtt.tDn,"topology/pod-1/paths-103/pathep-[eth1/6]")' | grep dn | sort | cut -d "/" -f2,3,4

HTH

Marcel

Hi Marcel,

Call me old-fashioned, but long live CLI NX-OS … 

Years ago when I first learned Cisco IOS, the instructor kept reminding us to use “copy running-config startup-config” after making a change, or be sorry. After a few IOS upgrades, the command became “copy run start”, pretty nice; but after another few IOS later, “wr” will do the same save. How nice is that!!!

So, how many OS upgrades do you think it will take DEV to evolve the managed object query (which is very abstract IMO) to “show interface eth1/6 epg” or probably just “sh eth1/6 epg”?

Regards.

_Trinh

Hi Trinh

That's the beauty of an open API: Just write your own script which fits your needs - it's a couple of lines in Python and you could do something like "sepgs <leaf>/<mod>/<port>" which is even shorter than "sh eth1/6 epg" ;-)

I believe CLIs will be used if we need to check how things are done under the hood or in hardware (vsh_lc for example) but when it comes to configuring and operating networks REST-APIs are the new primary interfaces. So we should start using these new interfaces and adapt to new tools. 

Regarding the ACI managed objects and MIT: In the beginning it's hard, I know - but as soon as you know the most important objects and how they are linked/related to each other life becomes so much easier :-)

Just my 2 cents

Marcel
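
A sketch of the kind of script suggested above, built on the fvRsPathAtt filter from the earlier moquery reply. It is an added example, not code from the thread: the function names are hypothetical, the pod defaults to 1 as in that reply, and the sample is a constructed JSON body shaped like an APIC class-query response.

```python
import json
import re

SPEC_RE = re.compile(r"(\d+)/(\d+)/(\d+)")
DN_RE = re.compile(r"uni/tn-([^/]+)/ap-([^/]+)/epg-([^/]+)/rspathAtt-\[")

def path_filter(spec, pod=1):
    """Build the fvRsPathAtt.tDn filter for '<leaf>/<mod>/<port>', e.g. '103/1/6'."""
    m = SPEC_RE.fullmatch(spec)
    if not m:  # digits only, so user input cannot alter the filter expression
        raise ValueError(f"expected <leaf>/<mod>/<port>, got {spec!r}")
    leaf, mod, port = m.groups()
    tdn = f"topology/pod-{int(pod)}/paths-{leaf}/pathep-[eth{mod}/{port}]"
    return f'query-target-filter=eq(fvRsPathAtt.tDn,"{tdn}")'

def epgs_from_response(body):
    """Return sorted (tenant/ap/epg, encap) pairs from a class-query JSON body."""
    rows = set()
    for item in json.loads(body).get("imdata", []):
        attrs = item.get("fvRsPathAtt", {}).get("attributes", {})
        m = DN_RE.match(attrs.get("dn", ""))
        if m:  # skip DNs that are not under tenant/ap/epg
            rows.add(("/".join(m.groups()), attrs.get("encap", "unknown")))
    return sorted(rows)

# Constructed sample shaped like an APIC class-query reply; names are made up.
PATH = "topology/pod-1/paths-103/pathep-[eth1/6]"
SAMPLE = json.dumps({"totalCount": "2", "imdata": [
    {"fvRsPathAtt": {"attributes": {
        "dn": f"uni/tn-jw1/ap-web-app-db/epg-web/rspathAtt-[{PATH}]",
        "encap": "vlan-1930", "tDn": PATH}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": f"uni/tn-jw1/ap-web-app-db/epg-db/rspathAtt-[{PATH}]",
        "encap": "vlan-1920", "tDn": PATH}}},
]})

if __name__ == "__main__":
    print(path_filter("103/1/6"))
    for epg, encap in epgs_from_response(SAMPLE):
        print(f"{epg}  {encap}")
```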
