
How to test different interface policy groups

klaus.kruse
Level 1

Hello fellow networkers,

I'm losing my mind about some task, which seems easy at first but seems impossible. I'm tasked to test if BPDU Guard (or any other policy) would work without issues. So we would like to test a different interface policy group than used normally.

BUT: We have an ACI fabric and make extensive use of Leaf interface profiles (basically every server has its own) and Overrides (to name interfaces).

So a leaf typically has a lot of attached interface profiles. I went on and retrieved a list of interface profiles (deep level=1). But that doesn't help me to reach the interface policy group, because it's tied to the interface selector (deep level=2).

At this point my attempts to gather this via Ansible already led to an unreadable mess. I stopped here because it seems a dead end, but maybe some of you already had a similar task?

Summary question: How do you test different interface policy groups?

At this point I'm thinking to use override policies for that task, basically ignoring the existing configuration. I just need to manually filter out ports belonging to VPC. 

Bonus points: Infinite amount of Kudos to someone who has a single API call for a per-port view of interface policy group and override policy group. It's in the GUI under inventory - Pod - Leaf - Interface - Mode: Configuration - Click on port. But the API inspector is giving me a dozen API calls and I see some of them retrieving all available leaf interface profiles (does the GUI then just filter with JavaScript? Uh...)


klaus.kruse
Level 1

Oh, I just discovered that ACI Ansible module collection has no module for override policies. I've searched through the module descriptions but "override" is nowhere mentioned. Anybody did that before?

Hi @klaus.kruse ,

Unfortunately I'm not able to answer your original question, I've only ever played around the edges of Ansible, and prefer to use very simple python to push JSON files.

BUT you mentioned in your original post (paraphrased)

We [...] make extensive use of [...] Overrides (to name interfaces).

I wanted you to know a couple of things about that.

  1. You don't need to use Overrides to put descriptions on interfaces - you can add a description to the Access Port Block for the Interface Selector for the relevant Interface Profile - I wrote about how this works on my blog
    • I don't know if that has any relevance to the Ansible model or not
  2. From ACI v5.2(7f) onwards, you can forget about Leaf Profiles and Interface Profiles - the system will create them for you as needed, but I suspect Ansible has yet to be updated to take advantage of this.

So at the end of the day, you may be better off trying a non-Ansible approach - which leads me back to your core problem:

How do you test different interface policy groups?

I'm tasked to test if BPDU Guard (or any other policy) would work without issues. So we would like to test a different interface policy group than used normally.

ACI interfaces behave much the same way as any other switch interface, with the notable exception of BPDU handling: BPDUs are flooded throughout an EPG based on the incoming VLAN tag. You can't really "test" a particular Interface Policy Group (IPG) without actually applying it to the interface you want to test. And if applying it causes a problem, then you'd need to revert to the previous Interface Policy Group quickly.

If this is what you are trying to achieve, I'd be looking at

  1. Creating the "alternative" IPGs that you want to test
  2. Using a Python script (or Postman) to swap the IPG for each interface selector
  3. Using the same Python script to swap the IPG back to the old version if there is a problem

Re your Bonus

Is the command moquery -c l1PhysIf | egrep "^id\ |^descr\ "  the kind of thing you are looking for?

The command could be modified to include other fields, such as:
moquery -c l1PhysIf | egrep "^id\ |^descr\ |^mode\ |adminSt\ "  

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi @RedNectar ,

Thanks a lot for your blog article. I've read it some time ago when I wondered about our override policies (which were created implicitly when interface descriptions were added). Glad to see the author himself referring to my questions

I think I will speak directly to the ACI API with some Python-Manbojambo or I just go on and create two dicts in my Playbooks: One containing the current settings and the other one with the desired settings. The current modules mostly don't allow looping over available elements but require you to name each of them explicitly.

The moquery statements unfortunately are not what I'm looking for. I'm referring to that view in APIC GUI:

[Screenshot: tempsnip.png]

 

RedNectar
VIP

Hi @klaus.kruse ,

Well. We may have come to an impasse on this.  The Configuration page you show actually has disappeared in v5.2(7f) - replaced by a Configure Interfaces link that takes you to a new wizard.

Anyway - I think you will do better playing with the API - and take your venture into the "Python-Manbojambo" as a learning adventure.  Don't get too frustrated and enjoy the journey.

And good luck!

Sorry I couldn't have been more help - and I hope I haven't steered your question to a dead end by responding.

RedNectar aka Chris Welsh.

Hi,

Thanks for the hint to the new configuration page. I think I need to check in our lab what changed with the new version.

Finally, I think going with the API is the way forward. I'm thinking about combining these big JSONs with Python Pandas to have a more tabular view of our fabric...
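
The swap-and-revert procedure suggested earlier in the thread and the tabular view mentioned in the last post, as an added Python sketch that is not code from any participant. It flattens an interface-profile subtree into one row per interface selector, skips PC/VPC bundle groups, and builds an apply payload plus a rollback payload for each remaining selector. The sample reply and all object names in it are constructed; the class names (`infraAccPortP`, `infraHPortS`, `infraPortBlk`, `infraRsAccBaseGrp`) are from the ACI object model, override policies are not covered, and building the selector DN from name and type is an assumption to check against your fabric.

```python
import json

def _profile(name, sel, port, ipg_dn):
    """One constructed imdata entry, attributes trimmed to the ones used below."""
    return {"infraAccPortP": {"attributes": {"dn": f"uni/infra/accportprof-{name}"}, "children": [
        {"infraHPortS": {"attributes": {"name": sel, "type": "range"}, "children": [
            {"infraPortBlk": {"attributes": {"fromCard": "1", "fromPort": port,
                                             "toCard": "1", "toPort": port}}},
            {"infraRsAccBaseGrp": {"attributes": {"tDn": ipg_dn}}}]}}]}}

# Constructed sample, shaped like a reply to
# GET /api/node/class/infraAccPortP.json?rsp-subtree=full
SAMPLE = {"imdata": [
    _profile("srv01", "eth1_10", "10", "uni/infra/funcprof/accportgrp-IPG_current"),
    _profile("srv02", "eth1_11", "11", "uni/infra/funcprof/accbundle-VPC_srv02"),
]}

def selector_rows(reply):
    """Flatten profile -> selector -> (port blocks, policy group) into flat dicts."""
    rows = []
    for mo in reply["imdata"]:
        prof = mo.get("infraAccPortP", {})
        for child in prof.get("children", []):
            sel = child.get("infraHPortS")
            if sel is None:
                continue
            ports, ipg = [], None
            for sub in sel.get("children", []):
                if "infraPortBlk" in sub:
                    a = sub["infraPortBlk"]["attributes"]
                    ports.append(f'{a["fromCard"]}/{a["fromPort"]}-{a["toCard"]}/{a["toPort"]}')
                elif "infraRsAccBaseGrp" in sub:
                    ipg = sub["infraRsAccBaseGrp"]["attributes"]["tDn"]
            s = sel["attributes"]  # selector DN built from name/type (assumption)
            dn = f'{prof["attributes"]["dn"]}/hports-{s["name"]}-typ-{s["type"]}'
            rows.append({"selector_dn": dn, "ports": ports, "ipg": ipg})
    return rows

def _payload(selector_dn, tdn):
    """Body for POST /api/mo/uni.json that repoints one selector at a policy group."""
    return {"infraHPortS": {"attributes": {"dn": selector_dn},
                            "children": [{"infraRsAccBaseGrp": {"attributes": {"tDn": tdn}}}]}}

def swap_plan(rows, new_ipg_dn):
    """Apply/rollback pair per selector; bundle (PC/VPC) and unbound selectors are skipped."""
    return [{"selector_dn": r["selector_dn"], "apply": _payload(r["selector_dn"], new_ipg_dn),
             "rollback": _payload(r["selector_dn"], r["ipg"])}
            for r in rows if r["ipg"] and "/accbundle-" not in r["ipg"]]

if __name__ == "__main__":
    test_ipg = "uni/infra/funcprof/accportgrp-IPG_bpduguard_test"  # constructed name
    print(json.dumps(swap_plan(selector_rows(SAMPLE), test_ipg), indent=2))
```

The rows are flat dicts, so they load directly into a pandas DataFrame; keep the rollback payloads on disk before sending any apply payload.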
