
Is there a better alternative to "show vpc map | egrep "x.x.x.x"?

sdavids5670
Level 2

Let's say I'm on a spine switch and I look up the location of a mac address (based on the spine's coop database).  If the spine returns the VPC IP address representing a VPC pair I was told to use 'show vpc map | egrep "x.x.x.x"' from the APIC to determine the physical leaf switches behind which I can locate the mac.  We have a fairly large fabric with quite a few VPC port-channels and that command takes a long time to run.  Just curious if there's a faster way, from the CLI, to find the switch pair when the tunnel next-hop address isn't a physical IP but one that belongs to a VPC pair.

Accepted Solutions

Marcel Zehnder
Spotlight

Hi, a pretty fast way is also to query the ipv4Addr object:
moquery -c ipv4Addr -f 'ipv4.Addr.addr=="<IP>"' | grep dn

Example:

apic# moquery -c ipv4Addr -f 'ipv4.Addr.addr=="10.3.200.97"' | grep dn
dn               : topology/pod-1/node-312/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
dn               : topology/pod-1/node-313/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
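
An added example, not part of the original post or of Cisco's tooling: a small POSIX shell filter that reads the dn lines printed by the moquery above and reports which node(s) own the address. The function names (is_ipv4, owners_of, locate_vip) and the SAMPLE text are hypothetical, and treating an address found on exactly two nodes as a VPC virtual IP is an assumption drawn from the example output in this answer.

```shell
#!/bin/sh
# Added example: map a tunnel next-hop address to its owning leaf node(s)
# from the "dn" lines of: moquery -c ipv4Addr -f 'ipv4.Addr.addr=="<IP>"'

# Accept only a dotted-quad, so nothing else ends up in the moquery filter.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# $1 = IPv4 address, stdin = moquery output; prints "pod-P/node-N interface".
owners_of() {
  awk -v ip="$1" '
    $1 == "dn" && index($NF, "/addr-[" ip "/") {     # exact address, any mask
      split($NF, p, "/")                             # topology/pod-P/node-N/...
      if (p[2] !~ /^pod-[0-9]+$/ || p[3] !~ /^node-[0-9]+$/) next
      ifname = match($NF, /if-\[[^]]+\]/) ? substr($NF, RSTART + 4, RLENGTH - 5) : "?"
      print p[2] "/" p[3], ifname
    }' | sort -u
}

# Assumption: two owners = shared VPC virtual IP, one owner = a switch address.
locate_vip() {
  is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
  set -- $(owners_of "$1" | cut -d' ' -f1 | sort -u)   # one word per node
  case $# in
    0) echo "none"; return 1 ;;
    1) echo "single $1" ;;
    2) echo "vpc-pair $1 $2" ;;
    *) echo "ambiguous $*" ;;
  esac
}

# First two lines are the output shown in this answer; the third is constructed.
SAMPLE='dn               : topology/pod-1/node-312/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
dn               : topology/pod-1/node-313/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
dn               : topology/pod-1/node-312/sys/ipv4/inst/dom-overlay-1/if-[lo0]/addr-[10.3.200.64/32]'

printf '%s\n' "$SAMPLE" | locate_vip 10.3.200.97

# On an APIC the input would come from the query itself (not run here):
#   ip=10.3.200.97
#   is_ipv4 "$ip" && moquery -c ipv4Addr -f "ipv4.Addr.addr==\"$ip\"" | locate_vip "$ip"
```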


RedNectar
VIP

Hi @sdavids5670 ,

I always recommend:

  1. Using explicit type Virtual Port Channel Security Policy (rather than consecutive or reciprocal)
    • This forces you to name EVERY Virtual Port Channel Security Policy Protection Group
  2. that you name your Virtual Port Channel Security Policy Protection Groups based on the leaf IDs used, e.g. 1201..1202_VPC.Grp would be the name of the Virtual Port Channel Security Policy Protection Group deployed to leaves 1201 and 1202

If you follow these conventions, then a command like 

apic1# moquery -c fabricExplicitGEp | egrep "name|virtualIp"

may be better - although that will give you all Virtual Port Channel Security Policy Protection Groups, the output is probably more manageable than show vpc map 

Of course, if you didn't use an explicit type Virtual Port Channel Security Policy, or didn't name them as suggested, then it gets a bit trickier - let me know if the above gets you out of trouble before I put any more time into this.

Oh - and if you are using consecutive or reciprocal type Virtual Port Channel Security Policy, let me know which one.

BTW, your Virtual Port Channel Security Policy is found under Fabric > Access Policies > Policies > Switch > Virtual Port Channel Default


LATER

OK. The challenge of ME coming up with an answer (although the show mac address answer may be better) outweighed YOUR need for an answer.  So here is a command that should get the information you want.  It's a little ugly, so you might want to create a shell script on the APIC to run it if you want to do this often

Here's the command and sample output.  You will find it easier to enter the command from a bash shell because there is a ? character in the command (although you CAN enter a ? character from the apic1# prompt if you type CTRL+v first)

apic1# bash
admin@apic1:~> icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"
"10.1.64.67/32"
"1202"
"1201"

This should list all the virtual IPs for each VPC pair, and the leaf switch ID for each VPC pair.  If you want to isolate a particular virtualIp value, add a filter - the additional bit is shown in blue below.

admin@apic1:~> icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq '.imdata[].fabricExplicitGEp | select(.attributes.virtualIp == "10.1.64.67/32") | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values'
"10.1.64.67/32"
"1202"
"1201"

If the icurl  command is too cumbersome, you can stick with moquery 

apic1# moquery -c fabricExplicitGEp -x rsp-subtree=full -o json | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"
"10.1.64.67/32"
"1202"
"1201"

If you want to create a simple script file to keep that big long command stored in a simple format, do the following:

admin@apic1:~> echo 'icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"' > showvpcpairs.sh
admin@apic1:~> chmod +x showvpcpairs.sh
admin@apic1:~> ./showvpcpairs.sh
"10.1.64.67/32"
"1202"
"1201"

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

RedNectar
VIP

Hi @sdavids5670 ,

I've had a second thought on this

You say  "I lookup the location of a mac address" - so it seems you KNOW the MAC address, so why don't you just issue the command

fabric firstleafid-lastleafid show mac address-table address target-mac-address ?

e.g.

apic1# fabric 1201-1204 show mac address-table address 0050.569b.8afd
----------------------------------------------------------------
 Node 1201 (Leaf1201)
----------------------------------------------------------------
Legend:
	* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
	age - seconds since last seen,+ - primary entry using vPC Peer-Link,
	(T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 61       0050.569b.8afd    dynamic      -       F    F    po11

----------------------------------------------------------------
 Node 1202 (Leaf1202)
----------------------------------------------------------------
Legend:
	* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
	age - seconds since last seen,+ - primary entry using vPC Peer-Link,
	(T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 19       0050.569b.8afd    dynamic      -       F    F    po10

----------------------------------------------------------------
 Node 1203 (Leaf1203)
----------------------------------------------------------------
Legend:
	* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
	age - seconds since last seen,+ - primary entry using vPC Peer-Link,
	(T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------

----------------------------------------------------------------
 Node 1204 (Leaf1204)
----------------------------------------------------------------
Legend:
	* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
	age - seconds since last seen,+ - primary entry using vPC Peer-Link,
	(T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------

  

RedNectar aka Chris Welsh.

@Marcel Zehnder 

Much more elegant than my solution!

RedNectar aka Chris Welsh.

sdavids5670
Level 2

This has been eye opening.  I definitely need to put this on my list of things to learn about ACI.  Thanks @RedNectar  and @Marcel Zehnder !
