12-13-2023 07:11 AM
Let's say I'm on a spine switch and I look up the location of a mac address (based on the spine's coop database). If the spine returns the VPC IP address representing a VPC pair I was told to use 'show vpc map | egrep "x.x.x.x"' from the APIC to determine the physical leaf switches behind which I can locate the mac. We have a fairly large fabric with quite a few VPC port-channels and that command takes a long time to run. Just curious if there's a faster way, from the CLI, to find the switch pair when the tunnel next-hop address isn't a physical IP but one that belongs to a VPC pair.
12-13-2023 12:13 PM - edited 12-14-2023 10:20 PM
Hi @sdavids5670 ,
I always recommend:
If you follow these conventions, then a command like
apic1# moquery -c fabricExplicitGEp | egrep "name|virtualIp"
may be better - although that will give you all Virtual Port Channel Security Policy Protection Groups, the output is probably more manageable than show vpc map
Of course, if you didn't use an explicit type Virtual Port Channel Security Policy, or didn't name them as suggested, then it gets a bit trickier - let me know if the above gets you out of trouble before I put any more time into this.
Oh - and if you are using consecutive or reciprocal type Virtual Port Channel Security Policy, let me know which one.
BTW, your Virtual Port Channel Security Policy is found under Fabric > Access Policies > Policies > Switch > Virtual Port Channel Default
OK. The challenge of ME coming up with an answer (although the show mac address answer may be better) outweighed YOUR need for an answer. So here is a command that should get the information you want. It's a little ugly, so you might want to create a shell script on the APIC to run it if you want to do this often
Here's the command and sample output. You will find it easier to enter the command from a bash shell because there is a ? character in the command (although you CAN enter a ? character from the apic1# prompt if you type CTRL+v first)
apic1# bash
admin@apic1:~> icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"
"10.1.64.67/32"
"1202"
"1201"
This should list all the virtual IPs for each VPC pair, and the leaf switch ID for each VPC pair. If you want to isolate a particular virtualIp value, add a filter - the additional bit is shown in blue below.
admin@apic1:~> icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq ".imdata[].fabricExplicitGEp | select ( .attributes.virtualIp == \"10.1.64.67/32\") | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"
"10.1.64.67/32"
"1202"
"1201"
If the icurl command is too cumbersome, you can stick with moquery
apic1# moquery -c fabricExplicitGEp -x rsp-subtree=full -o json | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"
"10.1.64.67/32"
"1202"
"1201"
If you want to create a simple script file to keep that big long command stored in a simple format, do the following:
admin@apic1:~> echo 'icurl -ks https://localhost/api/class/fabricExplicitGEp.json?rsp-subtree=full | jq ".imdata[].fabricExplicitGEp | .attributes.virtualIp, .children[].fabricNodePEp.attributes.id | values"' > showvpcpairs.sh
admin@apic1:~> chmod +x showvpcpairs.sh
admin@apic1:~> ./showvpcpairs.sh
"10.1.64.67/32"
"1202"
"1201"
12-14-2023 11:24 AM
Hi @sdavids5670 ,
I've had a second thought on this
You say "I lookup the location of a mac address" - so it seems you KNOW the MAC address, so why don't you just issue the command
fabric firstleafid-lastleafid show mac address-table address target-mac-address
?
e.g.
apic1# fabric 1201-1204 show mac address-table address 0050.569b.8afd
----------------------------------------------------------------
 Node 1201 (Leaf1201)
----------------------------------------------------------------
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 61       0050.569b.8afd    dynamic   -         F      F    po11
----------------------------------------------------------------
 Node 1202 (Leaf1202)
----------------------------------------------------------------
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 19       0050.569b.8afd    dynamic   -         F      F    po10
----------------------------------------------------------------
 Node 1203 (Leaf1203)
----------------------------------------------------------------
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
----------------------------------------------------------------
 Node 1204 (Leaf1204)
----------------------------------------------------------------
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
12-15-2023 03:47 AM
Hi, a pretty fast way is also to query the ipv4Addr object:
moquery -c ipv4Addr -f 'ipv4.Addr.addr=="<IP>"' | grep dn
Example:
apic# moquery -c ipv4Addr -f 'ipv4.Addr.addr=="10.3.200.97"' | grep dn
dn : topology/pod-1/node-312/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
dn : topology/pod-1/node-313/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
12-15-2023 10:38 AM
Much more elegant than my solution!
12-15-2023 05:01 AM - edited 12-15-2023 05:01 AM
This has been eye opening. I definitely need to put this on my list of things to learn about ACI. Thanks @RedNectar and @Marcel Zehnder !
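Added example, not part of any post in this thread: an offline Python parser for the two outputs discussed above (the fabricExplicitGEp JSON and the `dn` lines from the ipv4Addr query), resolving a VPC virtual IP to its leaf node IDs. The function names, the group name and the non-node child class in the sample are constructed for illustration; the IPs and node IDs are the ones shown in the thread.

```python
import json
import re

# Constructed sample shaped like the fabricExplicitGEp JSON queried in the thread
# (rsp-subtree=full). "hypotheticalOtherChild" stands in for any non-node child.
SAMPLE_GEP_JSON = json.dumps({"imdata": [
    {"fabricExplicitGEp": {
        "attributes": {"name": "constructed-group", "virtualIp": "10.1.64.67/32"},
        "children": [
            {"fabricNodePEp": {"attributes": {"id": "1202"}}},
            {"fabricNodePEp": {"attributes": {"id": "1201"}}},
            {"hypotheticalOtherChild": {"attributes": {}}},
        ]}},
]})

# The two dn lines from the ipv4Addr example in the thread.
SAMPLE_DN = """\
dn : topology/pod-1/node-312/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
dn : topology/pod-1/node-313/sys/ipv4/inst/dom-overlay-1/if-[lo1]/addr-[10.3.200.97/32]
"""

DN_RE = re.compile(r"topology/pod-(\d+)/node-(\d+)/.*/addr-\[([^\]/]+)")


def bare_ip(addr):
    """Drop a /mask suffix so '10.1.64.67/32' and '10.1.64.67' compare equal."""
    return addr.split("/", 1)[0].strip()


def vip_to_nodes(gep_json):
    """Map each VPC virtual IP to the sorted leaf node IDs of its pair."""
    table = {}
    for mo in json.loads(gep_json).get("imdata", []):
        gep = mo.get("fabricExplicitGEp")
        if not gep:
            continue
        # Like jq's "| values", ignore children that are not fabricNodePEp.
        nodes = [c["fabricNodePEp"]["attributes"]["id"]
                 for c in gep.get("children", []) if "fabricNodePEp" in c]
        table[bare_ip(gep["attributes"]["virtualIp"])] = sorted(nodes, key=int)
    return table


def nodes_from_dn_lines(text, ip):
    """Return sorted (pod, node) pairs from 'dn : ...' lines whose address is ip."""
    want = bare_ip(ip)
    found = {(int(m.group(1)), int(m.group(2)))
             for m in map(DN_RE.search, text.splitlines())
             if m and m.group(3) == want}
    return sorted(found)


if __name__ == "__main__":
    print(vip_to_nodes(SAMPLE_GEP_JSON))
    print(nodes_from_dn_lines(SAMPLE_DN, "10.3.200.97"))
```

Building the full VIP table once and reusing it avoids re-running a fabric-wide query for every tunnel next-hop you need to resolve.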