cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
825
Views
3
Helpful
9
Replies

Moquery to check unused EPGs

Jarurug
Level 1
Level 1

Hi All,

We have 300+ EPGs in our Environment and some of them are not used.

Is there a Moquery to list all the unused EPGs?

 

9 Replies 9

RedNectar
VIP
VIP

Hi @Jarurug ,

Maybe I should write a blogpost about how to ask a good question!

In the meantime, I'm struggling to understand what you mean by "unused EPGs"

It could mean EPGs that have no:

  • endpoints
  • static path mappings
  • provided or consumed contracts
  • physical or VMM domain associated with it
  • perhaps something else I haven't thought of

Anyway, I'm going to ASSUME you mean EPGs that have no provided or consumed contracts.

And I'm going to use icurl rather than moquery - I may translate the icurl answers to moquery later if I get time (BTW, moquery just translates your queries to icurl anyway - and not always accurately)

Because icurl uses ? and & characters in the command, you can assume all the following examples have been entered from a bash command shell, not the APIC CLI

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system. 

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json | jq -r '.imdata[].fvAEPg.attributes.dn' | sort

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system that either provides or consumes a contract. [Scroll right - it's a LONG command]

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json?'query-target=subtree&target-subtree-class=fvAEPg&rsp-subtree=children&rsp-subtree-class=fvRsCons&rsp-subtree-include=required&rsp-subtree-class=fvRsProv&rsp-subtree-include=required' | jq -r '.imdata[].fvAEPg.attributes.dn' | sort | uniq

If you pipe each output into a text file, you can use comm to find all EPGs that have NO provided or consumed contracts.  Below I piped all EPGs into a file called all, and the contracted EPGs into a file called contracted.  You can see that on my lab, there are six EPGs that have neither consumed or provided contracts.

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json | jq -r '.imdata[].fvAEPg.attributes.dn' | sort > all T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json?'query-target=subtree&target-subtree-class=fvAEPg&rsp-subtree=children&rsp-subtree-class=fvRsCons&rsp-subtree-include=required&rsp-subtree-class=fvRsProv&rsp-subtree-include=required' | jq -r '.imdata[].fvAEPg.attributes.dn' | sort | uniq > contracted
T17@apic1:~> comm -3 all contracted # the -3 option suppresses lines that appear in both files
uni/tn-infra/ap-access/epg-default
uni/tn-infra/ap-ave-ctrl/epg-ave-ctrl
uni/tn-Tenant01/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant01/ap-2Tier_AP/epg-DBServers_EPG
uni/tn-Tenant03/ap-2tier_ap/epg-WebServers_EPG
uni/tn-Tenant05/ap-2Tier_AP/epg-DBServers_EPG
uni/tn-Tenant18/ap-3Tier_AP/epg-DBServers_EPG

BTW - if you want a cool print of all EPGs and the contracts that the provide and consume, try this.

T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json?'rsp-prop-include=naming-only&query-target=subtree&target-subtree-class=fvAEPg&rsp-subtree=children&rsp-subtree-class=fvRsCons&rsp-subtree-include=required&rsp-subtree-class=fvRsProv&rsp-subtree-include=required' | jq

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

RedNectar
VIP
VIP

Hi @Jarurug ,

I'm guessing you were not satified with my last answer because I gave you an icurl answer when you asked for a moquery answer.

I did say in my first answer that "I may translate the icurl answers to moquery later if I get time" 

Well, I got time and can now tell you that the many bugs in moquery make it impossible to solve this problem using moquery in exactly the same way.

But I found a work-around

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system. 

apic#1 moquery -c fvAEPg -o json | jq -r '.imdata[].fvAEPg.attributes.dn' | sort

The following SHOULD give you a list of the dn (distinguished or unique name) of every EPG in the system that either provides or consumes a contract.

apic#1  moquery -c fvAEPg -o json -x "query-target=subtree target-subtree-class=fvAEPg rsp-subtree=children rsp-subtree-class=fvRsCons rsp-subtree-include=required rsp-subtree-class=fvRsProv rsp-subtree-include=required"| jq -r '.imdata[].fvAEPg.attributes.dn' | sort

Unfortunately, it lists ONLY EPGs that provide a contract.  So it may as well be simplified to:

apic#1  moquery -c fvAEPg -o json -x "query-target=subtree target-subtree-class=fvAEPg rsp-subtree=children rsp-subtree-class=fvRsProv rsp-subtree-include=required"| jq -r '.imdata[].fvAEPg.attributes.dn' | sort

And you can get all the EPGs that consume a contract using 

apic#1  moquery -c fvAEPg -o json -x "query-target=subtree target-subtree-class=fvAEPg rsp-subtree=children rsp-subtree-class=fvRsCons rsp-subtree-include=required"| jq -r '.imdata[].fvAEPg.attributes.dn' | sort

As before, if you redirect each output into a text file, combining the provided and consumed contracts list using temp file, you can use comm to find all EPGs that have NO provided or consumed contracts.  Below I piped all EPGs into a file called all, and sorted the the contracted EPGs into a file called contracted

Note the >> double redirection on the 3rd moquery command so the output gets appended to the temp file, 

apic#1 bash
T17@apic1:~> moquery -c fvAEPg -o json | jq -r '.imdata[].fvAEPg.attributes.dn' | sort > all T17@apic1:~> moquery -c fvAEPg -o json -x "query-target=subtree target-subtree-class=fvAEPg rsp-subtree=children rsp-subtree-class=fvRsProv rsp-subtree-include=required"| jq -r '.imdata[].fvAEPg.attributes.dn' | sort > temp
T17@apic1:~> moquery -c fvAEPg -o json -x "query-target=subtree target-subtree-class=fvAEPg rsp-subtree=children rsp-subtree-class=fvRsCons rsp-subtree-include=required"| jq -r '.imdata[].fvAEPg.attributes.dn' | sort >> temp
T17@apic1:~> sort temp | uniq > contracted
T17@apic1:~> comm -3 all contracted # the -3 option suppresses lines that appear in both files
uni/tn-infra/ap-access/epg-default
uni/tn-infra/ap-ave-ctrl/epg-ave-ctrl
uni/tn-Tenant01/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant01/ap-2Tier_AP/epg-DBServers_EPG
uni/tn-Tenant03/ap-2tier_ap/epg-WebServers_EPG
uni/tn-Tenant05/ap-2Tier_AP/epg-DBServers_EPG
uni/tn-Tenant18/ap-3Tier_AP/epg-DBServers_EPG

Hopefully this answer will satisfy you!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Marcel Zehnder
Spotlight
Spotlight

Hi to get a list of EPGs with no endpoints in it, you can do the following (on a APIC):

 

moquery -c fvAEPg | grep dn | grep epg | awk '{print $3}' | sort > /tmp/all_epgs
moquery -c fvCEp | grep dn | grep epg | awk '{print $3}' | cut -d "/" -f1-4 | sort | uniq > /tmp/epgs_with_endpoints 
grep -vf /tmp/epgs_with_endpoints /tmp/all_epgs

 

HTH

If only we knew what was mean by "unused EPGs"

It could mean EPGs that have no:

  • endpoints = see Marcel's answer
  • static path mappings
  • provided or consumed contracts = see my previous answers
  • physical or VMM domain associated with it
  • perhaps something else I haven't thought of

Let's hope @Jarurug responds with some more information

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks for helping @RedNectar.

Sorry if my question was not proper. Am trying to find a Moquery to list EPGs which doesn't have any EndPoints associated with it.

 

Hi @Jarurug ,

You say: 

Sorry if my question was not proper. Am trying to find a Moquery to list EPGs which doesn't have any EndPoints associated with it.


Then I'm pretty sure @Marcel Zehnder 's answer has nailed it. And it will help others find the correct answer if you mark it correct.


However, just for fun, I'll give you the same answer using icurl and jq - just because I figured it out and others may find it helpful.  And I got a bit carried away, adding a few other options.


Find EPGs with no endpoints

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system and put the list in a file called /tmp/all_epgs 

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json |
jq -r '.imdata[].fvAEPg.attributes.dn' | sort > /tmp/all_epgs

The following icurl command will give you a list of every endpoint in the system in an EPG, including its dn. That dn will begin with the dn of the EPG to which it belongs - something like

uni/tn-Tenant10/ap-2Tier_AP/epg-WebServers_EPG/cep-B4:96:91:89:16:5F 

so we use jq to separate out the dns of the EPG and send them to a different file /tmp/epgs_with_endpoints  

T17@apic1:~> icurl -s http://localhost/api/node/class/fvCEp.json?'query-target-filter=wcard(fvCEp.dn,"epg-")' |
jq -r '.imdata[].fvCEp.attributes | (.dn|capture("(?<E>.*)/cep-").E)' | sort | uniq > /tmp/epgs_with_endpoints

And finally, you can use either comm or grep to get the difference between the files.

T17@apic1:~> comm -3 /tmp/all_epgs /tmp/epgs_with_endpoints     ;# or
T17@apic1:~> grep -vf /tmp/epgs_with_endpoints /tmp/all_epgs

Don't forget to clean up!

T17@apic1:~> rm /tmp/all_epgs ;rm /tmp/epgs_with_endpoints   

Find EPGs with no static mappings

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system and put the list in a file called /tmp/all_epgs 

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json |
jq -r '.imdata[].fvAEPg.attributes.dn' | sort > /tmp/all_epgs

The following icurl command will give you a list of static mapping for all EPGs, including its dn. That dn will begin with the dn of the EPG to which it belongs - something like

uni/tn-Tenant10/ap-2Tier_AP/epg-WebServers_EPG/rspathAtt-[topology/pod-1/paths-2201/pathep-[eth1/27]] 

so we use jq to separate out the dns of the EPG and send them to a different file /tmp/epgs_with_static_maps  

T17@apic1:~> icurl -s http://localhost/api/node/class/fvRsPathAtt.json?\
'query-target-filter=wcard(fvRsPathAtt.dn,"epg-")' |
jq -r '.imdata[].fvRsPathAtt.attributes | (.dn|capture("(?<E>.*)/rspathAtt-").E)' |
sort | uniq > /tmp/epgs_with_static_maps

And finally, you can use either comm or grep to get the difference between the files.

T17@apic1:~> comm -3 /tmp/all_epgs /tmp/epgs_with_static_maps     ;# or
T17@apic1:~> grep -vf /tmp/epgs_with_static_maps /tmp/all_epgs

Don't forget to clean up!

T17@apic1:~> rm /tmp/all_epgs ;rm /tmp/epgs_with_static_maps   

Find EPGs with no provided or consumed contracts

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system and put the list in a file called /tmp/all_epgs 

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json |
jq -r '.imdata[].fvAEPg.attributes.dn' | sort > /tmp/all_epgs

The following icurl command will give you a list of the dn (distinguished or unique name) of every EPG in the system that either provides or consumes a contract.  We use jq to separate out the dns of the EPGs with contracts and send them to a different file /tmp/epgs_with_contracts  

T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json?\
'query-target=subtree&\
target-subtree-class=fvAEPg&\
rsp-subtree=children&\
rsp-subtree-class=fvRsCons,fvRsProv&
rsp-subtree-include=required' |
jq -r '.imdata[].fvAEPg.attributes.dn' | sort | uniq > /tmp/epgs_with_contracts

And finally, you can use either comm or grep to get the difference between the files.

T17@apic1:~> comm -3 /tmp/all_epgs /tmp/epgs_with_contracts     ;# or
T17@apic1:~> grep -vf /tmp/epgs_with_contracts /tmp/all_epgs

Don't forget to clean up!

T17@apic1:~> rm /tmp/all_epgs ;rm /tmp/epgs_with_contracts   

Find EPGs with no Physical Domain or VMM Domain

The following will give you a list of the dn (distinguished or unique name) of every EPG in the system and put the list in a file called /tmp/all_epgs 

apic#1 bash
T17@apic1:~> icurl -s http://localhost/api/node/class/fvAEPg.json |
jq -r '.imdata[].fvAEPg.attributes.dn' | sort > /tmp/all_epgs

The following icurl command will give you a list of domain associations for all EPGs, including its dn. That dn will begin with the dn of the EPG to which it belongs - something like

uni/tn-Tenant10/ap-2Tier_AP/epg-WebServers_EPG/rsdomAtt-[uni/phys-T17:MappedVLANs_PhysDom 

so we use jq to separate out the dns of the EPG and send them to a different file /tmp/epgs_with_domain  

T17@apic1:~> icurl -s http://localhost/api/node/class/fvRsDomAtt.json?\
'query-target-filter=wcard(fvRsDomAtt.dn,"epg-")' |
jq -r '.imdata[].fvRsDomAtt.attributes | (.dn|capture("(?<E>.*)/rsdomAtt-").E)' |
sort | uniq > /tmp/epgs_with_domain

And finally, you can use either comm or grep to get the difference between the files.

T17@apic1:~> comm -3 /tmp/all_epgs /tmp/epgs_with_domain  ;# or
T17@apic1:~> grep -vf /tmp/epgs_with_domain /tmp/all_epgs

Don't forget to clean up!

T17@apic1:~> rm /tmp/all_epgs ;rm /tmp/epgs_with_domain 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks Marcel.

I was looking for this Only(EPG with no EndPoints)

However, this EPGs which am getting from your Moquery still have Endpoints associated with it. Have checked the same with TAC but they also don't seem to have an solution for this.

Remi-Astruc
Cisco Employee
Cisco Employee

Hi @Jarurug ,

Then, in the @Marcel Zehnder 's script, just replace fvCEp with fvRsPathAtt

If that's what you needed, all the credit goes to him...

Hi Marcel, long time I've not been around, nice to see you again!

Remi Astruc

Hi @Remi-Astruc Same here, I did not have to much time for the community recently. Nice to see you!

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License