Using moquery to find EPG's that lack a specific Domain

AukeyPeach
Level 1

Hi all,

 

I need to audit our env and I need to complete a search and have it return all Tenants and EPG's that lack a specific domain; this is so we can find out where we need to update them.

 

The moquery I'm running at the moment is:

 

moquery -c fvRsDomAtt -f 'fv.RsDomAtt.dn*"epg-EPG" and fv.RsDomAtt.tDn!="uni/phys-PHY-CORE"' | grep "^tDn\|^dn"

 

In plain English:

 

Search for all Domains where the associated distinguished name is appended with epg-EPG and does NOT have PHY-CORE as a domain - The Append is no longer necessary moving forward.

 

This is fine, and for the most part it got me 99% of the way.

 

However it's not quite what I need because I've checked a few EPG's that are not appended with "EPG" and some of them lack the PHY-CORE domain that I need them to have.

 

So what I'm trying to do now is search for all EPG's that do NOT have the PHY-CORE domain associated with them.

 

Problem is, the way the query seems to operate, it's returning essentially every single EPG, but removing the entries for the PHY-CORE - So for example an EPG might have 3 Domains - Domain-1, Domain-2 and PHY-CORE

 

Running the following will display those EPG's with PHY-CORE omitted - What I want to find are EPG's that do NOT have PHY-CORE domain at all.

 

moquery -c fvRsDomAtt -f 'fv.RsDomAtt.tDn!="uni/phys-PHY-CORE"'

 

I thought perhaps an XOR operator would do the trick but sadly it didn't return anything, so this isn't what I'm after I assume.

 

Thank you!


Marcel Zehnder
Spotlight

Hi

This should report  all EPGs without the PHY-CORE physical domain:

moquery -c fvAEPg | grep dn | awk '{print $3}' | sort > /tmp/EPGsAll &&  moquery -c fvRsDomAtt -f 'fv.RsDomAtt.dn*"phys-PHY-CORE"'| grep dn | awk '{print $3}' | awk -F '/rsdom' '{print $1}' | sort > /tmp/EPGsWithDom && comm -23 /tmp/EPGsAll /tmp/EPGsWithDom

HTH

Marcel

Hello Marcel,

 

Thank you for your contribution!

 

I'll be perfectly honest, I don't really understand how your query works and sadly the output it provides me is not correct.

 

I just wonder, does ACI hold onto a value that determines how many Domains an EPG has? I know that it does report this on the top level EPG page - in which it has all of the stats for the EPG, but I can't seem to find where this variable is stored.

 

I just wish I could write a query that says "Show me the EPG's that do not have this domain" 

 

Sergiu.Daniluk
VIP Alumni

Hi @AukeyPeach 

If I understand correctly, you want to list all EPGs that don't contain a specific domain.

So here is my take on this (run all the commands in bash):

 

1. save the domain name in a variable (will save time for later):

phyDom="My_PhyDomain"

2. Get all EPGs associated with your domain:

moquery  -c infraRtDomAtt | grep dn  | grep $phyDom  | grep -oP '(?<=\[).*(?=\])' | sort   > /tmp/EPG_withDomain

3. Get all EPGs associated to the rest of the domains (note: any of these EPGs can be associated to the `nondesired` domain, meaning can be present in EPG_withDomain file)

 moquery  -c infraRtDomAtt | grep dn  | grep -v $phyDom  | grep -oP '(?<=\[).*(?=\])' | sort   > /tmp/EPG_otherDomains

4. List the EPGs associated to any domain EXCEPT the phyDom

comm -23  /tmp/EPG_otherDomains /tmp/EPG_withDomain

This command lists all lines in EPG_otherDomains  that are not present in EPG_withDomain

 

Stay safe,

Sergiu

Thank you!

 

I will try this out now and let you know 

Hi @Sergiu.Daniluk 

 

I have copied this a few times, file Otherdomains is completely empty here.

 

Let me see If I am entering this correctly - Will update again shortly.

My bad. There was an additional  "|" after sort.  I corrected it now

I now understand what your moquery is doing!

 

So you're sending to file a list of domains that contain PHY-CORE and a list that do not contain PHY-CORE and comparing the two and seeing what comes out.

 

The only issue is EPG_withDomains is completely blank for some reason.

 

The problem I'm facing is, and I think this is more related to how either GREP or Moqueries work - If you were to run a moquery against the class infraRtDomAtt and then Grep out PHY-CORE - What you're left with is a list that simply has these entries omitted. 

 

 

moquery -c fvRsDomAtt -f 'fv.RsDomAtt.dn*"PHY-CORE"' | grep -c dn
917

 

 

I have about 922 EPG's across our fabric - there are 917 instances where PHY-CORE is used - I only have 5 EPG's where this domain is not used - I feel so close!

 

 

Exactly. I am making a diff between EPGs that have associated all other domains (but can contain also the "phy_core") and EPGs that have associated phy_core. This will result in the EPGs that do not have phy_core associated.

Example:

EPG1 - domain1

EPG2 - domain1 and phy_core

EPG3 - phy_core.

 

EPG_withDomain should have EPG2 and EPG3

EPG_withOthers should have EPG1 and EPG2.

 

" comm -23 EPG_otherDomains EPG_withDomain " -> should return EPG1.

 

If one of the files is empty, take one pipe at a time and see the results:

moquery  -c infraRtDomAtt 
moquery  -c infraRtDomAtt | grep dn 
moquery  -c infraRtDomAtt | grep dn  | grep $phyDom  
moquery  -c infraRtDomAtt | grep dn  | grep $phyDom  | grep -oP '(?<=\[).*(?=\])' | sort   

Share the results.

 

Cheers,

Sergiu

 

Hi @Sergiu.Daniluk 

 

Thank you for your continued support.

 

Does your query take into consideration that an EPG may have 1 or more domains?

 

For example, Tenant A will have an AP called APN_A and 3 EPGS:

 

EPG_1 - Domain_1, Domain_2, Domain_3

EPG_2 - Domain_1, Domain_3

EPG_3 - Domain_2, Domain_3

 

What I am required to do is cleanup our env as we upgrade - This has included unifying our domains, VLAN Pools, etc.

 

What has recently been done is a script that essentially blasted its way through the fabric and added PHY-CORE domain to essentially everything. 

However, due to a quirk with the script, a number of tenants and EPG's within them, were missed.

I of course now need to find the specific EPG's that are missing PHY-CORE Domain. 

 

I hope this provides some further clarity - I will certainly try your suggestions and let you know.

 

Thank you again,

"Does your query take into consideration that an EPG may have 1 or more domains?"

S.D.: the current script simply shows duplicates of the EPG, but for the scope of what you need (show EPG with missing domain), should be fine. You can however `enhance` the commands by simply adding " | uniq " after sort.

 

 

 

Hi Sergiu,

Sadly, this doesn't appear to be working.

 

The number of EPG's with PHY-CORE in the file withDomain is correct - But I know I'm short by 5:

 

moquery -c fvAEPg | grep -c dn
923 - Total number of EPGs

 

moquery -c infraRtDomAtt | grep dn | grep -c $phyDom
917 - Total number of domains with name PHY-CORE in use

 

The otherDomains unfortunately, with uniq added, still includes EPG's that have PHY-CORE in ADDITION to other EPG's

I just need to find the 5 that do NOT have PHY-CORE

Bit of a head scratcher for me!

"The otherDomains unfortunately, with uniq added, still includes EPG's that have PHY-CORE in ADDITION to other EPG's" -> that's exactly what should happen. To find the EPGs that do not have PHY-CORE, you must use the "comm" command.

 

Anyway, let's simplify this.

1. Find all EPGs in your APIC

moquery -c fvAEPg | grep dn | awk '{print $3}' | sort > /tmp/all_EPGs

2. Find all EPGs that have PHY-CORE:

moquery  -c infraRtDomAtt | grep dn  | grep $phyDom  | grep -oP '(?<=\[).*(?=\])' | sort   > /tmp/EPG_withDomain

 

3. Diff between all_EPGs and EPGs_withDom:

comm -23 /tmp/all_EPGs /tmp/EPG_withDomain 

Should be pretty straightforward.  Let me know if this works.

 

Cheers,

Sergiu
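
Added example, not part of the original thread: the same "all EPGs minus EPGs with the domain" audit as a shell function, run over constructed moquery-style output so it works offline. It goes slightly beyond the commands above by matching the `dn` field and the domain name exactly and by catching an EPG with no domain at all. The function name `epgs_missing_domain`, the sample tenants and the `PHY-CORE-OLD` domain are assumptions; the `.../rsdomAtt-[<domain dn>]` layout is assumed from the fvRsDomAtt commands in the thread.

```shell
#!/bin/sh
# Constructed sample data, not taken from a real fabric.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Shaped like `moquery -c fvAEPg` output (only the fields used here).
cat > "$tmp/fvAEPg.txt" <<'EOF'
# fv.AEPg
descr : pending dn cleanup
dn    : uni/tn-A/ap-APN_A/epg-EPG_1
dn    : uni/tn-A/ap-APN_A/epg-EPG_2
dn    : uni/tn-A/ap-APN_A/epg-EPG_3
dn    : uni/tn-B/ap-APN_B/epg-EPG_4
EOF

# Shaped like `moquery -c fvRsDomAtt` output. EPG_4 has no domain at all.
cat > "$tmp/fvRsDomAtt.txt" <<'EOF'
dn    : uni/tn-A/ap-APN_A/epg-EPG_1/rsdomAtt-[uni/phys-Domain_1]
tDn   : uni/phys-Domain_1
dn    : uni/tn-A/ap-APN_A/epg-EPG_1/rsdomAtt-[uni/phys-PHY-CORE]
dn    : uni/tn-A/ap-APN_A/epg-EPG_2/rsdomAtt-[uni/phys-Domain_1]
dn    : uni/tn-A/ap-APN_A/epg-EPG_3/rsdomAtt-[uni/phys-PHY-CORE-OLD]
EOF

# Usage: epgs_missing_domain DOMAIN_DN AEPG_FILE RSDOMATT_FILE
epgs_missing_domain() {
  suffix="/rsdomAtt-[$1]"
  # Every EPG dn. Test the field name itself: a plain `grep dn` would also
  # pick up the descr line above.
  awk '$1 == "dn" { print $3 }' "$2" | LC_ALL=C sort -u > "$tmp/all"
  # EPGs whose attachment dn ends in exactly this domain, so PHY-CORE-OLD
  # is not counted as PHY-CORE.
  awk -v s="$suffix" '$1 == "dn" {
      n = length($3) - length(s)
      if (n > 0 && substr($3, n + 1) == s) print substr($3, 1, n)
  }' "$3" | LC_ALL=C sort -u > "$tmp/with"
  # comm needs both inputs sorted in the same collation; -23 keeps the lines
  # found only in the first file, i.e. EPGs without the domain.
  LC_ALL=C comm -23 "$tmp/all" "$tmp/with"
}

epgs_missing_domain "uni/phys-PHY-CORE" "$tmp/fvAEPg.txt" "$tmp/fvRsDomAtt.txt"
```

On an APIC the two input files would come from redirecting `moquery -c fvAEPg` and `moquery -c fvRsDomAtt` to disk first.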

 

@Sergiu.Daniluk ! 

 

I can't get over how happy I am right now - This has worked 100% !! 

 

In hindsight the solution is beautifully simple and I only wish I could have thought about it from this POV but the idea to use files and compare them is just one my brain wasn't reaching. 

 

I was going down this weird rabbit hole of trying to understand how ACI knows how many domains that an EPG contains, yet makes no reference to it elsewhere.

 

But anyway, thank you so much for your time and dedication to helping me solve this, It's saved me a few days of wall banging that's for sure!

 

Kind regards,

Uhuuu, I am also happy to hear that the solution worked ^_^

 

Take care,

Sergiu
