mmacdonald70
Beginner

ACI Script - Orphaned objects

Over the years, our ACI deployment has picked up quite a lot of orphaned policy objects.  For instance, when some people decommissioned switches or servers, they might forget to delete switch selectors, interface selectors or policy groups.

I have been going through trying to manually delete them when I find them but it would be nice to have a more automated way to do it.  Does anybody either:

- Already have a script to find policy objects that aren't used or

- Know of the best way to do this through a script?

Accepted Solutions
Sergiu.Daniluk
VIP Advocate

Hi @mmacdonald70

The script you are looking for is called acilint:

https://github.com/datacenter/acitoolkit/blob/master/applications/lint/acilint.py

How to use it:

1. Prepare your venv:
   python3 -m venv ./venv
   source venv/bin/activate
   pip install acitoolkit
2. Download the file (or copy the raw output), save it into a file called acilint.py
3. Run the script:
   python acilint.py -l admin -p password -u https://1.2.3.4
4. Enjoy the output:
   Getting configuration from APIC....
   Processing configuration....
   Error 001: BridgeDomain 't2' in tenant 'common' has no Context assigned.
   Error 001: BridgeDomain 't' in tenant 'common' has no Context assigned.
   Warning 001: Tenant 'mgmt' has no Application Profile.
   Warning 001: Tenant 'acitoolkit' has no Application Profile.
   Warning 001: Tenant 'Ansible' has no Application Profile.
   Warning 002: Tenant 'acitoolkit' has no Context.
   Warning 002: Tenant 'Ansible' has no Context.
   Warning 003: AppProfile 'default' in Tenant 'common'has no EPGs.

What each error/warning level means you can find here: http://datacenter.github.io/acitoolkit/docsbuild/html/acilint.html#errors-and-warnings


Stay safe,

Sergiu


3 REPLIES

RedNectar
Advocate

Hi @mmacdonald70 ,

Just a little note about some of the quirks of acilint.py that @Sergiu.Daniluk mentioned.

Firstly, it is a great little utility. BUT...

  • It does not check ALL your configuration - in fact it checks NONE of your Access Policies - such as whether a VLAN Pool is assigned to a Domain or not.  It checks ONLY for certain things in Tenant configurations.
  • It prints warnings about Contracts and contract Subjects being bi-directional, instead of checking that they are bi-directional - i.e. it has the warning logic the complete wrong way around - instead of warning that your contracts are uni-directional (uni-directional contracts should NOT be used except for specific purposes), it warns if your contracts are the normal bi-directional type that allow for the return traffic.
    • Bottom line: IGNORE all warnings about contracts being bidirectional, or re-write the code to correct it.
    • My suspicion is that this is a hang-over from when Cisco completely underestimated the amount of TCAM needed for 1st generation switches, and had to come up with weird techniques (like implementing uni-directional contracts) to preserve TCAM.
  • It falsely ASSUMES that you have assigned tags to all EPGs - and those tags are specifically the words secure or nonsecure.  This is documented in the code, but causes stupid and scary output if you are not expecting it.
    • Bottom line: IGNORE all warnings about EPGs not being assigned security clearance, or re-write the code to correct it.
    • The documentation from the code is shown below:
    def critical_001(self):
        """
        This is an example of a compliance check where all EPGs are expected
        to be tagged with either 'secure' or 'nonsecure' and secure EPGs are
        not allowed to provide or consume contracts from nonsecure EPGs.
        """
  • Contracts that are defined in the common tenant but are used in other tenants produce warnings. Not a big deal, but it means that no consideration has been given to the fact that it is possible to define contracts in the common tenant that are used by a number of different tenants.  It also marks contracts provided in the common tenant (such as a DNS contract) that are consumed in another tenant as having no consumers.
  • It does NOT test to see if there are any empty filters (filters that don't have any protocol entries)
  • It does NOT test contract subjects to see that there are any filters applied

But once you know the quirks, the output can be handy!

RedNectar
aka Chris Welsh


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

NoteToSelf: Looks like this is a good opportunity to improve this script.  #WeekendProject