ACI Script - Orphaned objects

mmacdonald70
Level 1

Over the years, our ACI deployment has picked up quite a lot of orphaned policy objects. For instance, when some people decommissioned switches or servers, they might forget to delete switch selectors, interface selectors or policy groups.

 

I have been going through trying to manually delete them when I find them but it would be nice to have a more automated way to do it. Does anybody either:

- Already have a script to find policy objects that aren't used or

- Know of the best way to do this through a script?

Accepted Solution

Sergiu.Daniluk
VIP Alumni

Hi @mmacdonald70 

 

The script you are looking for is called acilint:

https://github.com/datacenter/acitoolkit/blob/master/applications/lint/acilint.py

 

How to use it:

  1. Prepare your venv:
     python3 -m venv ./venv
     source venv/bin/activate
     pip install acitoolkit
  2. Download the file (or copy the raw output), save it into a file called acilint.py
  3. Run the script:
     python acilint.py -l admin -p password -u https://1.2.3.4
  4. Enjoy the output:
     Getting configuration from APIC....
     Processing configuration....
     Error 001: BridgeDomain 't2' in tenant 'common' has no Context assigned.
     Error 001: BridgeDomain 't' in tenant 'common' has no Context assigned.
     Warning 001: Tenant 'mgmt' has no Application Profile.
     Warning 001: Tenant 'acitoolkit' has no Application Profile.
     Warning 001: Tenant 'Ansible' has no Application Profile.
     Warning 002: Tenant 'acitoolkit' has no Context.
     Warning 002: Tenant 'Ansible' has no Context.
     Warning 003: AppProfile 'default' in Tenant 'common'has no EPGs.

 

What each error/warning level means you can find here: http://datacenter.github.io/acitoolkit/docsbuild/html/acilint.html#errors-and-warnings

 

Stay safe,

Sergiu


3 Replies

RedNectar
VIP

Hi @mmacdonald70 ,

Just a little note about some of the quirks of acilint.py that @Sergiu.Daniluk mentioned.

Firstly, it is a great little utility. BUT...

  • It does not check ALL your configuration - in fact it checks NONE of your Access Policies - such as whether a VLAN Pool is assigned to a Domain or not. It checks ONLY for certain things in Tenant configurations
  • It prints warnings about Contracts and Contract Subjects being bi-directional, instead of checking that they are bi-directional - i.e. it has the warning logic the complete wrong way around - instead of warning that your contracts are uni-directional (uni-directional contracts should NOT be used except for specific purposes), it warns if your contracts are the normal bi-directional type that allow for the return traffic.
    • Bottom line: IGNORE all warnings about contracts being bidirectional, or re-write the code to correct it
    • My suspicion is that this is a hang-over from when Cisco completely underestimated the amount of TCAM needed for 1st generation switches, and had to come up with weird techniques (like implementing uni-directional contracts) to preserve TCAM.
  • It falsely ASSUMES that you have assigned tags to all EPGs - and those tags are specifically the words secure or nonsecure. This is documented in the code, but causes stupid and scary output if you are not expecting it.
    • Bottom line: IGNORE all warnings about EPGs not being assigned security clearance, or re-write the code to correct it.
    • The documentation from the code is shown below:
    def critical_001(self):
        """
        This is an example of a compliance check where all EPGs are expected
        to be tagged with either 'secure' or 'nonsecure' and secure EPGs are
        not allowed to provide or consume contracts from nonsecure EPGs.
        """
  • Contracts that are defined in the common tenant but are used in other tenants produce warnings. Not a big deal, but it means that no consideration has been given to the fact that it is possible to define contracts in the common tenant that are used by a number of different tenants. It also marks contracts provided in the common tenant (such as a DNS contract) that are consumed in another tenant as having no consumers.
  • It does NOT test to see if there are any empty filters (filters that don't have any protocol entries)
  • It does NOT test contract subjects to see that there are any filters applied

But once you know the quirks, the output can be handy!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

NoteToSelf: Looks like this is a good opportunity to improve this script.  #WeekendProject
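For the gaps the thread calls out (acilint ignores Access Policies, empty filters and subjects with no filters, and the original question was about unused policy groups), here is an added example, not code from acitoolkit or from any poster, of how such checks can be written against the JSON that APIC class queries (GET /api/class/<class>.json) return. The records below are constructed for the demo and the APIC login/fetch step is left out so it runs offline; the class and attribute names used (infraAccPortGrp, infraRsAccBaseGrp tDn, vzFilter, vzEntry, vzSubj, vzRsSubjFiltAtt) are standard ACI managed-object classes, and it only checks one level of reference (a policy group that is referenced by a selector whose profile is itself unattached is not reported).

```python
"""Offline demo: find orphaned ACI policy objects in APIC-style class-query JSON."""
from collections import defaultdict

# Constructed sample of the "imdata" list returned by /api/class/<class>.json.
# These DNs are made up for the demo; real data comes from your APIC.
IMDATA = [
    {"infraAccPortGrp": {"attributes": {"dn": "uni/infra/funcprof/accportgrp-PG_SRV01"}}},
    {"infraAccPortGrp": {"attributes": {"dn": "uni/infra/funcprof/accportgrp-PG_OLD_SRV"}}},
    {"infraRsAccBaseGrp": {"attributes": {"tDn": "uni/infra/funcprof/accportgrp-PG_SRV01"}}},
    {"vzFilter": {"attributes": {"dn": "uni/tn-common/flt-dns"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-common/flt-dns/e-udp53"}}},
    {"vzFilter": {"attributes": {"dn": "uni/tn-common/flt-empty"}}},
    {"vzSubj": {"attributes": {"dn": "uni/tn-common/brc-web/subj-http"}}},
    {"vzRsSubjFiltAtt": {"attributes": {"dn": "uni/tn-common/brc-web/subj-http/rssubjFiltAtt-http"}}},
    {"vzSubj": {"attributes": {"dn": "uni/tn-common/brc-web/subj-nofilter"}}},
]

def by_class(imdata):
    """Group managed objects by class name -> list of their attribute dicts."""
    groups = defaultdict(list)
    for mo in imdata:
        (cls, body), = mo.items()          # each imdata record has exactly one class key
        groups[cls].append(body["attributes"])
    return groups

def parent_dn(dn):
    """Parent DN by stripping the last RN (assumes no '/' inside the child's own name)."""
    return dn.rsplit("/", 1)[0]

def unreferenced_policy_groups(groups):
    """Leaf access port policy groups that no interface selector points at (via tDn)."""
    targets = {rel["tDn"] for rel in groups["infraRsAccBaseGrp"]}
    return sorted(pg["dn"] for pg in groups["infraAccPortGrp"] if pg["dn"] not in targets)

def empty_filters(groups):
    """Filters with no vzEntry child, i.e. filters that match no protocol at all."""
    parents = {parent_dn(e["dn"]) for e in groups["vzEntry"]}
    return sorted(f["dn"] for f in groups["vzFilter"] if f["dn"] not in parents)

def subjects_without_filters(groups):
    """Contract subjects with no vzRsSubjFiltAtt child, i.e. subjects that permit nothing."""
    parents = {parent_dn(r["dn"]) for r in groups["vzRsSubjFiltAtt"]}
    return sorted(s["dn"] for s in groups["vzSubj"] if s["dn"] not in parents)

def lint(imdata):
    """Run all checks; returns check name -> sorted list of offending DNs."""
    g = by_class(imdata)
    return {"unused_port_policy_groups": unreferenced_policy_groups(g),
            "empty_filters": empty_filters(g),
            "subjects_without_filters": subjects_without_filters(g)}

if __name__ == "__main__":
    for check, dns in lint(IMDATA).items():
        for dn in dns:
            print(f"{check}: {dn}")
```

Treat the output as a review list rather than a delete list: a reported DN may be referenced from a class the demo does not query, so confirm in the APIC before removing anything.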
