Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1925
Views
0
Helpful
5
Replies

contract_parser.py (Python Script for Contracts)

Waqar675
Cisco Employee
Cisco Employee

‎02-08-2020 06:29 AM

Hi,

 

I have question regarding ACI python script (contract_parser.py), I am not seeing any hit in contract as we can see the hit counter is not incrementing.Please see the below output of script

 

Tested below three conditions:

 

1-Permit the ICMP

LEAF-101# contract_parser.py --vrf Cisco:VRF-001
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4110] [vrf:Cisco:VRF-001] permit ip icmp tn-Cisco/ap-AP/epg-EPG-002(16386) tn-Cisco/ap-AP/epg-EPG-001(49154) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]
[7:4104] [vrf:Cisco:VRF-001] permit ip icmp tn-Cisco/ap-AP/epg-EPG-001(49154) tn-Cisco/ap-AP/epg-EPG-002(16386) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]


2-Permit ICMP with Logging enabled

LEAF-101# contract_parser.py --vrf Cisco:VRF-001
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4110] [vrf:Cisco:VRF-001] log,permit ip icmp tn-Cisco/ap-AP/epg-EPG-002(16386) tn-Cisco/ap-AP/epg-EPG-001(49154) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]
[7:4104] [vrf:Cisco:VRF-001] log,permit ip icmp tn-Cisco/ap-AP/epg-EPG-001(49154) tn-Cisco/ap-AP/epg-EPG-002(16386) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]


3-Deny ICMP with Logging enabled

LEAF-101# contract_parser.py --vrf Cisco:VRF-001
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4110] [vrf:Cisco:VRF-001] deny,log ip icmp tn-Cisco/ap-AP/epg-EPG-002(16386) tn-Cisco/ap-AP/epg-EPG-001(49154) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]
[7:4104] [vrf:Cisco:VRF-001] deny,log ip icmp tn-Cisco/ap-AP/epg-EPG-001(49154) tn-Cisco/ap-AP/epg-EPG-002(16386) [contract:uni/tn-Cisco/brc-EPG-001--EPG-002] [hit=0]

 

Regards,

Waqar

Labels:
0 Helpful
5 Replies 5

Marcel Zehnder
Spotlight
Spotlight

‎02-09-2020 11:32 PM

Are you using policy compression in your filters?

0 Helpful

Waqar675
Cisco Employee
Cisco Employee
In response to Marcel Zehnder

‎02-10-2020 01:22 AM

Hi Marcel,

 

No, the policy compression is not enabled but i did this testing while enabling the policy compression but got the same results, although i am not seeing any hit in the implicit deny filter as well.

 

Regards,

Waqar

0 Helpful

Marcel Zehnder
Spotlight
Spotlight
In response to Waqar675

‎02-10-2020 01:30 AM

Do you see hits if you do "show system internal policy-mgr stats" on the corresponding leaf?
0 Helpful

Waqar675
Cisco Employee
Cisco Employee
In response to Marcel Zehnder

‎02-10-2020 02:00 AM

Yes, i can see hit if i do "show system internal policy-mgr stats" and the hit counter is incrementing accordingly.

0 Helpful

Marcel Zehnder
Spotlight
Spotlight
In response to Waqar675

‎02-10-2020 02:31 AM

In that case it maybe some kind of parsing error in the contract_parser script. I suggest to reach out to the author of the script (Andy Gossett): https://github.com/agccie. He is also active in the ACI-Facebook group: https://www.facebook.com/groups/1028679983855301
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License