Cisco Community
English
Register
JOIN thousands of technologists and change-makers at Transform 2020, a one-of-a-kind virtual event! RESERVE YOUR SPOT NOW
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
419
Views
20
Helpful
8
Replies
continuedprogress101
Beginner
Beginner
‎04-01-2020 12:59 PM
‎04-01-2020 12:59 PM

How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

I am currently trying to locate over 40 EPGs that "should" contain a particular Leaf Interface Policy Group.

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
RedNectar
Collaborator
Collaborator
‎04-01-2020 08:39 PM
‎04-01-2020 08:39 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Hi @continuedprogress101 ,

What a challenge!

The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.

However:

  1. If you navigate to your Tenant > Application Profiles > applicationProfile > Application EPGs > applicatonEPG >| [Operational] >| [Configured Access Policies] you can see the reverse - i.e. you can see which Leaf Interface Policy Groups are linked to the EPG
  2. You COULD write a script to get the information.  I'm not going to write it for you [Edit: I did though, see below], but here is the logic:
    • Query the particular policy group: E.G.
      moquery -d  uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP
    • From the result of this query, extract the dn of the AAEP, then find the Domains linked to the AAEP
      moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
    • Once you have the Domains, find the EPGs linked to the Domains
      moquery -d uni/phys-physDomainName -c infraRtDomAtt
      moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
      • And then you will have your answer

I hope this helps

[Edit - OK I wrote the script. Here it is]

 

ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d  uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
epgList=$(while IFS= read -r domain
do
moquery -d $domain -c infraRtDomAtt
done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
print $epgList

 

And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output.  Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.

apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG

 


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

View solution in original post

Everyone's tags (3)
Reply
8 REPLIES 8
Highlighted
omz
Rising star
Rising star
‎04-01-2020 01:36 PM
‎04-01-2020 01:36 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

this may help ..

apic1# show running-config tenant [tenant_name]
0 Helpful
Reply
Highlighted
RedNectar
Collaborator
Collaborator
‎04-01-2020 08:39 PM
‎04-01-2020 08:39 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Hi @continuedprogress101 ,

What a challenge!

The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.

However:

  1. If you navigate to your Tenant > Application Profiles > applicationProfile > Application EPGs > applicatonEPG >| [Operational] >| [Configured Access Policies] you can see the reverse - i.e. you can see which Leaf Interface Policy Groups are linked to the EPG
  2. You COULD write a script to get the information.  I'm not going to write it for you [Edit: I did though, see below], but here is the logic:
    • Query the particular policy group: E.G.
      moquery -d  uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP
    • From the result of this query, extract the dn of the AAEP, then find the Domains linked to the AAEP
      moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
    • Once you have the Domains, find the EPGs linked to the Domains
      moquery -d uni/phys-physDomainName -c infraRtDomAtt
      moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
      • And then you will have your answer

I hope this helps

[Edit - OK I wrote the script. Here it is]

 

ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d  uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
epgList=$(while IFS= read -r domain
do
moquery -d $domain -c infraRtDomAtt
done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
print $epgList

 

And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output.  Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.

apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG

 


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

View solution in original post

Everyone's tags (3)
Reply
Highlighted
msdaniluk
Rising star
Rising star
‎04-02-2020 04:53 AM
‎04-02-2020 04:53 AM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Hi,

 

I think we should look from a different perspective at your question. What exactly you are trying to achieve?

 

As you can see in the very nice graphic made by INE with the ACI object model, there is no direct object relationship between the two constructs (EPG and Leaf If Policy Grp):GIqhYBE

If you are interested more of what EPGs are per interface (or as below, filtered for a specific interface), that can be easily done through an API call:

http://apic1/api/node/class/fvRsCEpToPathEp.json?query-target-filter=eq(fvRsCEpToPathEp.tDn,"topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]")

Same can be obtain through moquery:

apic1# moquery -c fvRsCEpToPathEp -f 'fv.RsCEpToPathEp.tDn=="topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]"'

Regards,

Sergiu

Reply
Highlighted
continuedprogress101
Beginner
Beginner
‎04-29-2020 04:58 PM
‎04-29-2020 04:58 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

This was a very good response as well. Appreciate the graphic that breakdown the ACI object model. 

 

v/r

0 Helpful
Reply
Highlighted
continuedprogress101
Beginner
Beginner
‎05-27-2020 11:55 AM
‎05-27-2020 11:55 AM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>. 

 

v/r

0 Helpful
Reply
Highlighted
msdaniluk
Rising star
Rising star
‎05-27-2020 01:09 PM
‎05-27-2020 01:09 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Not really. The command you pointed out will only show you the learned endpoints and their respective VRF. You can use the "detail" version of the command, and this will point out the EPG as well, but still you will only see the LEARNED endpoints.

So if there are EPGs allowed on the interface, with no EP learned, you will not see it listed by the command.

 

Stay safe,

Sergiu

0 Helpful
Reply
Highlighted
RedNectar
Collaborator
Collaborator
‎05-27-2020 01:15 PM
‎05-27-2020 01:15 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Hi @continuedprogress101 ,

Glad to see you are finding your own methods. 

@continuedprogress101 wrote:

Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>. 

 

v/r

However for the record and for anyone else who reads this in the future, to get the EPGs (as per the original question) you would need to add the detailed option to the command show endpoint interface <interface id>. 

And of course, issuing the command from the CLI of the leaf is fine, but I find it easier to use the fabric xxx show command from the APIC so I don't have to keep jumping from switch to switch.

For instance, the following command shows the EPGs associated with interface ethernet 1/19 on both Leaf 101 and Leaf 102 - and to keep the output manageable, and because I KNOW my EPG names will contain the letters "EPG" I've filtered it through egrep to show just the leaf names and EPGs.

 

apic1# fabric 101,102 show endpoint interface ethernet 1/19 detail | egrep "Leaf|EPG"
 Node 101 (Leaf101)
16                                        vlan-2041    a036.9f86.e97e L                     eth1/19 Tenant4:2Tier_AP:AppServers_EPG
 Node 102 (Leaf102)
27                                        vlan-2042    a036.9f86.e97f L                     eth1/19 Tenant4:2Tier_AP:WebServers_EPG

Note that if I had not included both leaves, I would not have seen all the EPGs, because it is quite possible that not every EPG exists on every leaf.

 

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

0 Helpful
Reply
Highlighted
continuedprogress101
Beginner
Beginner
‎05-27-2020 01:51 PM
‎05-27-2020 01:51 PM

Re: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?

Awesome point and valuable information!

Reply
Latest Contents
Pondering Automation: Moving On Up!
Created by Shaun Roberts on 06-01-2020 05:29 AM
0
0
0
0
  Howdy out there in automation land! I hope everyone is doing well. A reminder... Cisco Live goes live 6/2 at 9am PDT... join us online for 2 great days at CiscoLive.com/us. I will update this blog once my session is released so you readers can che... view more
Video - How to run Hyperflex health check script
Created by Mridul Shah on 05-20-2020 10:54 AM
1
5
1
5
This video shows how to run Hyperflex health check script. This tool is a utility to perform pro-active self-checks on hyperflex systems to ensure its stability and resiliency. It helps automate a list of health and pre-upgrade checks on hyperflex system... view more
Ask Me Anything event- Tenant Routed Multicast in VXLAN EVPN...
Created by ciscomoderator on 05-19-2020 09:12 AM
0
0
0
0
This special event is open only to Cisco Customers and Partners.   Many pages in the Cisco Community are accessible only to Cisco customers, partners, or logged in entitled guests. Please log in. If you still cannot access the event after you l... view more
Community Live event- Tenant Routed Multicast in VXLAN EVPN ...
Created by ciscomoderator on 05-15-2020 10:08 AM
2
10
2
10
Community Live- Tenant Routed Multicast in VXLAN EVPN Fabric (Live event - formerly known as Webcast-  Tuesday May 19, 2020 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This special event is open only to Cisco Customers and Partners.   Man... view more
Cisco ACI: In case of incorrect Internal/external route & pi...
Created by Nilay Patel on 05-14-2020 08:13 AM
0
0
0
0
SymptomsACI - 3.x or belowIn case of incorrect external route & ping issue to external deviceDiagnosisN/ASolutionUpgrade to recommended code or try following:Step -1: Login in ACI-Leafs where EP located & boarder leafs Step -2: type "vsh" (withou... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad

Cisco COVID-19 Survey