I am currently trying to locate over 40 EPGs that "should" contain a particular Leaf Interface Policy Group.
Solved! Go to Solution.
What a challenge!
The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.
However:
moquery -d uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP
moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
moquery -d uni/phys-physDomainName -c infraRtDomAtt
moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
I hope this helps
[Edit - OK I wrote the script. Here it is]
ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //') domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //') epgList=$(while IFS= read -r domain do moquery -d $domain -c infraRtDomAtt done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //') print $epgList
And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output. Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.
apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
this may help ..
apic1# show running-config tenant [tenant_name]
What a challenge!
The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.
However:
moquery -d uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP
moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
moquery -d uni/phys-physDomainName -c infraRtDomAtt
moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
I hope this helps
[Edit - OK I wrote the script. Here it is]
ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //') domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //') epgList=$(while IFS= read -r domain do moquery -d $domain -c infraRtDomAtt done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //') print $epgList
And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output. Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.
apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
Hi,
I think we should look from a different perspective at your question. What exactly you are trying to achieve?
As you can see in the very nice graphic made by INE with the ACI object model, there is no direct object relationship between the two constructs (EPG and Leaf If Policy Grp):
If you are interested more of what EPGs are per interface (or as below, filtered for a specific interface), that can be easily done through an API call:
http://apic1/api/node/class/fvRsCEpToPathEp.json?query-target-filter=eq(fvRsCEpToPathEp.tDn,"topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]")
Same can be obtain through moquery:
apic1# moquery -c fvRsCEpToPathEp -f 'fv.RsCEpToPathEp.tDn=="topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]"'
Regards,
Sergiu
This was a very good response as well. Appreciate the graphic that breakdown the ACI object model.
v/r
Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.
v/r
Not really. The command you pointed out will only show you the learned endpoints and their respective VRF. You can use the "detail" version of the command, and this will point out the EPG as well, but still you will only see the LEARNED endpoints.
So if there are EPGs allowed on the interface, with no EP learned, you will not see it listed by the command.
Stay safe,
Sergiu
Glad to see you are finding your own methods.
@continuedprogress101 wrote:Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.
v/r
However for the record and for anyone else who reads this in the future, to get the EPGs (as per the original question) you would need to add the detailed option to the command show endpoint interface <interface id>.
And of course, issuing the command from the CLI of the leaf is fine, but I find it easier to use the fabric xxx show command from the APIC so I don't have to keep jumping from switch to switch.
For instance, the following command shows the EPGs associated with interface ethernet 1/19 on both Leaf 101 and Leaf 102 - and to keep the output manageable, and because I KNOW my EPG names will contain the letters "EPG" I've filtered it through egrep to show just the leaf names and EPGs.
apic1# fabric 101,102 show endpoint interface ethernet 1/19 detail | egrep "Leaf|EPG" Node 101 (Leaf101) 16 vlan-2041 a036.9f86.e97e L eth1/19 Tenant4:2Tier_AP:AppServers_EPG Node 102 (Leaf102) 27 vlan-2042 a036.9f86.e97f L eth1/19 Tenant4:2Tier_AP:WebServers_EPG
Note that if I had not included both leaves, I would not have seen all the EPGs, because it is quite possible that not every EPG exists on every leaf.
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
Awesome point and valuable information!