Solved: How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the A...

continuedprogress101 · ‎04-01-2020

I am currently trying to locate over 40 EPGs that "should" contain a particular Leaf Interface Policy Group.

RedNectar · ‎04-01-2020

What a challenge!

The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.

However:

If you navigate to your Tenant > Application Profiles > applicationProfile > Application EPGs > applicatonEPG >| [Operational] >| [Configured Access Policies] you can see the reverse - i.e. you can see which Leaf Interface Policy Groups are linked to the EPG
You COULD write a script to get the information. I'm not going to write it for you [Edit: I did though, see below], but here is the logic:
- Query the particular policy group: E.G.
```
moquery -d  uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP 
```
- From the result of this query, extract the dn of the AAEP, then find the Domains linked to the AAEP
```
moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
```
- Once you have the Domains, find the EPGs linked to the Domains
```
moquery -d uni/phys-physDomainName -c infraRtDomAtt
moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
```
  - And then you will have your answer

I hope this helps

[Edit - OK I wrote the script. Here it is]

ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d  uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
epgList=$(while IFS= read -r domain
do
moquery -d $domain -c infraRtDomAtt
done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
print $epgList

And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output. Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.

apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

View solution in original post

omz · ‎04-01-2020

this may help ..

apic1# show running-config tenant [tenant_name]

RedNectar · ‎04-01-2020

Hi @continuedprogress101 ,

What a challenge!

The problem is that EPGs are not directly linked to Leaf Interface Policy Groups, so there is no easy way to see the EPGs that hang off a Leaf Interface Policy Group.

However:

If you navigate to your Tenant > Application Profiles > applicationProfile > Application EPGs > applicatonEPG >| [Operational] >| [Configured Access Policies] you can see the reverse - i.e. you can see which Leaf Interface Policy Groups are linked to the EPG
You COULD write a script to get the information. I'm not going to write it for you [Edit: I did though, see below], but here is the logic:
- Query the particular policy group: E.G.
```
moquery -d  uni/infra/funcprof/accportgrp-policyGroupName -c infraRsAttEntP 
```
- From the result of this query, extract the dn of the AAEP, then find the Domains linked to the AAEP
```
moquery -d uni/infra/attentp-AAEP_Name -c infraRsDomP
```
- Once you have the Domains, find the EPGs linked to the Domains
```
moquery -d uni/phys-physDomainName -c infraRtDomAtt
moquery -d uni/vmmp-VMware/dom-vmmDomainName -c infraRtDomAtt
```
  - And then you will have your answer

I hope this helps

[Edit - OK I wrote the script. Here it is]

ipgName="nameOfYourPolicyGroup"
aaepDn=$(moquery -d  uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
epgList=$(while IFS= read -r domain
do
moquery -d $domain -c infraRtDomAtt
done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
print $epgList

And here's a sample run where I have two EPGs, each linked to two domains (one physical, one VMware vmm) and each domain is linked to both EPGs, so you will see each EPG appear twice in the output. Now the problem is of course, once you have determined the AAEP, you have no way of distinguishing which of the linked Domains are specific to your original Interface Policy Group, so you may see EPGs in the list that DON'T link directly back to your original Inerface Polciy Group, but you will get all the EPG that DO link back.

apic1# ipgName="T9:SA.Host_APPG"
apic1# aaepDn=$(moquery -d uni/infra/funcprof/accportgrp-$ipgName -c infraRsAttEntP | egrep ^tDn | sed 's/^.*:\ //')
apic1# domainList=$(moquery -d $aaepDn -c infraRsDomP | egrep ^tDn | sed 's/^.*:\ //')
apic1# epgList=$(while IFS= read -r domain;do;moquery -d $domain -c infraRtDomAtt;done <<< "$domainList" | egrep ^tDn | sed 's/^.*:\ //')
apic1# print $epgList
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-AppServers_EPG
uni/tn-Tenant9/ap-2Tier_AP/epg-WebServers_EPG

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

View solution in original post

Sergiu.Daniluk · ‎04-02-2020

Hi,

I think we should look from a different perspective at your question. What exactly you are trying to achieve?

As you can see in the very nice graphic made by INE with the ACI object model, there is no direct object relationship between the two constructs (EPG and Leaf If Policy Grp):

If you are interested more of what EPGs are per interface (or as below, filtered for a specific interface), that can be easily done through an API call:

http://apic1/api/node/class/fvRsCEpToPathEp.json?query-target-filter=eq(fvRsCEpToPathEp.tDn,"topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]")

Same can be obtain through moquery:

apic1# moquery -c fvRsCEpToPathEp -f 'fv.RsCEpToPathEp.tDn=="topology/pod-POD_ID/paths-LEAF_ID/pathep-[eth1/PORT_ID]"'

Regards,

Sergiu

continuedprogress101 · ‎04-29-2020

This was a very good response as well. Appreciate the graphic that breakdown the ACI object model.

v/r

continuedprogress101 · ‎05-27-2020

Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.

v/r

Sergiu.Daniluk · ‎05-27-2020

Not really. The command you pointed out will only show you the learned endpoints and their respective VRF. You can use the "detail" version of the command, and this will point out the EPG as well, but still you will only see the LEARNED endpoints.

So if there are EPGs allowed on the interface, with no EP learned, you will not see it listed by the command.

Stay safe,

Sergiu

RedNectar · ‎05-27-2020

Hi @continuedprogress101 ,

Glad to see you are finding your own methods.

@continuedprogress101 wrote:
Another way to do this if you know where the policy group is mapped to an interface. If avoiding the GUI, log into the leaf switch and enter the following command: show endpoint interface <interface id>.

v/r

However for the record and for anyone else who reads this in the future, to get the EPGs (as per the original question) you would need to add the detailed option to the command show endpoint interface <interface id>.

And of course, issuing the command from the CLI of the leaf is fine, but I find it easier to use the fabric xxx show command from the APIC so I don't have to keep jumping from switch to switch.

For instance, the following command shows the EPGs associated with interface ethernet 1/19 on both Leaf 101 and Leaf 102 - and to keep the output manageable, and because I KNOW my EPG names will contain the letters "EPG" I've filtered it through egrep to show just the leaf names and EPGs.

apic1# fabric 101,102 show endpoint interface ethernet 1/19 detail | egrep "Leaf|EPG"
 Node 101 (Leaf101)
16                                        vlan-2041    a036.9f86.e97e L                     eth1/19 Tenant4:2Tier_AP:AppServers_EPG
 Node 102 (Leaf102)
27                                        vlan-2042    a036.9f86.e97f L                     eth1/19 Tenant4:2Tier_AP:WebServers_EPG

Note that if I had not included both leaves, I would not have seen all the EPGs, because it is quite possible that not every EPG exists on every leaf.

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

continuedprogress101 · ‎05-27-2020

Awesome point and valuable information!

Start

Design

Deploy

Integration

Learn

Best Practice

How can I list all the EPGs that are associated to a particular Leaf Interface Policy Group on the ACI Fabric?