ACI Troubleshooting: Optimize Your APIC User Experience through API Mastery (PDF, 79 pages)
#CiscoLive BRKDCN-2635
ACI Troubleshooting: Optimize your APIC User Experience through API Mastery
Gabriel Monroy, CX Principal Engineer
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- You can't spell APIC without API
- Under-the-hood of an APIC Cluster
- Common API Usage Issues
- API Troubleshooting Tools
- Query Subscriptions as an ACI Troubleshooting Tool

Glossary of Acronyms
- ACI: Application Centric Infrastructure
- APIC: Application Policy Infrastructure Controller
- API: Application Programming Interface
- DME: Data Management Engine (ACI Service)
- FNV: Fabric Node Vector (ACI Switch registration info)
- MIT: Management Information Tree
- RV: Replica Vector (Shard/Replica State)
- REST: Representational State Transfer; a specific architectural style for web services
- extXMLApi: DME that works with NGINX
- PD: Policy Distributor; performs Policy Validation
- PE: Policy Element; main Switch Policy DME
- PM: Policy Manager; main APIC Policy DME
- MO: Managed Object (an ACI object saved in DME DBs)
- DB: Database, can be split into shards and replicated across APICs

You can't spell APIC without API

Before APIs
- DB manipulation is not user-friendly
- Diagram: App issuing statements directly against the DB
    UPDATE T1,T2 SET vlan=100 WHERE ...
    SELECT * FROM ... CROSS JOIN ...
    DELETE FROM T1,T2 WHERE ...

Why have an API?
- Diagram: App, API, DB, with API endpoints Change /someAPIEndpoint, Read /someAPIEndpoint, Erase /someAPIEndpoint
- App Interface Simplification
- App Logic

All ACI Interactions are via a REST API
- Clients: Custom script, CobraSDK, APIC Integration, NXOS Style CLI, moquery
- Requests: HTTP GET /someObject, HTTP POST /someObject, HTTP DELETE /someObject
- APIC supported REST Methods:
  - GET = R/O
  - POST = Create/Modify/Delete
  - DELETE = Delete
- Diagram: API (TCP:80/443), APIC Logic, DMEs, DB

Read the Response code
- Diagram: 200 Response + Payload, 400 Response + Payload, 200 Response + Payload
- Respond with HTTP/S Status Codes:
  - 2xx = OK
  - 4xx = Client Error
  - 5xx = Server Error

Anatomy of an APIC API Request
- DN Query: /api/node/mo/uni/tn-CL/ap-CLApp/epg-DB.json
- Class Query: /api/node/class/fvAEPg.json
- Request parts, in order:
  - /node-ID: Which Node?*
  - /mo|class: What type of Query?
  - /DN|className: Distinguished name or Object Class
  - .xml|json: Response Encoding
  - ?options: Filters, Selectors, query modifiers

What about Switches?
- /api/class/vlanCktEp
- Querying switch MOs from an APIC requires switch DME lookups
    apic# moquery -c vlanCktEp
    Total Objects shown: 261
    # vlan.CktEp
    dn: topology/pod-1/node-101/sys/ctx-[vxlan-x]/bd-[vxlan-y]/vlan-[vlan-777]
- 261 MOs!
- vlanCktEp are here (on the switches)
- The dn contains a pointer to the source node

The Switches have an API too!
- /api/class/vlanCktEp
- Query a Switch API to return just that Switch's Objects
    Leaf-101# moquery -c vlanCktEp
    Total Objects shown: 61
    # vlan.CktEp
    dn: sys/ctx-[vxlan-x]/bd-[vxlan-y]/vlan-[vlan-777]
- 61 MOs!
- Source node pointer not in underlying object
- Switch CLI CMDs use its API

Under-the-hood of an APIC Cluster

An APIC Cluster
- Diagram: three APICs, Fully-Fit

DMEs, Shards, Replicas and Tokens
- Diagram: a DME with Shard 1 ... Shard 32, each shard holding replicas R1, R2, R3
- There are always 3 Replicas
- There are always 32 Shards*
- *Not every DME is sharded
- Shards use a Token Queuing System

Main APIC DMEs for "general" configuration
- extXMLApi (4): Hosts API, manages aaa fsm
- Policy Distributor (33): First level policy validation
- Policy Manager (6): Main Logical Policy DB, sends policy to other APIC and Switch DMEs
- Event Manager (3): Create and manage MO events
- Each handoff and replication costs tokens

Fully-Fit 3 APIC Cluster Shard Leadership
- Replica held by each APIC, per shard:
    Shard      APIC 1  APIC 2  APIC 3
    Shard 1    1       2       3
    Shard 2    3       1       2
    Shard 3    2       3       1
    ...
    Shard 32   3       1       2
- One replica per shard is labelled Leader
- Shard Leader handles Write Operations
- Multiple APICs = Distributed processing
- Leadership assigned by predetermined hashed

Degraded Leadership
- Diagram: same shard/replica layout as the Fully-Fit slide, with one replica labelled Unexpected Leader
- Shards still have the Majority of Replicas; 2 out of 3
- Write operations still available

Diverged APIC Cluster - Minority State
- Diagram: same shard/replica layout, with replicas labelled Minority
- Minority state = RO Operations
- APIC 1 isolated from APIC 2 and 3

acidiag rvread: read shards and replicas
- Diagram: DME (Policymgr, SVC ID 6) with Shard 1 ... Shard 32, each with R1, R2, R3
    apic# acidiag rvread
- Output: a legend (- unexpected state; /- unexpected mutator), a shard row numbered 1 to 32 and a replica row repeating 1 2 3 under every shard
- A boring rvread is a healthy rvread

acidiag rvread svcID shardID
    apic1# acidiag rvread -h
    usage: acidiag rvread [-h] [subcommand [subcommand ...]]
    positional arguments:
      subcommand  optional svcID shardID replicID

    apic1# acidiag rvread 6 1
    (6,1,1) st:6 lm(t):1(2022-03-09T03:56:31.224+00:00) le: reSt:LEADER ...
    (6,1,2) st:6 lm(t):2(2022-03-09T03:48:04.444+00:00) le: reSt:FOLLOWER ...
    (6,1,3) st:6 lm(t):3(2022-03-09T04:21:04.208+00:00) le: reSt:FOLLOWER ...
    clusterTime=diff=-1099290 common=2022-04-15T21:33:22.809+00:00 local=2022-04-15T21:51:42.099+00:00 pF=
- rvread accepts svcID and shardID. Example: svcId 6 (PM) and shard 1
- reSt: APIC 1 is leader of Shard 1
- lm(t): which APIC has that Replica; APIC 1 happens to have Replica 1

acidiag rvread - Find Shard Leaders
    apic1# acidiag rvread 6 | awk -F "voGr" '{print $1}'
    (6,1,1) st:6 lm(t):1(2022-03-09T03:56:31.224+00:00) le: reSt:LEADER
    (6,1,2) st:6 lm(t):2(2022-03-09T03:48:04.444+00:00) le: reSt:FOLLOWER
    (6,1,3) st:6 lm(t):3(2022-03-09T04:21:04.208+00:00) le: reSt:FOLLOWER
    (6,2,1) st:6 lm(t):2(2022-03-09T03:56:32.244+00:00) le: reSt:LEADER
    (6,2,2) st:6 lm(t):3(2022-03-09T04:21:02.145+00:00) le: reSt:FOLLOWER
    (6,2,3) st:6 lm(t):1(2022-03-09T03:19:53.559+00:00) le: reSt:FOLLOWER
    ...
    (6,31,1) st:6 lm(t):1(2022-03-09T03:56:30.094+00:00) le: reSt:LEADER
    (6,31,2) st:6 lm(t):2(2022-03-09T03:48:28.880+00:00) le: reSt:FOLLOWER
    (6,31,3) st:6 lm(t):3(2022-03-09T04:21:04.214+00:00) le: reSt:FOLLOWER
    (6,32,1) st:6 lm(t):2(2022-03-09T03:56:36.575+00:00) le: reSt:LEADER
    (6,32,2) st:6 lm(t):3(2022-03-09T04:21:05.076+00:00) le: reSt:FOLLOWER
    (6,32,3) st:6 lm(t):1(2022-03-09T03:20:05.416+00:00) le: reSt:FOLLOWER
    clusterTime=diff=-1099289 common=2022-04-15T21:50:54.647+00:00 local=2022-04-15T22:09:13.936+00:00 pF=
- APIC 2 has R1 of Shard 2
- APIC 2 is Shard 2 Leader

Summary of Cluster States
- Fully Fit: Expected Leaders; all shards/replicas reachable; R/W Operations Available
- Data Layer Degraded Leadership: Unexpected Leaders; Replica Majority reachable; R/W Operations Available
- Data Layer Diverged: Minority State; unreachable shards or replicas; R/O Operations
- Slide label: Realm of API Issues

acidiag cluster - APICs
    apic# acidiag cluster
    Admin password:
    Checking Wiring and UUID: OK
    Checking AD Processes: Running
    Checking All Apics in Commission State: OK
    Checking All Apics in Active State: OK
    Checking Leadership Degration: Optimal leaders
    Ping OOB IPs:
    APIC-1: 192.168.1.1 - OK
    APIC-2: 192.168.1.2 - OK
    APIC-3: 192.168.1.3 - OK
    Ping Infra IPs:
    APIC-1: 10.0.0.1 - OK
    APIC-2: 10.0.0.2 - OK
    APIC-3: 10.0.0.3 - OK
    Checking APIC Versions: Same (5.2(4d))
- *Requires Admin Password
- Checks covered: APIC States, Chassis UUID, Shard/Replica Convergence, INFRA and OOB Ping tests, Version Verification

acidiag cluster - APICs (full output)
    apic# acidiag cluster
    Admin password:
    Checking Wiring and UUID: OK
    Checking AD Processes: Running
    Checking All Apics in Commission State: OK
    Checking All Apics in Active State: OK
    Checking Fabric Nodes: OK
    Checking Apic Fully-Fit: OK
    Checking Shard Convergence: OK
    Checking Leadership Degration: Optimal leader for all shards
    Ping OOB IPs:
    APIC-1: 172.21.208.154 - OK
    APIC-2: 172.21.208.155 - OK
    APIC-3: 172.21.208.156 - OK
    Ping Infra IPs:
    APIC-1: 10.0.0.1 - OK
    APIC-2: 10.0.0.2 - OK
    APIC-3: 10.0.0.3 - OK
    Checking APIC Versions: Same (5.2(4d))
    Checking SSL: OK
    Full file system(s): None

Check acidiag manual for DME names
    apic# man acidiag
    Service IDs:
    ...
    3 - eventmgr
    4 - extXMLApi
    5 - policyelem
    6 - policymgr
    7 - reader
    8 - ae
    9 - topomgr
    ...
    31 - opflexp
    32 - analytics
    33 - policydist
    34 - plgnhandler
    35 - domainmgr
    36 - licensemgr

Checking Tokens of DMEs
    apic1# cat /debug/apic1/policymgr/ifm/debug/mo | egrep "id|tokens.available"
    id : 0
    tokens.available: 1000
    id : 1
    tokens.available: 902
    id : 2
    tokens.available: 1000
    id : 3
    tokens.available: 727
    id : 4
    tokens.available: 852
- Path on the slide: cat /debug/ifm/debug/mo
- PM Shard 1 has 902/1000 tokens available

Common API Usage Issues

UI Usage Issue: Can I go the distance?
- Issue: UI across a complex topology compounds symptoms of High API Usage
- Diagram: one path through VPNs, Inspection, proxy, etc. for .5s latency (API x 10), and one through a geographically closer Jump Server with sub-second latency (API x 10)

Login Usage Issue: Login per Request
- Diagram: a POST to /api/aaaLogin.json before every GET, repeated per request
- Login Rate of 2 Requests/second is the default non-configurable throttle
- Doubles rate of query
- Each login spawns a new session

Proper Login Usage: Session Refresh
- Diagram: one POST to /api/aaaLogin.json, then GET, GET, GET ..., then at 9 minutes a GET to /api/aaaRefresh.json
- A successful Login returns cookie: imdata[0].aaaLogin.attributes.token
- GET aaaRefresh with cookie: extends session by configured timeout
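
The session-refresh pattern above, as an added example (not code from the slides or from Cisco): a client that logs in once and calls aaaRefresh shortly before the timeout instead of logging in per request. The `ApicSession` name, the injected `transport` callable, the 60-second margin and the 600-second timeout used in `demo()` are assumptions; the `refreshTimeoutSeconds` attribute and the `APIC-cookie` cookie name are not shown on the slide.

```python
import json
import time

LOGIN_PATH = "/api/aaaLogin.json"
REFRESH_PATH = "/api/aaaRefresh.json"


class ApicSession:
    """Reuse one APIC session: a single aaaLogin, then aaaRefresh before expiry.

    `transport(method, path, body, cookies)` is a hypothetical callable that
    sends the HTTPS request and returns the decoded JSON reply.
    """

    def __init__(self, transport, user, password, clock=time.monotonic,
                 refresh_margin=60):
        self._transport = transport
        self._user, self._password = user, password
        self._clock = clock
        self._margin = refresh_margin     # seconds before expiry to refresh
        self._token = None
        self._expires_at = 0.0
        self.logins = 0                   # counters make the API cost visible
        self.refreshes = 0

    def _store(self, reply):
        # aaaLogin and aaaRefresh both answer with imdata[0].aaaLogin.attributes
        attrs = reply["imdata"][0]["aaaLogin"]["attributes"]
        self._token = attrs["token"]
        self._expires_at = self._clock() + int(attrs["refreshTimeoutSeconds"])

    def _cookies(self):
        return {"APIC-cookie": self._token}

    def _login(self):
        body = json.dumps({"aaaUser": {"attributes": {
            "name": self._user, "pwd": self._password}}})
        self._store(self._transport("POST", LOGIN_PATH, body, {}))
        self.logins += 1

    def _refresh(self):
        self._store(self._transport("GET", REFRESH_PATH, None, self._cookies()))
        self.refreshes += 1

    def _ensure_session(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            self._login()        # no session yet, or it has already expired
        elif now >= self._expires_at - self._margin:
            self._refresh()      # still valid: extend it, no new session

    def get(self, path):
        self._ensure_session()
        return self._transport("GET", path, None, self._cookies())


def demo():
    """Constructed in-memory stand-in for an APIC; no network is used."""
    now = [0.0]

    def fake_transport(method, path, body, cookies):
        if path in (LOGIN_PATH, REFRESH_PATH):
            return {"imdata": [{"aaaLogin": {"attributes": {
                "token": "constructed-token",
                "refreshTimeoutSeconds": "600"}}}]}
        return {"totalCount": "0", "imdata": []}

    session = ApicSession(fake_transport, "automation", "constructed-pw",
                          clock=lambda: now[0])
    for minute in range(30):             # one query per minute for 30 minutes
        now[0] = minute * 60.0
        session.get("/api/class/fvTenant.json")
    return session.logins, session.refreshes
```

Thirty queries cost one login and three refreshes here, against thirty logins (and thirty sessions) with login-per-request.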

Proper Login Usage: User Certificate Signature
- The client holds a .crt and .key pair
- Request: GET https://a.p.i.c/api/class/fvTenant.json
- cookies:
    APIC-Request-Signature=signature;
    APIC-Certificate-Algorithm=v1.0;
    APIC-Certificate-Fingerprint=fingerprint;
    APIC-Certificate-DN=user_cert_dn;
- DN of user cert object: uni/userext/user-automation/usercert-autocert

Generating the Signature
- Request: GET https://a.p.i.c/api/class/fvTenant.json
1. Build Payload from API Request: "GET/api/class/fvTenant.json"
2. Calculate Signature with .key against Payload
3. Convert Signature to base64 format and add to cookies of request
- cookies:
    APIC-Request-Signature=signature;
    APIC-Certificate-Algorithm=v1.0;
    APIC-Certificate-Fingerprint=fingerprint;
    APIC-Certificate-DN=user_cert_dn;

Signed Request CURL Example
    # PREREQS: CRT/KEY generated. CRT added to APIC Local User.
    # REQUEST: GET
    # Prep Request Payload
    echo -n "GET/api/class/fvTenant.json" > payload.txt
    # Use private key to generate signature
    openssl dgst -sha256 -sign automation.key payload.txt > payload_sig.bin
    # Convert signature to base64
    openssl base64 -A -in payload_sig.bin -out payload_sig.base64
    # Send the CURL with specific cookies including base64 signature and DN of APIC Local User CRT.
    # The signature is read from the file written above.
    # -k skips TLS certificate verification, as on the slide; use --cacert with the APIC's CA certificate where one is installed.
    curl -k --cookie "APIC-Request-Signature=$(cat payload_sig.base64); APIC-Certificate-Algorithm=v1.0; APIC-Certificate-Fingerprint=fingerprint; APIC-Certificate-DN=uni/userext/user-automation/usercert-autocert" https://a.p.i.c/api/class/fvTenant.json

Signed Request Python Example
    from OpenSSL.crypto import FILETYPE_PEM, load_privatekey, sign
    import requests
    import base64

    APIC_ADDR = "https://a.p.i.c"
    USERNAME = "automation"
    CERT_MO = "autocert"
    key_file_path = f"{USERNAME}.key"
    cert_dn = f"uni/userext/user-{USERNAME}/usercert-{CERT_MO}"
    method = "GET"
    api = "/api/class/fvTenant.json"
    url = APIC_ADDR + api

    # Load the private key that matches the certificate on the APIC local user
    with open(key_file_path, "r") as f:
        key = f.read()
    x509Key = load_privatekey(FILETYPE_PEM, key)

    # Payload is the method immediately followed by the path, no separator
    payload = method.encode("utf-8") + api.encode("utf-8")
    # Note: OpenSSL.crypto.sign is deprecated in recent pyOpenSSL releases
    signedDigest = sign(x509Key, payload, "sha256")
    signature = base64.b64encode(signedDigest).decode("utf-8")

    cookies = {
        "APIC-Request-Signature": signature,
        "APIC-Certificate-Algorithm": "v1.0",
        "APIC-Certificate-Fingerprint": "fingerprint",
        "APIC-Certificate-DN": cert_dn,
    }
    # verify=False disables TLS certificate validation, as on the slide;
    # pass a CA bundle path instead where the APIC certificate can be validated
    r = requests.get(url, cookies=cookies, verify=False)

- Key and certificate generation command shown on the same slide:
    # rsa:1024 is the slide's value; 1024-bit RSA is below the 2048-bit minimum in current key-size guidance
    openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout automation.key -out automation.crt -subj "/CN=Auto User/O=Cisco Live/C=US"

Track a Signed Request: nginx logs
    apic1# egrep "Signature" /var/log/dme/log/nginx.bin.log
    ...snip...
    5649|2023-04-25T10:18:30.451349393-04:00|nginx|DBG4|co=doer:255:127:0xff0000000a1c8c18:1|Requested UserCert uni/userext/user-automation/usercert-autocert Fingerprint fingerprint Signature VMtWCs3MU... Algorithm Version v1.0 ...
- user-automation: Username for cert lookup + audit logging
- usercert-autocert: Certificate Object to verify signature against
- Signature: Signature from cookies of sent Request

Request Usage Issues: Optimize per Use-Case
- Use Case: I want to monitor Node 101 Interface Stats
- DN: topology/pod-1/node-101/sys/phys-[eth1/1]/dbgEtherStats
- DN root is topology, not uni
- Pod ID and Node ID are both Parent Objects
- Interface ID is a Parent Parameter
- rmonEtherStats is the className of the MO in question

Request Usage: The Flexibility of the API
- Use Case: I want to monitor Node 101 Interface Stats
- Diagram: Pods (Pod 1, Pod 2), Switches (101, 102 ... 499, 500) and Interfaces (1 ... 54), each interface holding an rmonEtherStats object; the query scopes are labelled High Count, Heavy Volume, Heavy Volume and Just Right
- Goal: Use Query Options to Filter based on use case
- Response Object limit: 100K* (*5.2(6e)+: 300K)

Interface Stats Object
    apic# moquery -d topology/pod-1/node-101/sys/phys-[eth1/1]/dbgEtherStats
    totalCount: 1
    imdata:
      rmonEtherStats:
        attributes:
          broadcastPkts: 15964
          cRCAlignErrors: 0
          dn: topology/pod-1/node-101/sys/phys-[eth1/1]/dbgEtherStats
          ...
          rXNoErrors: 46046
          tXNoErrors: 73140
          ...

Query Options Usage
- Target Modifiers: query-target, target-subtree-class, query-target-filter
- Response Filters: rsp-subtree, rsp-subtree-class, rsp-subtree-filter, rsp-subtree-include
- Sort and Sizing: order-by, page, page-size, time-range
- Defaults for /api/mo/uni/tn-CL.xml: ?query-target=self&rsp-subtree=no
- /api/class/fvTenant.xml uses the same defaults

Options: Defaults
- Tree used on these slides: Policy Universe (uni) > Tenant (tn-CL) > App Profile (ap-CLApp) > EPG (ep-1, ep-2), plus bd, ctx, subnet and pol children
- Query: uni/tn-CL.xml?query-target=self&rsp-subtree=no
- Response: fvTenant
- MOs returned: 1

Options: Query Target Children
- Query: uni/tn-CL.xml?query-target=children
- Response: fvAp, fvBD, fvCtx ... every other child ... and so on
- MOs returned: 2+

Options: Target Subtree Class
- Query: uni/tn-CL.xml?query-target=children&target-subtree-class=fvAp
- Response: fvAp
- MOs returned: only child fvAp

Options: Query Target Subtree
- Query: uni/tn-CL.xml?query-target=subtree
- Response: fvAp, fvAEPg, fvStPathAtt, fvCEp (Learned MACs), fvIp (Learned IPs) ... and so on
- Flat Structure!
- MOs returned: x00+

Options: Query Target Subtree with Target Subtree Class
- Query: uni/tn-CL.xml?query-target=subtree&target-subtree-class=fvIp
- Response: fvIp, fvIp, fvIp, fvIp (Learned IPs)
- MOs returned: 4

Options: Response Subtree
- Query: uni/tn-CL.xml?query-target=self&rsp-subtree=full
- Response: fvTenant with its children nested inside it: fvBD, fvSubnet, fvCtx, fvAp, fvAEPg, fvCEp ...
- MOs returned: 1 parent, all branches
- Nested structure!
- Powerful when combined with a class query

Options: Response Subtree Class
- Query: uni/tn-CL.xml?rsp-subtree=full&rsp-subtree-class=fvAp
- Response: fvTenant, fvAp, fvAEPg, fvCEp and so on
- MOs returned: 1 parent, fvAp branch
- Focus on branches of the class(es) specified

Advanced Options: The Filters
- Target Modifiers: query-target-filter
- Response Filters: rsp-subtree-filter, rsp-subtree-include
- query-target-filter and rsp-subtree-filter use the same syntax
- Filter Syntax: L.O.(class.param,"value"), for example eq(fvAp.name,"CLapp")
    class/fvTenant.xml?rsp-subtree-filter=eq(fvTenant.name,"CL")
    class/fvTenant.xml?query-target-filter=eq(fvTenant.name,"CL")

Advanced Options: All Logical Operators
- eq: Equal to
- ne: Not equal to
- lt: Less than
- gt: Greater than
- le: Less than or equal to
- ge: Greater than or equal to
- bw: Between
- not: Logical inverse
- and: Logical AND
- or: Logical OR
- xor: Logical exclusive OR
- true: Boolean TRUE
- false: Boolean FALSE
- anybit: TRUE if at least one bit is set
- allbits: TRUE if all bits are set
- wcard: Wildcard
- pholder: Property holder
- passive: Passive holder
- Multiple Filter Syntax: L.O.(class.param,"value") terms nested inside a logical operator, for example
    and(ne(fvAp.name,"CLapp"),ne(fvAp.name,"TRapp"))

Advanced Options: Response Subtree Include
- Response Filters: rsp-subtree-include has Unique Behaviors
- Query: class/eventRecord.xml?rsp-subtree-include=count
- Response: moCount with count: 528430, dn: cnt
- MOs returned: 1

Advanced Options: Response Subtree Include operators
- Related MOs (Operator: Class)
  - audit-logs: aaaModLR
  - event-logs: eventRecord
  - fault-records: faultRecord
  - health-records: healthRecord
  - count: moCount of top level
- Child MOs (Operator: Class)
  - faults: faultInst, faultDelegate
  - health: healthInst
  - relations: *many
  - stats: *many
  - tasks: *very low level
- Response Options (Operator: Returns)
  - subtree: Must be used with no-scope, pulls subtree into logic
  - no-scoped: Only return above included objects, not the parents. Flattens the result.
  - required: Only return parent MO if included child object exists.

Example Response Subtree Include Queries
- Get Count of all MOs under all Tenants:
    class/fvTenant.xml?query-target=subtree&rsp-subtree-include=count
- Get audits for subtree of tn-CL:
    uni/tn-CL.xml?rsp-subtree-include=audit-logs,subtree,no-scoped
- Get live faults for subtree of tn-CL:
    uni/tn-CL.xml?query-target=subtree&rsp-subtree-include=faults,no-scoped

Advanced Options: Sort and Paginate
- Sort and Sizing: order-by, page, page-size, time-range
- Sort ascending or descending:
    class/aaaModLR.xml?order-by=aaaUser.firstName|desc
- Paginate through chunks of response:
    class/aaaModLR.xml?page=0&page-size=1000
- High Churn Record objects may result in duplicates

Advanced Options: time-range Record Freeze*
- *5.2(3)+
- Freeze Rolling Records:
    class/eventRecord.xml?page=0&page-size=2000&time-range=24h
- Must start with page=0, then leaf through page+=1 to maintain freeze
- page-size limit of 2000
- time-range units and syntax:
  - hours: xxh
  - weeks: xxweek
  - months: xxmonth
  - Range: yyyy-mm-dd|yyyy-mm-dd
- Auto-sorts on time

API Troubleshooting Tools

When using the UI: Browser Dev Tools
- "Network" Tab

Browser Dev Tools: The Request
- The full request sent by the browser

Browser Dev Tools: Timing
- Timing of different phases
- 171ms between sending then receiving response

Browser Dev Tools: Slow APIC Response
- 66000ms between sending then receiving response

System Response Time: Enable Calculation
- Response Threshold = "Slow" threshold to flag a request
- Frequency = how often to check
- Top Slowest Requests = # of Requests to track within each interval, per APIC

Server Response Time: View Slowest Requests
- Columns: Source IP, HTTP Request Method, Response Code, Response Time, API Endpoint, Timestamp
- 90000ms+ for a faultInfo query

Server Response Time: Threshold Events
- 18 Requests exceeded defined threshold

NGINX Includes access.log
    apic1# tail /var/log/dme/log/access.log
    127.0.0.1 (-) - 07/Apr/2022:20:10:59 +0000 GET /api/class/topInfo.xml HTTP/1.1 200 194 - python-requests
    127.0.0.1 (-) - 07/Apr/2022:20:10:59 +0000 GET /api/class/topInfo.xml HTTP/1.1 200 194 - python-requests
    127.0.0.1 (-) - 07/Apr/2022:20:10:59 +0000 GET /api/class/topSystem.xml HTTP/1.1 403 243 - Python-urllib
    127.0.0.1 (-) - 07/Apr/2022:20:10:59 +0000 GET /api/class/fvTenant.xml HTTP/1.1 200 15863 - Python-urllib
    127.0.0.1 (-) - 07/Apr/2022:20:11:00 +0000 GET /api/class/topInfo.xml HTTP/1.1 200 194 - python-requests/
- Every Request to this APIC is logged
- Fields: Source IPs, Timestamp, HTTP Request Method, Request API Endpoint, Response Status Code, Client Library

Access Log Analyzer
    apic1# python /tmp/accLogAnalyzer.py
    apic1# cat acclogAnalysis_2022-06-07T17:50:27.output
    Access Log Time Analysis Summary:
      Total # of Requests: 46669
      Time Coverage: 109.416666667 Minutes (6565.0 s)
      Avg # of Reqs: 7.11 Queries per second
    Burst Summary:
      602 15+ requests-per-second bursts found.
    Remote Address Summary:
      Remote addr 127.0.0.1 request count: 10811 (%23.17 of total reqs)
      Remote addr 192.168.2.32 request count: 28431 (%60.92 of total reqs)
      ...
    User-Agent Summary:
      User-agent Mozilla/5.0 (Wi... request count: 3398 (%7.28 of total reqs)
      User-agent python-requests... request count: 29052 (%62.25 of total reqs)
      ...
    Response Status Summary:
      Response code 200 count: 20008 (%42.87 of total reqs)
      Response code 403 count: 17036 (%36.5 of total reqs)
      ...
- http://cs.co/Access_Log_Analyzer
- Who? What? Why?
- 50k queries over 2 hours
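
The same who/what/why questions asked of access.log, as an added example (not Cisco's accLogAnalyzer.py): it parses each request and reports per-client bursts, clients whose requests are mostly rejected with 401/403, and clients already receiving 503s. The sample lines are constructed, and the bracketed timestamp and quoted request and user-agent fields in `LINE_RE` are an assumed NGINX-style layout; the thresholds other than the 15 requests per second from the output above are assumptions too.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: bracketed timestamp, quoted request and user agent.
# Adjust LINE_RE if the access.log on your APIC is punctuated differently.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \(\S*\) \S+ \[(?P<ts>[^\]]+)\] ?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return one request as a dict, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, burst_rps=15, min_requests=10, deny_ratio=0.5):
    """Summarise who is calling the API, how fast, and with what result."""
    parsed = [parse_line(line) for line in lines]
    recs = [r for r in parsed if r is not None]
    if not recs:
        return {"total": 0, "unparsed": len(parsed)}
    span = (max(r["ts"] for r in recs)
            - min(r["ts"] for r in recs)).total_seconds()
    by_addr = Counter(r["addr"] for r in recs)
    # Counted per client and second, because the throttle tracks per client IP
    per_second = Counter((r["addr"], r["ts"]) for r in recs)
    denied = Counter(r["addr"] for r in recs if r["status"] in (401, 403))
    throttled = Counter(r["addr"] for r in recs if r["status"] == 503)
    return {
        "total": len(recs),
        "unparsed": len(parsed) - len(recs),
        "avg_rps": round(len(recs) / max(span, 1.0), 2),
        "by_addr": dict(by_addr),
        "by_agent": dict(Counter(r["agent"] for r in recs)),
        "by_status": dict(Counter(r["status"] for r in recs)),
        # (client, second, count) where one client reached the burst rate
        "bursts": sorted((a, t.isoformat(), n)
                         for (a, t), n in per_second.items() if n >= burst_rps),
        # Busy clients that are mostly rejected: a broken signer or an expired
        # token being retried in a loop rather than a working integration
        "mostly_denied": sorted(a for a, n in by_addr.items()
                                if n >= min_requests
                                and denied[a] / n >= deny_ratio),
        "throttled": dict(throttled),
    }


def sample_lines():
    """Constructed log lines for the example; not taken from a real APIC."""
    fmt = ('{ip} (-) - [07/Apr/2022:20:10:{s:02d} +0000] '
           '"GET {path} HTTP/1.1" {code} {size} "-" "{ua}"')
    lines = [fmt.format(ip="127.0.0.1", s=s, path="/api/class/topInfo.xml",
                        code=200, size=194, ua="python-requests")
             for s in range(10)]
    # One script: 16 rejected requests within a single second ...
    lines += [fmt.format(ip="192.168.2.32", s=5, code=403, size=243,
                         path="/api/class/topSystem.xml",
                         ua="Python-urllib")] * 16
    # ... followed by throttled ones
    lines += [fmt.format(ip="192.168.2.32", s=6, code=503, size=494,
                         path="/api/class/topSystem.xml",
                         ua="Python-urllib")] * 4
    lines.append("truncated or rotated line")
    return lines


if __name__ == "__main__":
    for key, value in analyze(sample_lines()).items():
        print(key, value)
```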

NGINX Request Throttle
- Relies on NGINX Rate Limiting
- Set Throttle Rate in R/M or R/S
- Track per client IP address
- Does not affect Self (UI + CLI)
- Burst of Rate x 2 + NoDelay
- Threshold cross = 503 response

Throttled Requests Receive 503 Response
    apic1# tail /var/log/dme/log/access.log
    192.168.1.1 (-) - 03/Jan/2023:19:22:06 +0000 GET /api/class/eventRecord.xml... HTTP/1.1 200 494 - python...
    192.168.1.1 (-) - 03/Jan/2023:19:22:06 +0000 GET /api/class/eventRecord.xml... HTTP/1.1 503 494 - python...
    192.168.1.1 (-) - 03/Jan/2023:19:22:06 +0000 GET /api/class/eventRecord.xml... HTTP/1.1 503 494 - python...
- 503s follow successful responses
- Focus on addressing the source of the high rate of requests
    apic1# tail /var/log/dme/log/error.log
    ... limiting requests, excess: 40.292 by zone httpsClientTagZone, client: h.o.s.t, request: GET /api/class/...
    2023/04/17 20:19:14 error ... limiting requests, excess: 40.292 by zone httpsClientTagZone, client: h.o.s.t, ... request: GET /api/node/..., host: a.p.i.c

Common Response Code Reasons
- 200: All good
- 4xx:
  - 400: PD rule hit; Duplicate object, new requirement, etc
  - 401: Authentication Issue; session expired, incorrect login Domain
  - 403: API signing issue; incorrect signature calculation. Auth issue; Token timeout and new session required
- 503:
  - "Unable to deliver the message": Check that all APICs are fully-fit, check for DME token exhaustion
  - "temporary overload": NGINX throttle enabled, Request Throttled; check nginx error.log

Query Subscriptions as an ACI Troubleshooting Tool

We are now the champions of Polling
- Diagram: HTTP GET /someObject to the APIC API (or Switch API and DME), answered with 200 Response + Payload
- Example polled command: show vlan extended
- Single transactional request, with single response
- How do I track live MO changes without a timer?

Let's talk WebSockets
- Diagram: HTTP 101 UPGRADE (WS Handshake), WS OPEN, WS MESSAGES, PING / PONG
- Handshake to OPEN channel
- As App State changes, User receives Messages
- Keepalives used to maintain OPEN

Subscribing to Query Results via WebSockets
- Open Socket with APIC Token: HTTP 101 UPGRADE, WSS /socket, WS OPEN
- Send query with subscription=yes: GET /api/class/fvTenant?subscription=yes
- The response carries the SubscriptionId
- Receive MO updates: fvTenant Updates
- Refresh Subscription with subId: GET /api/subscriptionRefresh?id=
- Subscription is tied to Login Session

Subscription - Under the hood
- Diagram: inside the APIC, API, PolicyDist, PolicyMgr and EventMgr; an Operator makes Tenant changes and the Subscriber, with WS OPEN, receives fvTenant Updates
- Receive MO events that go through eventMgr
- Logical MO changes: explicit config changes
- Record MO changes: audits, faults, events
- No Stats MO changes: frequency intensive
- Subscribable MOs subject to change: epRecord

Query Subscription Notification Message
    mypc$ python apic_query_subscription.py -a a.p.i.c -u gmonroy -x
    gmonroy password:
    * WebSocket Subscription Status & Messages *
    https://a.p.i.c/api/class/fvTenant.xml?subscription=yes&query-target=subtree&target-subtree-class=fvAEPg,fvBD
     - Subscription ID: 72339464170766337
    * WebSocket Subscription Messages *
    ...
- SubId in each update
- SubId in each message
- http://cs.co/APIC_Websocket_Starter

Go Beyond Configuration, Go full DevOps
- Consider MOs of importance going into a Maintenance Window
- Ex: Monitor fabricLooseNodes during VMM Maintenance
- Use Query Subscriptions to track those MOs during maintenance