diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py
index f29c66b..91ca2f1 100644
--- a/aci-preupgrade-validation-script.py
+++ b/aci-preupgrade-validation-script.py
@@ -6053,6 +6053,31 @@ def auto_firmware_update_on_switch_check(cversion, tversion, **kwargs):
     return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+@check_wrapper(check_title="Inband Management Policy Misconfiguration")
+def inband_management_policy_misconfig_check(cversion, tversion, **kwargs):
+    result = PASS
+    headers = ["Node_ID", "Address", "Gateway"]
+    data = []
+    recommended_action = "Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects"
+    doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration"
+
+    if (cversion.older_than("5.2(8d)")) and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")):
+        mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))')
+        for mgmtRsInBStNode in mgmtRsInBStNodes:
+            attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"]
+            addr = attrs['addr']
+            gw = attrs['gw']
+            node_match = re.search(node_regex, attrs['dn'])
+            node_id = node_match.group("node")
+            data.append([node_id, addr, gw])
+    else:
+        return Result(result=NA, msg=VER_NOT_AFFECTED)
+    if data:
+        result = FAIL_O
+    return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+
 # ---- Script Execution ----
@@ -6216,6 +6241,7 @@ class CheckManager:
             isis_database_byte_check,
             configpush_shard_check,
             auto_firmware_update_on_switch_check,
+            inband_management_policy_misconfig_check,
         ]
         ssh_checks = [
diff --git a/docs/docs/validations.md b/docs/docs/validations.md
index f46e03d..5a574a3 100644
--- a/docs/docs/validations.md
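Review bot: `node_id = node_match.group("node")` inside the loop assumes `re.search(node_regex, attrs['dn'])` always matches; if the APIC ever returns a `mgmtRsInBStNode` whose `dn` does not carry the node pattern, `node_match` is `None` and the whole check aborts with AttributeError instead of reporting the object, so guard it, e.g. `node_id = node_match.group("node") if node_match else attrs.get("tDn", "")`, so a single odd DN cannot hide a switch-reboot condition from the upgrade report. The version gate `cversion.older_than("5.2(8d)")` also does not line up with the accompanying doc text, which says the issue applies to upgrades "from versions prior to 6.0(4c)" and that CSCwd40071 affects 5.2(5c) and later; if 5.2(8d) is the fixed release on the 5.2 train (the tests treat 5.3(2f) as unaffected), say so in a docstring such as `"""FAIL_O when a static inband node address/gateway is 0.0.0.0 and the upgrade crosses 6.0(4c); source releases >= 5.2(8d) carry the CSCwd40071 fix."""` and in the docs so an NA result for a 5.3 or 6.0(1)-6.0(3) source is not read as a false negative. Finally, `tversion.newer_than(...)` is evaluated without confirming a target version was supplied; if the framework can pass `tversion` as `None` (not visible in this hunk), the comparison raises rather than returning the script's usual "target version missing" result, so add that guard before the version test.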
+++ b/docs/docs/validations.md @@ -194,6 +194,7 @@ Items | Defect | This Script [ISIS DTEPs Byte Size][d27] | CSCwp15375 | :white_check_mark: | :no_entry_sign: [Policydist configpushShardCont Crash][d28] | CSCwp95515 | :white_check_mark: | :no_entry_sign: [Auto Firmware Update on Switch Discovery][d29] | CSCwe83941 | :white_check_mark: | :no_entry_sign: +[Inband Management Policy Misconfiguration][d30]| CSCwd40071 | :white_check_mark: | :no_entry_sign: [d1]: #ep-announce-compatibility [d2]: #eventmgr-db-size-defect-susceptibility @@ -224,6 +225,7 @@ Items | Defect | This Script [d27]: #isis-dteps-byte-size [d28]: #policydist-configpushshardcont-crash [d29]: #auto-firmware-update-on-switch-discovery +[d30]: #inband-management-policy-misconfiguration ## General Check Details 
@@ -2668,6 +2670,26 @@ To avoid this risk, consider disabling Auto Firmware Update before upgrading to This issue occurs because older switch firmware versions are not compatible with switch images 6.0(3) or newer. The APIC version is not a factor. +### Inband Management Policy Misconfiguration + +RCA: + +Due to the defect [CSCwh80837][64], starting from version 6.0(4c), an implicit deletion of `fvRsCustQosPol` was introduced under InBand EPG as QoS configuration is not applicable to management inband EPG and it was raising an invalid fault under it. This implicit deletion triggers a re-processing and pushes updates to `fvInBEpP` (Inband Endpoint Profile) on leaf nodes where the inband management policy is deployed. + +Impact: + +When upgrading from versions prior to 6.0(4c) to versions 6.0(4c) or later, if there is a misconfiguration in the inband management policies (`mgmtRsInBStNode`) with invalid values, the re-processing triggered by [CSCwh80837][64] will expose the underlying [CSCwd40071][65] defect. This results in continuous policyelem core dumps and switch reboot when attempting to add any access policies configuration to a leaf switch (such as VLANs tied to leaf profiles via physical domain, AAEP, interface policy group, or port selector). + +The invalid configuration occurs when `mgmtRsInBStNode` has "0.0.0.0" values (with no mask) for either the "addr" or "gw" fields. + +Suggestion: + +This check identifies misconfigured `mgmtRsInBStNode` objects where either "addr" or "gw" attributes are set to "0.0.0.0" when the upgrade crosses the 6.0(4c) release boundary. Contact Cisco TAC to remove any identified misconfigured objects before performing the upgrade to prevent policyelem crashes. + +!!! note + The [CSCwd40071][65] defect affects versions 5.2(5c) and later, with a fix available in 6.0(1g). However, the issue will only be triggered during upgrades crossing 6.0(4c) due to [CSCwh80837][64]. 
+ + [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html @@ -2731,4 +2753,6 @@ To avoid this risk, consider disabling Auto Firmware Update before upgrading to [60]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Inter [61]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#EnablePolicyCompression [62]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe83941 -[63]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-auto-firmware-update.html \ No newline at end of file +[63]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-auto-firmware-update.html +[64]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh80837 +[65]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd40071 \ No newline at end of file diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json new file mode 100644 index 0000000..565e715 --- /dev/null +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json 
@@ -0,0 +1,18 @@
+[
+  {
+    "mgmtRsInBStNode": {
+      "attributes": {
+        "tDn": "topology/pod-1/node-103",
+        "addr": "0.0.0.0",
+        "configurationMode": "static",
+        "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+        "gw": "0.0.0.0",
+        "modTs": "2024-12-20T07:45:21.454+00:00",
+        "rType": "mo",
+        "rn": "rsinBStNode-[topology/pod-1/node-103]",
+        "stateQual": "none",
+        "tType": "mo"
+      }
+    }
+  }
+]
\ No newline at end of file
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json
new file mode 100644
index 0000000..13d00cf
--- /dev/null
+++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json
@@ -0,0 +1,34 @@
+[
+  {
+    "mgmtRsInBStNode": {
+      "attributes": {
+        "tDn": "topology/pod-1/node-103",
+        "addr": "0.0.0.0",
+        "configurationMode": "static",
+        "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+        "gw": "191.1.1.1",
+        "modTs": "2024-12-20T07:45:21.454+00:00",
+        "rType": "mo",
+        "rn": "rsinBStNode-[topology/pod-1/node-103]",
+        "stateQual": "none",
+        "tType": "mo"
+      }
+    }
+  },
+  {
+    "mgmtRsInBStNode": {
+      "attributes": {
+        "tDn": "topology/pod-1/node-104",
+        "addr": "0.0.0.0/0",
+        "configurationMode": "static",
+        "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-104]",
+        "gw": "191.1.1.1",
+        "modTs": "2024-12-20T07:45:21.454+00:00",
+        "rType": "mo",
+        "rn": "rsinBStNode-[topology/pod-1/node-104]",
+        "stateQual": "none",
+        "tType": "mo"
+      }
+    }
+  }
+]
\ No newline at end of file
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json
new file mode 100644
index 0000000..9fc4c0c
--- /dev/null
+++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json
@@ -0,0 +1,18 @@
+[
+  {
+    "mgmtRsInBStNode": {
+      "attributes": {
+        "tDn": "topology/pod-1/node-103",
+        "addr": "191.1.1.153/24",
+        "configurationMode": "static",
+        "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+        "gw": "0.0.0.0",
+        "modTs": "2024-12-20T07:45:21.454+00:00",
+        "rType": "mo",
+        "rn": "rsinBStNode-[topology/pod-1/node-103]",
+        "stateQual": "none",
+        "tType": "mo"
+      }
+    }
+  }
+]
\ No newline at end of file
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json
new file mode 100644
index 0000000..0637a08
--- /dev/null
+++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py
new file mode 100644
index 0000000..0a8c03d
--- /dev/null
+++ b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py
@@ -0,0 +1,165 @@
+import os
+import pytest
+import logging
+import importlib
+from helpers.utils import read_data
+
+script = importlib.import_module("aci-preupgrade-validation-script")
+log = logging.getLogger(__name__)
+dir = os.path.dirname(os.path.abspath(__file__))
+test_function = "inband_management_policy_misconfig_check"
+mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))'
+
+@pytest.mark.parametrize(
+    "icurl_outputs, cversion, tversion, expected_result, expected_data",
+    [
+        # Current version is affected, Target version = 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json")
+            },
+            "5.2(7g)",
+            "6.0(4c)",
+            script.PASS,
+            []
+        ),
+        # Current version is affected, Target version = 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "191.1.1.1"],
+                ["104", "0.0.0.0/0", "191.1.1.1"],
+            ]
+        ),
+        # Current version is affected, Target version = 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "191.1.1.153/24", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected, Target version = 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected, Target version > 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(8f)",
+            script.PASS,
+            []
+        ),
+        # Current version is affected, Target version > 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(5h)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "191.1.1.1"],
+                ["104", "0.0.0.0/0", "191.1.1.1",]
+            ]
+        ),
+        # Current version is affected, Target version > 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(5j)",
+            script.FAIL_O,
+            [
+                ["103", "191.1.1.153/24", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected, Target version > 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(6c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected, Target version < 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+        # Current version is affected, Target version < 6.0(4c), valid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version = 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(4c)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version > 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(6c)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version < 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+    ],
+)
+def test_logic(run_check, mock_icurl, cversion, tversion, expected_result, expected_data):
+    result = run_check(cversion=script.AciVersion(cversion), tversion=script.AciVersion(tversion))
+    assert result.result == expected_result
+    assert result.data == expected_data
\ No newline at end of file
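Review bot: The parametrize list never pins the edges of the version gate the check actually implements: there is no case with `cversion` exactly "5.2(8d)" (which the check should treat as NA) nor a source at the documented lower bound of the defect such as "5.2(5c)", so a later change to `older_than("5.2(8d)")` would pass these tests unnoticed. There is also no fixture whose `dn` lacks the node pattern the script's `node_regex` expects, which is the only path through the check that can raise instead of reporting; a one-object fixture with a malformed `dn` and an expectation of either a row or a clean NA/PASS would document the intended behaviour. On style, `dir = os.path.dirname(os.path.abspath(__file__))` shadows the builtin `dir`; `test_dir` would avoid that, unless the sibling test modules already use `dir` and the `read_data` helper relies on that convention.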