From ca1602eed8f42e43c828896d7216b1ad538007c1 Mon Sep 17 00:00:00 2001 From: sanjanch Date: Fri, 23 Jan 2026 05:26:45 +0000 Subject: [PATCH 1/3] Added validation for CSCwd40071 --- aci-preupgrade-validation-script.py | 30 +++++ docs/docs/validations.md | 24 ++++ ...sInBStNode_invalid_addr_and_gw_config.json | 18 +++ ...gmtRsInBStNode_invalid_address_config.json | 18 +++ ...gmtRsInBStNode_invalid_gateway_config.json | 18 +++ ...nband_management_policy_misconfig_check.py | 119 ++++++++++++++++++ 6 files changed, 227 insertions(+) create mode 100644 tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json create mode 100644 tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json create mode 100644 tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json create mode 100644 tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py index 4b83f4c..bc274ef 100644 --- a/aci-preupgrade-validation-script.py +++ b/aci-preupgrade-validation-script.py 
@@ -6026,6 +6026,35 @@ def apic_downgrade_compat_warning_check(cversion, tversion, **kwargs): return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url) +@check_wrapper(check_title="Inband Management Policy Misconfiguration") +def inband_management_policy_misconfig_check(cversion, tversion, **kwargs): + + result = PASS + headers = ["Node_ID", "Address", "Gateway"] + data = [] + recommended_action = " Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects" + doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration" + + if not tversion: + return Result(result=MANUAL, msg=TVER_MISSING) + if cversion.older_than("6.0(4c)") and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")): + mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))') + for mgmtRsInBStNode in mgmtRsInBStNodes: + attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"] + addr = attrs['addr'] + gw = attrs['gw'] + node_match = re.search(node_regex, attrs['dn']) + node_id = node_match.group("node") + data.append([node_id, addr, gw]) + else: + return Result(result=NA, msg=VER_NOT_AFFECTED) + + if data: + result = FAIL_O + + return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url) + + # ---- Script Execution ---- @@ -6188,6 +6217,7 @@ class CheckManager: standby_sup_sync_check, isis_database_byte_check, configpush_shard_check, + inband_management_policy_misconfig_check, ] ssh_checks = [ diff --git a/docs/docs/validations.md b/docs/docs/validations.md index 68ca1c0..8789b39 100644 --- a/docs/docs/validations.md +++ b/docs/docs/validations.md 
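Review bot: In `inband_management_policy_misconfig_check`, the result of `re.search(node_regex, attrs['dn'])` is dereferenced with `node_match.group("node")` without a None check, so a `dn` that does not match would raise AttributeError and abort the check instead of reporting the object. `node_regex` is defined outside this hunk, so whether every `mgmtRsInBStNode` dn matches it cannot be confirmed here. Fall back to the raw dn, for example `node_id = node_match.group("node") if node_match else attrs['dn']`, so a misconfigured object is still listed. The function also has no docstring; a short one should state that it flags objects whose `addr` is `0.0.0.0` or `0.0.0.0/0` or whose `gw` is `0.0.0.0`. That is what the query filter matches, whereas the new section in docs/docs/validations.md mentions only the unmasked `0.0.0.0`.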
@@ -193,6 +193,7 @@ Items | Defect | This Script [Stale pconsRA Object][d26] | CSCwp22212 | :warning:{title="Deprecated"} | :no_entry_sign: [ISIS DTEPs Byte Size][d27] | CSCwp15375 | :white_check_mark: | :no_entry_sign: [Policydist configpushShardCont Crash][d28] | CSCwp95515 | :white_check_mark: | +[Inband Management Policy Misconfiguration][d29]| CSCwd40071 | :white_check_mark: | :no_entry_sign: [d1]: #ep-announce-compatibility [d2]: #eventmgr-db-size-defect-susceptibility @@ -222,6 +223,7 @@ Items | Defect | This Script [d26]: #stale-pconsra-object [d27]: #isis-dteps-byte-size [d28]: #policydist-configpushshardcont-crash +[d29]: #inband-management-policy-misconfiguration ## General Check Details 
@@ -2648,6 +2650,26 @@ Due to [CSCwp95515][59], upgrading to an affected version while having any `conf If any instances of `configpushShardCont` are flagged by this script, Cisco TAC must be contacted to identify and resolve the underlying issue before performing the upgrade. +### Inband Management Policy Misconfiguration + +RCA: + +Due to the defect [CSCwh80837][62], starting from version 6.0(4c), an implicit deletion of `fvRsCustQosPol` was introduced under InBand EPG as QoS configuration is not applicable to management inband EPG and it was raising an invalid fault under it. This implicit deletion triggers a re-processing and pushes updates to `fvInBEpP` (Inband Endpoint Profile) on leaf nodes where the inband management policy is deployed. + +Impact: + +When upgrading from versions prior to 6.0(4c) to versions 6.0(4c) or later, if there is a misconfiguration in the inband management policies (`mgmtRsInBStNode`) with invalid values, the re-processing triggered by [CSCwh80837][62] will expose the underlying [CSCwd40071][63] defect. This results in continuous policyelem core dumps when attempting to add any access policies configuration to a leaf switch (such as VLANs tied to leaf profiles via physical domain, AAEP, interface policy group, or port selector). + +The invalid configuration occurs when `mgmtRsInBStNode` has "0.0.0.0" values (with no mask) for either the "addr" or "gw" fields. + +Suggestion: + +This check identifies misconfigured `mgmtRsInBStNode` objects where either "addr" or "gw" attributes are set to "0.0.0.0" when the upgrade crosses the 6.0(4c) release boundary. Contact Cisco TAC to remove any identified misconfigured objects before performing the upgrade to prevent policyelem crashes. + +!!! note + The [CSCwd40071][63] defect affects versions 5.2(5c) and later, with a fix available in 6.0(1g). However, the issue will only be triggered during upgrades crossing 6.0(4c) due to [CSCwh80837][62]. 
+ + [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html @@ -2710,3 +2732,5 @@ If any instances of `configpushShardCont` are flagged by this script, Cisco TAC [59]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp95515 [60]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Inter [61]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#EnablePolicyCompression +[62]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh80837 +[63]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd40071 \ No newline at end of file diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json new file mode 100644 index 0000000..565e715 --- /dev/null +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json @@ -0,0 +1,18 @@ +[ + { + "mgmtRsInBStNode": { + "attributes": { + "tDn": "topology/pod-1/node-103", + "addr": "0.0.0.0", + "configurationMode": "static", + "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]", + "gw": "0.0.0.0", + "modTs": "2024-12-20T07:45:21.454+00:00", + "rType": "mo", + "rn": "rsinBStNode-[topology/pod-1/node-103]", + "stateQual": "none", + "tType": "mo" + } + } + } +] \ No newline at end of file 
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json new file mode 100644 index 0000000..ee47c09 --- /dev/null +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json @@ -0,0 +1,18 @@ +[ + { + "mgmtRsInBStNode": { + "attributes": { + "tDn": "topology/pod-1/node-103", + "addr": "0.0.0.0", + "configurationMode": "static", + "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]", + "gw": "191.1.1.1", + "modTs": "2024-12-20T07:45:21.454+00:00", + "rType": "mo", + "rn": "rsinBStNode-[topology/pod-1/node-103]", + "stateQual": "none", + "tType": "mo" + } + } + } +] \ No newline at end of file diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json new file mode 100644 index 0000000..9fc4c0c --- /dev/null +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json @@ -0,0 +1,18 @@ +[ + { + "mgmtRsInBStNode": { + "attributes": { + "tDn": "topology/pod-1/node-103", + "addr": "191.1.1.153/24", + "configurationMode": "static", + "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]", + "gw": "0.0.0.0", + "modTs": "2024-12-20T07:45:21.454+00:00", + "rType": "mo", + "rn": "rsinBStNode-[topology/pod-1/node-103]", + "stateQual": "none", + "tType": "mo" + } + } + } +] \ No newline at end of file diff --git a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py new file mode 100644 index 0000000..1c5d5dd --- /dev/null 
+++ b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py 
@@ -0,0 +1,119 @@ +import os +import pytest +import logging +import importlib +from helpers.utils import read_data + +script = importlib.import_module("aci-preupgrade-validation-script") + +log = logging.getLogger(__name__) +dir = os.path.dirname(os.path.abspath(__file__)) + +test_function = "inband_management_policy_misconfig_check" + +# icurl query +mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))' + + +@pytest.mark.parametrize( + "icurl_outputs, cversion, tversion, expected_result", + [ + # Target version missing + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "5.2(5c)", + None, + script.MANUAL, + ), + # Current version < 6.0(4c), target version = 6.0(4c), valid data + ( + { + mgmtRsInBStNode: [], + }, + "6.0(3g)", + "6.0(4c)", + script.PASS, + ), + # Current version < 6.0(4c), target version > 6.0(4c), valid data + ( + { + mgmtRsInBStNode: [], + }, + "6.0(3e)", + "6.0(8f)", + script.PASS, + ), + # Current version > 6.0(4c), target version >= 6.0(4c), invalid address + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), + }, + "6.0(4c)", + "6.0(5h)", + script.NA, + ), + + # Current version > 6.0(4c), target version >= 6.0(4c), invalid gateway + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), + }, + "6.0(5h)", + "6.0(5j)", + script.NA, + ), + # Current version > 6.0(4c), target version >= 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "6.0(5j)", + "6.0(6c)", + script.NA, + ), + # Current version < 6.0(4c), target version < 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "6.0(3g)", + "6.0(3f)", + script.NA, + ), + # Current version < 6.0(4c), target version >= 
6.0(4c), invalid address + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), + }, + "6.0(3g)", + "6.0(4c)", + script.FAIL_O, + ), + # Current version < 6.0(4c), target version >= 6.0(4c), invalid gateway + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), + }, + "5.3(2c)", + "6.1(4h)", + script.FAIL_O, + ), + # Current version < 6.0(4c), target version >= 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "5.2(8h)", + "6.1(3f)", + script.FAIL_O, + ), + ], +) +def test_logic(run_check, mock_icurl, cversion, tversion, expected_result): + result = run_check( + cversion = script.AciVersion(cversion), + tversion = script.AciVersion(tversion) if tversion else None, + ) + assert result.result == expected_result \ No newline at end of file From ebedcf4187186cb233104325cf5c635dacb9209b Mon Sep 17 00:00:00 2001 From: sanjanch Date: Sun, 15 Mar 2026 20:41:18 +0000 Subject: [PATCH 2/3] Addressed the comments --- aci-preupgrade-validation-script.py | 13 +- docs/docs/validations.md | 1 - .../mgmtRsInBStNode_valid_config.json | 1 + ...nband_management_policy_misconfig_check.py | 122 +++++++++--------- 4 files changed, 68 insertions(+), 69 deletions(-) create mode 100644 tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py index 4ebf529..19bf0b1 100644 --- a/aci-preupgrade-validation-script.py +++ b/aci-preupgrade-validation-script.py 
@@ -6055,17 +6055,14 @@ def auto_firmware_update_on_switch_check(cversion, tversion, **kwargs): @check_wrapper(check_title="Inband Management Policy Misconfiguration") -def inband_management_policy_misconfig_check(cversion, tversion, **kwargs): - +def inband_management_policy_misconfig_check(tversion, **kwargs): result = PASS headers = ["Node_ID", "Address", "Gateway"] data = [] - recommended_action = " Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects" + recommended_action = "Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects" doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration" - - if not tversion: - return Result(result=MANUAL, msg=TVER_MISSING) - if cversion.older_than("6.0(4c)") and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")): + + if tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)"): mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))') for mgmtRsInBStNode in mgmtRsInBStNodes: attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"] @@ -6076,10 +6073,8 @@ def inband_management_policy_misconfig_check(cversion, tversion, **kwargs): data.append([node_id, addr, gw]) else: return Result(result=NA, msg=VER_NOT_AFFECTED) - if data: result = FAIL_O - return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url) diff --git a/docs/docs/validations.md b/docs/docs/validations.md index 48ded78..5a574a3 100644 --- a/docs/docs/validations.md +++ b/docs/docs/validations.md @@ -227,7 +227,6 @@ Items | Defect | This Script [d29]: #auto-firmware-update-on-switch-discovery [d30]: #inband-management-policy-misconfiguration - ## General Check Details ### Compatibility (Target ACI Version) 
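Review bot: With the `if not tversion` guard removed, `tversion.newer_than("6.0(4c)")` is called unconditionally in `inband_management_policy_misconfig_check`, so a run without a target version would raise AttributeError on None unless `check_wrapper` or the caller handles that case, which this diff does not show. The same patch also deletes the test case that covered a missing target version, so nothing pins that behaviour any more. If the wrapper does not cover it, keep `if not tversion: return Result(result=MANUAL, msg=TVER_MISSING)` ahead of the version comparison; the same applies to the condition as rewritten in PATCH 3/3. The function body spans both hunks of this file and continues outside them.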
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json new file mode 100644 index 0000000..0637a08 --- /dev/null +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py index 1c5d5dd..f43bd37 100644 --- a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py +++ b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py 
@@ -5,115 +5,119 @@ from helpers.utils import read_data script = importlib.import_module("aci-preupgrade-validation-script") - log = logging.getLogger(__name__) dir = os.path.dirname(os.path.abspath(__file__)) - test_function = "inband_management_policy_misconfig_check" - -# icurl query mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))' - @pytest.mark.parametrize( - "icurl_outputs, cversion, tversion, expected_result", + "icurl_outputs, tversion, expected_result, expected_data", [ - # Target version missing + # Target version = 6.0(4c), valid data ( { - mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json") }, - "5.2(5c)", - None, - script.MANUAL, - ), - # Current version < 6.0(4c), target version = 6.0(4c), valid data - ( - { - mgmtRsInBStNode: [], - }, - "6.0(3g)", "6.0(4c)", script.PASS, + [] ), - # Current version < 6.0(4c), target version > 6.0(4c), valid data - ( - { - mgmtRsInBStNode: [], - }, - "6.0(3e)", - "6.0(8f)", - script.PASS, - ), - # Current version > 6.0(4c), target version >= 6.0(4c), invalid address + # Target version = 6.0(4c), invalid address ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), }, "6.0(4c)", - "6.0(5h)", - script.NA, + script.FAIL_O, + [ + ["103", "0.0.0.0", "191.1.1.1"], + ] ), - - # Current version > 6.0(4c), target version >= 6.0(4c), invalid gateway + # Target version = 6.0(4c), invalid gateway ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), }, - "6.0(5h)", - "6.0(5j)", - script.NA, + "6.0(4c)", + script.FAIL_O, + [ + ["103", "191.1.1.153/24", "0.0.0.0"], + ] ), - # Current version > 6.0(4c), target version >= 6.0(4c), invalid both data + # Target version = 6.0(4c), invalid both data ( { mgmtRsInBStNode: read_data(dir, 
"mgmtRsInBStNode_invalid_addr_and_gw_config.json"), }, - "6.0(5j)", - "6.0(6c)", - script.NA, + "6.0(4c)", + script.FAIL_O, + [ + ["103", "0.0.0.0", "0.0.0.0"], + ] ), - # Current version < 6.0(4c), target version < 6.0(4c), invalid both data + # Target version > 6.0(4c), valid data ( { - mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"), }, - "6.0(3g)", - "6.0(3f)", - script.NA, + "6.0(8f)", + script.PASS, + [] ), - # Current version < 6.0(4c), target version >= 6.0(4c), invalid address + # Target version > 6.0(4c), invalid address ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), }, - "6.0(3g)", - "6.0(4c)", + "6.0(5h)", script.FAIL_O, + [ + ["103", "0.0.0.0", "191.1.1.1"], + ] ), - # Current version < 6.0(4c), target version >= 6.0(4c), invalid gateway + # Target version > 6.0(4c), invalid gateway ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), }, - "5.3(2c)", - "6.1(4h)", + "6.0(5j)", script.FAIL_O, + [ + ["103", "191.1.1.153/24", "0.0.0.0"], + ] ), - # Current version < 6.0(4c), target version >= 6.0(4c), invalid both data + # Target version > 6.0(4c), invalid both data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), }, - "5.2(8h)", - "6.1(3f)", + "6.0(6c)", script.FAIL_O, + [ + ["103", "0.0.0.0", "0.0.0.0"], + ] ), + # Target version < 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "6.0(3f)", + script.NA, + [] + ), + # Target version < 6.0(4c), valid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"), + }, + "6.0(3f)", + script.NA, + [] + ) ], ) -def test_logic(run_check, mock_icurl, cversion, tversion, expected_result): - result = run_check( - cversion = script.AciVersion(cversion), - tversion = script.AciVersion(tversion) if 
tversion else None, - ) - assert result.result == expected_result \ No newline at end of file +def test_logic(run_check, mock_icurl, tversion, expected_result, expected_data): + result = run_check(tversion=script.AciVersion(tversion)) + assert result.result == expected_result + assert result.data == expected_data \ No newline at end of file From f0bc1061e2bcad3414d72cfcabd1225300879eac Mon Sep 17 00:00:00 2001 From: sanjanch Date: Wed, 18 Mar 2026 11:48:03 +0000 Subject: [PATCH 3/3] Added cversion for the check --- aci-preupgrade-validation-script.py | 4 +- ...gmtRsInBStNode_invalid_address_config.json | 16 ++++ ...nband_management_policy_misconfig_check.py | 74 +++++++++++++++---- 3 files changed, 76 insertions(+), 18 deletions(-) diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py index 19bf0b1..91ca2f1 100644 --- a/aci-preupgrade-validation-script.py +++ b/aci-preupgrade-validation-script.py 
@@ -6055,14 +6055,14 @@ def auto_firmware_update_on_switch_check(cversion, tversion, **kwargs): @check_wrapper(check_title="Inband Management Policy Misconfiguration") -def inband_management_policy_misconfig_check(tversion, **kwargs): +def inband_management_policy_misconfig_check(cversion, tversion, **kwargs): result = PASS headers = ["Node_ID", "Address", "Gateway"] data = [] recommended_action = "Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects" doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration" - if tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)"): + if (cversion.older_than("5.2(8d)")) and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")): mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))') for mgmtRsInBStNode in mgmtRsInBStNodes: attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"] diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json index ee47c09..13d00cf 100644 --- a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json +++ b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json @@ -14,5 +14,21 @@ "tType": "mo" } } + }, + { + "mgmtRsInBStNode": { + "attributes": { + "tDn": "topology/pod-1/node-104", + "addr": "0.0.0.0/0", + "configurationMode": "static", + "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-104]", + "gw": "191.1.1.1", + "modTs": "2024-12-20T07:45:21.454+00:00", + "rType": "mo", + "rn": "rsinBStNode-[topology/pod-1/node-104]", + "stateQual": "none", + "tType": "mo" + } + } } ] \ No newline at end of file 
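Review bot: The new `cversion.older_than("5.2(8d)")` cutoff has no comment and does not match docs/docs/validations.md, which this patch leaves untouched and which still describes upgrades from versions prior to 6.0(4c) and a CSCwd40071 fix in 6.0(1g). As written, a fabric whose current version is a 6.0 release below 6.0(1g) is reported as not affected, which looks unintended if those releases lack the fix; that cannot be confirmed from the diff. Add a comment above the condition such as `# CSCwd40071: only current versions older than 5.2(8d) are treated as exposed (TODO confirm 6.0 releases before 6.0(1g))` and bring the doc section to the same boundary. The parentheses around `cversion.older_than("5.2(8d)")` are redundant. The function body continues outside the hunk.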
diff --git a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py index f43bd37..0a8c03d 100644 --- a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py +++ b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py 
@@ -11,113 +11,155 @@ mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))' @pytest.mark.parametrize( - "icurl_outputs, tversion, expected_result, expected_data", + "icurl_outputs, cversion, tversion, expected_result, expected_data", [ - # Target version = 6.0(4c), valid data + # Current version is affected, Target version = 6.0(4c), valid data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json") }, + "5.2(7g)", "6.0(4c)", script.PASS, [] ), - # Target version = 6.0(4c), invalid address + # Current version is affected, Target version = 6.0(4c), invalid address ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), }, + "5.2(7f)", "6.0(4c)", script.FAIL_O, [ ["103", "0.0.0.0", "191.1.1.1"], + ["104", "0.0.0.0/0", "191.1.1.1"], ] ), - # Target version = 6.0(4c), invalid gateway + # Current version is affected, Target version = 6.0(4c), invalid gateway ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), }, + "5.2(7f)", "6.0(4c)", script.FAIL_O, [ ["103", "191.1.1.153/24", "0.0.0.0"], ] ), - # Target version = 6.0(4c), invalid both data + # Current version is affected, Target version = 6.0(4c), invalid both data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), }, + "5.2(7f)", "6.0(4c)", script.FAIL_O, [ ["103", "0.0.0.0", "0.0.0.0"], ] ), - # Target version > 6.0(4c), valid data + # Current version is affected, Target version > 6.0(4c), valid data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"), }, + "5.2(7f)", "6.0(8f)", script.PASS, [] ), - # Target version > 6.0(4c), invalid address + # Current version is affected, Target version > 6.0(4c), invalid address ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"), }, + "5.2(7f)", "6.0(5h)", script.FAIL_O, [ ["103", "0.0.0.0", 
"191.1.1.1"], + ["104", "0.0.0.0/0", "191.1.1.1",] ] ), - # Target version > 6.0(4c), invalid gateway + # Current version is affected, Target version > 6.0(4c), invalid gateway ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"), }, + "5.2(7f)", "6.0(5j)", script.FAIL_O, [ ["103", "191.1.1.153/24", "0.0.0.0"], ] ), - # Target version > 6.0(4c), invalid both data + # Current version is affected, Target version > 6.0(4c), invalid both data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), }, + "5.2(7f)", "6.0(6c)", script.FAIL_O, [ ["103", "0.0.0.0", "0.0.0.0"], ] ), - # Target version < 6.0(4c), invalid both data + # Current version is affected, Target version < 6.0(4c), invalid both data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), }, - "6.0(3f)", + "5.2(7f)", + "6.0(3g)", script.NA, [] ), - # Target version < 6.0(4c), valid both data + # Current version is affected, Target version < 6.0(4c), valid both data ( { mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"), }, - "6.0(3f)", + "5.2(7f)", + "6.0(3g)", script.NA, [] - ) + ), + # Current version is not affected, Target version = 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "5.3(2f)", + "6.0(4c)", + script.NA, + [] + ), + # Current version is not affected, Target version > 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "5.3(2f)", + "6.0(6c)", + script.NA, + [] + ), + # Current version is not affected, Target version < 6.0(4c), invalid both data + ( + { + mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"), + }, + "5.3(2f)", + "6.0(3g)", + script.NA, + [] + ), ], ) -def test_logic(run_check, mock_icurl, tversion, expected_result, expected_data): - result = 
run_check(tversion=script.AciVersion(tversion)) +def test_logic(run_check, mock_icurl, cversion, tversion, expected_result, expected_data): + result = run_check(cversion=script.AciVersion(cversion), tversion=script.AciVersion(tversion)) assert result.result == expected_result assert result.data == expected_data \ No newline at end of file
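Review bot: The parametrized cases never exercise the boundary that the new condition introduces. Every "affected" case uses 5.2(7f) or 5.2(7g) and every "not affected" case uses 5.3(2f), so an off-by-one in `cversion.older_than("5.2(8d)")` (for example `<=` semantics) would still pass. Add a case with the current version exactly 5.2(8d), expecting NA as the code is written. A case with a 6.0 current version below 6.0(4c) would also document the intended outcome for that train.

```python
# … unchanged: existing parametrized cases …
        # Current version at the 5.2(8d) boundary, Target version = 6.0(4c), invalid both data
        (
            {
                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
            },
            "5.2(8d)",
            "6.0(4c)",
            script.NA,
            [],
        ),
```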