New validation to address CSCwj69435 for the afected versions (#96)
* address CSCwj69435 for the afected versions

* new logic for validation, test and documents added but not completed

* new logic for validation, test and documents completed

* new logic for validation, test and documents completed - small change

* new logic for validation, test and documents completed - small change

* Update aci-preupgrade-validation-script.py

change doc_url

Co-authored-by: takishida <[email protected]>

* Update docs/docs/validations.md

change white_check_mark  to no_entry_sign

Co-authored-by: takishida <[email protected]>

* Update docs/docs/validations.md

match the section title with the name in the summary table.

Co-authored-by: takishida <[email protected]>

* This codeblock needs indentations with 4 spaces to be inside the example note.

* add 'else' to handle a case when the regex is not matching

* moving this new validation up to right beneath [L2 Port Config][f8]

* fix native-or-untagged-encap-failure and a minor alignment for [f9]

* minor fix of the docs

---------

Co-authored-by: takishida <[email protected]>
ehaminian and takishida authored Apr 23, 2024
1 parent d52fa97 commit 00462bb
Showing 5 changed files with 280 additions and 15 deletions.
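--- a/aci-preupgrade-validation-script.py
+++ b/aci-preupgrade-validation-script.py
@@ -2775,6 +2775,42 @@ def sup_a_high_memory_check(index, total_checks, tversion, **kwargs):
 return result
 
 
+def access_untagged_check(index, total_checks, **kwargs):
+title = 'Access (Untagged) Port Config (F0467 native-or-untagged-encap-failure)'
+result = FAIL_O
+msg = ''
+headers = ["Fault", "POD ID","Node ID","Port","Tenant", "Application Profile", "Application EPG", "Recommended Action"]
+unformatted_headers = ['Fault', 'Fault Description', 'Recommended Action']
+unformatted_data = []
+data = []
+recommended_action = 'Resolve the conflict by removing this config or other configs using this port in Access(untagged) or native mode.'
+doc_url = 'https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations#access-untagged-port-config'
+print_title(title, index, total_checks)
+
+faultInsts = icurl('class','faultInst.json?&query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")')
+fault_dn_regex=r"topology/pod-(?P<podid>\d+)/node-(?P<nodeid>[^/]+)/[^/]+/[^/]+/uni/epp/fv-\[uni/tn-(?P<tenant>[^/]+)/ap-(?P<app_profile>[^/]+)/epg-(?P<epg_name>[^/]+)\]/[^/]+/stpathatt-\[(?P<port>.+)\]/nwissues/fault-F0467"
+
+if faultInsts:
+fc = faultInsts[0]['faultInst']['attributes']['code']
+for faultInst in faultInsts:
+m = re.search(fault_dn_regex, faultInst['faultInst']['attributes']['dn'])
+if m:
+podid = m.group('podid')
+nodeid = m.group('nodeid')
+port = m.group('port')
+tenant = m.group('tenant')
+app_profile = m.group('app_profile')
+epg_name = m.group('epg_name')
+data.append([fc,podid, nodeid, port, tenant, app_profile, epg_name, recommended_action])
+else:
+unformatted_data.append(fc,faultInst['faultInst']['attributes']['descr'],recommended_action)
+
+if not data and not unformatted_data:
+result = PASS
+print_result(title, result, msg, headers, data, unformatted_headers, unformatted_data, recommended_action="", doc_url=doc_url)
+return result
+
+
 if __name__ == "__main__":
 prints(' ==== %s%s, Script Version %s ====\n' % (ts, tz, SCRIPT_VERSION))
 prints('!!!! Check https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script for Latest Release !!!!\n')
@@ -2822,6 +2858,7 @@ def sup_a_high_memory_check(index, total_checks, tversion, **kwargs):
 port_configured_as_l3_check,
 prefix_already_in_use_check,
 encap_already_in_use_check,
+access_untagged_check,
 bd_subnet_overlap_check,
 bd_duplicate_subnet_check,
 vmm_controller_status_check,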
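Review bot: In access_untagged_check, the `else` branch taken when a dn does not match `fault_dn_regex` calls `unformatted_data.append(fc,faultInst['faultInst']['attributes']['descr'],recommended_action)` with three arguments; `list.append` takes exactly one, so the first unmatched fault raises TypeError instead of being reported. Pass a single row: `unformatted_data.append([fc, faultInst['faultInst']['attributes']['descr'], recommended_action])`. `fc` is also read once from `faultInsts[0]` and reused for every row; reading `faultInst['faultInst']['attributes']['code']` inside the loop would keep each row tied to its own fault. For a pre-upgrade gate the fallback path is the one that runs when a fault dn has an unexpected shape, which is when the operator most needs the finding surfaced rather than a traceback.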
78 changes: 63 additions & 15 deletions docs/docs/validations.md
Expand Up @@ -58,14 +58,15 @@ Items | Faults | This Script
[Config On APIC Connected Port][f6] | F0467: port-configured-for-apic | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark:
[L3 Port Config][f7] | F0467: port-configured-as-l2 | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[L2 Port Config][f8] | F0467: port-configured-as-l3 | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[L3Out Subnets][f9] | F0467: prefix-entry-already-in-use | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark:
[BD Subnets][f10] | F0469: duplicate-subnets-within-ctx | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[BD Subnets][f11] | F1425: subnet-overlap | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[VMM Domain Controller Status][f12] | F0130 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark:
[VMM Domain LLDP/CDP Adjacency Status][f13] | F606391 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark:
[Different infra VLAN via LLDP][f14] | F0454: infra-vlan-mismatch | :white_check_mark: | :white_check_mark: 4.2(4) | :white_check_mark:
[HW Programming Failure][f15] | F3544: L3Out Prefixes<br>F3545: Contracts | :white_check_mark: | :white_check_mark: 5.1(1) | :white_check_mark:
[Scalability (faults related to Capacity Dashboard)][f16] | TCA faults for eqptcapacityEntity | :white_check_mark: | :no_entry_sign: | :white_check_mark:
[Access (Untagged) Port Config][f9] | F0467: native-or-untagged-encap-failure | :white_check_mark: | :no_entry_sign: | :no_entry_sign:
[L3Out Subnets][f10] | F0467: prefix-entry-already-in-use | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark:
[BD Subnets][f11] | F0469: duplicate-subnets-within-ctx | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[BD Subnets][f12] | F1425: subnet-overlap | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark:
[VMM Domain Controller Status][f13] | F0130 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark:
[VMM Domain LLDP/CDP Adjacency Status][f14] | F606391 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark:
[Different infra VLAN via LLDP][f15] | F0454: infra-vlan-mismatch | :white_check_mark: | :white_check_mark: 4.2(4) | :white_check_mark:
[HW Programming Failure][f16] | F3544: L3Out Prefixes<br>F3545: Contracts | :white_check_mark: | :white_check_mark: 5.1(1) | :white_check_mark:
[Scalability (faults related to Capacity Dashboard)][f17] | TCA faults for eqptcapacityEntity | :white_check_mark: | :no_entry_sign: | :white_check_mark:

[f1]: #apic-disk-space-usage
[f2]: #standby-apic-disk-space-usage
Expand All @@ -75,14 +76,17 @@ Items | Faults | This Script
[f6]: #config-on-apic-connected-port
[f7]: #l2l3-port-config
[f8]: #l2l3-port-config
[f9]: #l3out-subnets
[f10]: #bd-subnets
[f9]: #access-untagged-port-config
[f10]: #l3out-subnets
[f11]: #bd-subnets
[f12]: #vmm-domain-controller-status
[f13]: #vmm-domain-lldpcdp-adjacency-status
[f14]: #different-infra-vlan-via-lldp
[f15]: #hw-programming-failure
[f16]: #scalability-faults-related-to-capacity-dashboard
[f12]: #bd-subnets
[f13]: #vmm-domain-controller-status
[f14]: #vmm-domain-lldpcdp-adjacency-status
[f15]: #different-infra-vlan-via-lldp
[f16]: #hw-programming-failure
[f17]: #scalability-faults-related-to-capacity-dashboard




### Configuration Checks
Expand Down Expand Up @@ -664,6 +668,50 @@ It is critical that you resolve these issues before the upgrade to prevent any i
```


### Access (Untagged) Port Config
The APIC GUI or REST previously accepted two different access encapsulations on the same port, despite raising a fault with code F0467 and "native-or-untagged-encap-failure" in the changeSet. This configuration, likely resulting from user error, presents a significant risk of outage during switch upgrades or stateless reloads.

The script verifies these faults to ensure that a port is not configured as part of two access VLANs. You need to resolve the conflict causing this fault before any upgrades to prevent potential outages. Failure to do so may result in the deployment of a new VLAN/EPG on the port after the upgrade, leading to downtime in the environment.

!!! example "Fault Example (F0467: native-or-untagged-encap-failure)"
```
apic1# moquery -c faultInst -x 'query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")'
Total Objects shown: 1
# fault.Inst
code : F0467
ack : no
alert : no
annotation :
cause : configuration-failed
changeSet : configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no
childAction :
created : 2024-04-20T10:03:48.493+02:00
delegated : yes
descr : Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message:
dn : topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467
domain : tenant
extMngdBy : undefined
highestSeverity : minor
lastTransition : 2024-04-20T10:03:53.045+02:00
lc : raised
modTs : never
occur : 1
origSeverity : minor
prevSeverity : minor
rn : fault-F0467
rule : fv-nw-issues-config-failed
severity : minor
status :
subject : management
title :
type : config
uid :
userdom : all
apic1#
```
Please note that this behavior has recently changed. With the new behavior, rejected through policy distributor validation, two different access encapsulations are no longer allowed on the same port by the APIC. This change has been documented in CSCwj69435.


### L3Out Subnets

There is another type of the F0467 fault code family that you should check before an upgrade. This fault alerts that an external EPG defined under a Layer3 Out (L3Out) has a subnet with the **External Subnet for the External EPG** scope configured that overlaps with another L3Out external EPG in the same VRF. After an upgrade, it’s possible that the previous working configuration will break if this faulty policy is deployed first after the switch reloads.
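--- a/tests/access_untagged_check/faultInst_NEG.json
+++ b/tests/access_untagged_check/faultInst_NEG.json
@@ -0,0 +1 @@
+[]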
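--- a/tests/access_untagged_check/faultInst_POS.json
+++ b/tests/access_untagged_check/faultInst_POS.json
@@ -0,0 +1,147 @@
+[
+{
+"faultInst": {
+"attributes": {
+"status": "",
+"domain": "tenant",
+"code": "F0467",
+"occur": "1",
+"subject": "management",
+"severity": "minor",
+"descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 102 Common-VPC-L101-102-To-N3K1-E35 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ",
+"title": "",
+"origSeverity": "minor",
+"childAction": "",
+"cause": "configuration-failed",
+"dn": "topology/pod-1/node-102/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-102/stpathatt-[Common-VPC-L101-102-To-N3K1-E35]/nwissues/fault-F0467",
+"prevSeverity": "minor",
+"highestSeverity": "minor",
+"alert": "no",
+"delegated": "yes",
+"lc": "raised",
+"changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no",
+"created": "2024-04-20T13:53:48.318+02:00",
+"ack": "no",
+"type": "config",
+"rule": "fv-nw-issues-config-failed",
+"lastTransition": "2024-04-20T13:54:10.743+02:00"
+}
+}
+},
+{
+"faultInst": {
+"attributes": {
+"status": "",
+"domain": "tenant",
+"code": "F0467",
+"occur": "1",
+"subject": "management",
+"severity": "minor",
+"descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 103 Common-VPC-103-104-To-SRV73-LACP due to Only One Native or Untagged Encap Allowed on Interface, debug message: ",
+"title": "",
+"origSeverity": "minor",
+"childAction": "",
+"cause": "configuration-failed",
+"dn": "topology/pod-1/node-103/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-103/stpathatt-[Common-VPC-103-104-To-SRV73-LACP]/nwissues/fault-F0467",
+"prevSeverity": "minor",
+"highestSeverity": "minor",
+"alert": "no",
+"delegated": "yes",
+"lc": "raised",
+"changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no",
+"created": "2024-04-20T13:54:15.129+02:00",
+"ack": "no",
+"type": "config",
+"rule": "fv-nw-issues-config-failed",
+"lastTransition": "2024-04-20T13:54:41.861+02:00"
+}
+}
+},
+{
+"faultInst": {
+"attributes": {
+"status": "",
+"domain": "tenant",
+"code": "F0467",
+"occur": "1",
+"subject": "management",
+"severity": "minor",
+"descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-3 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ",
+"title": "",
+"origSeverity": "minor",
+"childAction": "",
+"cause": "configuration-failed",
+"dn": "topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-3]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467",
+"prevSeverity": "minor",
+"highestSeverity": "minor",
+"alert": "no",
+"delegated": "yes",
+"lc": "raised",
+"changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no",
+"created": "2024-04-20T10:57:54.056+02:00",
+"ack": "no",
+"type": "config",
+"rule": "fv-nw-issues-config-failed",
+"lastTransition": "2024-04-20T10:58:23.520+02:00"
+}
+}
+},
+{
+"faultInst": {
+"attributes": {
+"status": "",
+"domain": "tenant",
+"code": "F0467",
+"occur": "1",
+"subject": "management",
+"severity": "minor",
+"descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ",
+"title": "",
+"origSeverity": "minor",
+"childAction": "",
+"cause": "configuration-failed",
+"dn": "topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467",
+"prevSeverity": "minor",
+"highestSeverity": "minor",
+"alert": "no",
+"delegated": "yes",
+"lc": "raised",
+"changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no",
+"created": "2024-04-20T10:03:48.493+02:00",
+"ack": "no",
+"type": "config",
+"rule": "fv-nw-issues-config-failed",
+"lastTransition": "2024-04-20T10:03:53.045+02:00"
+}
+}
+},
+{
+"faultInst": {
+"attributes": {
+"status": "",
+"domain": "tenant",
+"code": "F0467",
+"occur": "1",
+"subject": "management",
+"severity": "minor",
+"descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 104 Common-VPC-103-104-To-SRV73-LACP due to Only One Native or Untagged Encap Allowed on Interface, debug message: ",
+"title": "",
+"origSeverity": "minor",
+"childAction": "",
+"cause": "configuration-failed",
+"dn": "topology/pod-1/node-104/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-104/stpathatt-[Common-VPC-103-104-To-SRV73-LACP]/nwissues/fault-F0467",
+"prevSeverity": "minor",
+"highestSeverity": "minor",
+"alert": "no",
+"delegated": "yes",
+"lc": "raised",
+"changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no",
+"created": "2024-04-20T13:54:05.767+02:00",
+"ack": "no",
+"type": "config",
+"rule": "fv-nw-issues-config-failed",
+"lastTransition": "2024-04-20T13:54:13.497+02:00"
+}
+}
+}
+]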
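--- a/tests/access_untagged_check/test_access_untagged_check.py
+++ b/tests/access_untagged_check/test_access_untagged_check.py
@@ -0,0 +1,32 @@
+import os
+import pytest
+import logging
+import importlib
+from helpers.utils import read_data
+
+script = importlib.import_module("aci-preupgrade-validation-script")
+
+log = logging.getLogger(__name__)
+dir = os.path.dirname(os.path.abspath(__file__))
+
+
+# icurl queries
+faultInsts = 'faultInst.json?&query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")'
+
+
+@pytest.mark.parametrize(
+"icurl_outputs, expected_result",
+[
+(
+{faultInsts: read_data(dir, "faultInst_POS.json")},
+script.FAIL_O,
+),
+(
+{faultInsts: read_data(dir, "faultInst_NEG.json")},
+script.PASS,
+)
+],
+)
+def test_logic(mock_icurl,expected_result):
+result = script.access_untagged_check(1, 1)
+assert result == expected_result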
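Review bot: The two parametrized cases cover only faults whose dn matches the regex and the empty list, so the `else` branch of access_untagged_check that fills `unformatted_data` is never executed by this test. Add a third case backed by a fixture whose dn has a different shape (for example a constructed `faultInst_POS_unformatted.json`) and expect `script.FAIL_O`, so the fallback reporting path is exercised. As a style point, the module-level `dir = os.path.dirname(...)` shadows the builtin; a name such as `data_dir` avoids that, and `log` appears unused in the visible lines.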
