From 00462bbe67df4b9f84245f30ecedbbfd6e62bc9e Mon Sep 17 00:00:00 2001 From: Ehsan Aminian <44554182+ehaminian@users.noreply.github.com> Date: Tue, 23 Apr 2024 20:15:20 +0100 Subject: [PATCH] New validation to address CSCwj69435 for the afected versions (#96) * address CSCwj69435 for the afected versions * new logic for validation, test and documents added but not completed * new logic for validation, test and documents completed * new logic for validation, test and documents completed - small change * new logic for validation, test and documents completed - small change * Update aci-preupgrade-validation-script.py change doc_url Co-authored-by: takishida <38262981+takishida@users.noreply.github.com> * Update docs/docs/validations.md change white_check_mark to no_entry_sign Co-authored-by: takishida <38262981+takishida@users.noreply.github.com> * Update docs/docs/validations.md match the section title with the name in the summary table. Co-authored-by: takishida <38262981+takishida@users.noreply.github.com> * This codeblock needs indentations with 4 spaces to be inside the example note. * add 'else' to handle a case when the regex is not matching * moving this new validation up to right beneath [L2 Port Config][f8] * fix native-or-untagged-encap-failure and a minor allignment for [f9] * minor fix of the docs --------- Co-authored-by: takishida <38262981+takishida@users.noreply.github.com> --- aci-preupgrade-validation-script.py | 37 +++++ docs/docs/validations.md | 78 ++++++++-- .../access_untagged_check/faultInst_NEG.json | 1 + .../access_untagged_check/faultInst_POS.json | 147 ++++++++++++++++++ .../test_access_untagged_check.py | 32 ++++ 5 files changed, 280 insertions(+), 15 deletions(-) create mode 100644 tests/access_untagged_check/faultInst_NEG.json create mode 100644 tests/access_untagged_check/faultInst_POS.json create mode 100644 tests/access_untagged_check/test_access_untagged_check.py 
diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py index 3a1608e..5ce1304 100644 --- a/aci-preupgrade-validation-script.py +++ b/aci-preupgrade-validation-script.py 
@@ -2775,6 +2775,42 @@ def sup_a_high_memory_check(index, total_checks, tversion, **kwargs): return result +def access_untagged_check(index, total_checks, **kwargs): + title = 'Access (Untagged) Port Config (F0467 native-or-untagged-encap-failure)' + result = FAIL_O + msg = '' + headers = ["Fault", "POD ID","Node ID","Port","Tenant", "Application Profile", "Application EPG", "Recommended Action"] + unformatted_headers = ['Fault', 'Fault Description', 'Recommended Action'] + unformatted_data = [] + data = [] + recommended_action = 'Resolve the conflict by removing this config or other configs using this port in Access(untagged) or native mode.' + doc_url = 'https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations#access-untagged-port-config' + print_title(title, index, total_checks) + + faultInsts = icurl('class','faultInst.json?&query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")') + fault_dn_regex=r"topology/pod-(?P\d+)/node-(?P[^/]+)/[^/]+/[^/]+/uni/epp/fv-\[uni/tn-(?P[^/]+)/ap-(?P[^/]+)/epg-(?P[^/]+)\]/[^/]+/stpathatt-\[(?P.+)\]/nwissues/fault-F0467" + + if faultInsts: + fc = faultInsts[0]['faultInst']['attributes']['code'] + for faultInst in faultInsts: + m = re.search(fault_dn_regex, faultInst['faultInst']['attributes']['dn']) + if m: + podid = m.group('podid') + nodeid = m.group('nodeid') + port = m.group('port') + tenant = m.group('tenant') + app_profile = m.group('app_profile') + epg_name = m.group('epg_name') + data.append([fc,podid, nodeid, port, tenant, app_profile, epg_name, recommended_action]) + else: + unformatted_data.append(fc,faultInst['faultInst']['attributes']['descr'],recommended_action) + + if not data and not unformatted_data: + result = PASS + print_result(title, result, msg, headers, data, unformatted_headers, unformatted_data, recommended_action="", doc_url=doc_url) + return result + + if __name__ == "__main__": prints(' ==== %s%s, Script Version %s ====\n' % (ts, tz, SCRIPT_VERSION)) 
prints('!!!! Check https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script for Latest Release !!!!\n') @@ -2822,6 +2858,7 @@ def sup_a_high_memory_check(index, total_checks, tversion, **kwargs): port_configured_as_l3_check, prefix_already_in_use_check, encap_already_in_use_check, + access_untagged_check, bd_subnet_overlap_check, bd_duplicate_subnet_check, vmm_controller_status_check, diff --git a/docs/docs/validations.md b/docs/docs/validations.md index 47c0281..9f972aa 100644 --- a/docs/docs/validations.md +++ b/docs/docs/validations.md @@ -58,14 +58,15 @@ Items | Faults | This Script [Config On APIC Connected Port][f6] | F0467: port-configured-for-apic | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark: [L3 Port Config][f7] | F0467: port-configured-as-l2 | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: [L2 Port Config][f8] | F0467: port-configured-as-l3 | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: -[L3Out Subnets][f9] | F0467: prefix-entry-already-in-use | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark: -[BD Subnets][f10] | F0469: duplicate-subnets-within-ctx | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: -[BD Subnets][f11] | F1425: subnet-overlap | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: -[VMM Domain Controller Status][f12] | F0130 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark: -[VMM Domain LLDP/CDP Adjacency Status][f13] | F606391 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark: -[Different infra VLAN via LLDP][f14] | F0454: infra-vlan-mismatch | :white_check_mark: | :white_check_mark: 4.2(4) | :white_check_mark: -[HW Programming Failure][f15] | F3544: L3Out Prefixes
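Review bot: The `else` branch of `access_untagged_check` calls `unformatted_data.append(fc,faultInst['faultInst']['attributes']['descr'],recommended_action)` with three positional arguments, but `list.append` takes exactly one. The first fault whose dn does not match `fault_dn_regex` therefore raises TypeError and the check aborts, so this pre-upgrade check returns no result for the fault it should report. Append a single row instead: `unformatted_data.append([fc, faultInst['faultInst']['attributes']['descr'], recommended_action])`. Separately, `fc` is read once from `faultInsts[0]` and reused for every row; reading `faultInst['faultInst']['attributes']['code']` inside the loop would keep each row tied to its own fault, since the query filters on changeSet rather than on code.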
F3545: Contracts | :white_check_mark: | :white_check_mark: 5.1(1) | :white_check_mark: -[Scalability (faults related to Capacity Dashboard)][f16] | TCA faults for eqptcapacityEntity | :white_check_mark: | :no_entry_sign: | :white_check_mark: +[Access (Untagged) Port Config][f9] | F0467: native-or-untagged-encap-failure | :white_check_mark: | :no_entry_sign: | :no_entry_sign: +[L3Out Subnets][f10] | F0467: prefix-entry-already-in-use | :white_check_mark: | :white_check_mark: 6.0(1g) | :white_check_mark: +[BD Subnets][f11] | F0469: duplicate-subnets-within-ctx | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: +[BD Subnets][f12] | F1425: subnet-overlap | :white_check_mark: | :white_check_mark: 5.2(4d) | :white_check_mark: +[VMM Domain Controller Status][f13] | F0130 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark: +[VMM Domain LLDP/CDP Adjacency Status][f14] | F606391 | :white_check_mark: | :white_check_mark: 4.2(1) | :white_check_mark: +[Different infra VLAN via LLDP][f15] | F0454: infra-vlan-mismatch | :white_check_mark: | :white_check_mark: 4.2(4) | :white_check_mark: +[HW Programming Failure][f16] | F3544: L3Out Prefixes
F3545: Contracts | :white_check_mark: | :white_check_mark: 5.1(1) | :white_check_mark: +[Scalability (faults related to Capacity Dashboard)][f17] | TCA faults for eqptcapacityEntity | :white_check_mark: | :no_entry_sign: | :white_check_mark: [f1]: #apic-disk-space-usage [f2]: #standby-apic-disk-space-usage @@ -75,14 +76,17 @@ Items | Faults | This Script [f6]: #config-on-apic-connected-port [f7]: #l2l3-port-config [f8]: #l2l3-port-config -[f9]: #l3out-subnets -[f10]: #bd-subnets +[f9]: #access-untagged-port-config +[f10]: #l3out-subnets [f11]: #bd-subnets -[f12]: #vmm-domain-controller-status -[f13]: #vmm-domain-lldpcdp-adjacency-status -[f14]: #different-infra-vlan-via-lldp -[f15]: #hw-programming-failure -[f16]: #scalability-faults-related-to-capacity-dashboard +[f12]: #bd-subnets +[f13]: #vmm-domain-controller-status +[f14]: #vmm-domain-lldpcdp-adjacency-status +[f15]: #different-infra-vlan-via-lldp +[f16]: #hw-programming-failure +[f17]: #scalability-faults-related-to-capacity-dashboard + + ### Configuration Checks 
@@ -664,6 +668,50 @@ It is critical that you resolve these issues before the upgrade to prevent any i ``` +### Access (Untagged) Port Config +The APIC GUI or REST previously accepted two different access encapsulations on the same port, despite raising a fault with code F0467 and "native-or-untagged-encap-failure" in the changeSet. This configuration, likely resulting from user error, presents a significant risk of outage during switch upgrades or stateless reloads. + +The script verifies these faults to ensure that a port is not configured as part of two access VLANs. You need to resolve the conflict causing this fault before any upgrades to prevent potential outages. Failure to do so may result in the deployment of a new VLAN/EPG on the port after the upgrade, leading to downtime in the environment. + +!!! example "Fault Example (F0467: native-or-untagged-encap-failure)" + ``` + apic1# moquery -c faultInst -x 'query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")' + Total Objects shown: 1 + # fault.Inst + code : F0467 + ack : no + alert : no + annotation : + cause : configuration-failed + changeSet : configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no + childAction : + created : 2024-04-20T10:03:48.493+02:00 + delegated : yes + descr : Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message: + dn : topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467 + domain : tenant + extMngdBy : undefined + highestSeverity : minor + lastTransition : 2024-04-20T10:03:53.045+02:00 + lc : raised + modTs : never + occur : 1 + origSeverity : minor + prevSeverity : minor + rn : fault-F0467 + rule : fv-nw-issues-config-failed + severity : minor + status : + subject : management + title : + type : config + uid : + userdom : all + apic1# + 
``` +Please note that this behavior has recently changed. With the new behavior, rejected through policy distributor validation, two different access encapsulations are no longer allowed on the same port by the APIC. This change has been documented in CSCwj69435. + + ### L3Out Subnets There is another type of the F0467 fault code family that you should check before an upgrade. This fault alerts that an external EPG defined under a Layer3 Out (L3Out) has a subnet with the **External Subnet for the External EPG** scope configured that overlaps with another L3Out external EPG in the same VRF. After an upgrade, it’s possible that the previous working configuration will break if this faulty policy is deployed first after the switch reloads. diff --git a/tests/access_untagged_check/faultInst_NEG.json b/tests/access_untagged_check/faultInst_NEG.json new file mode 100644 index 0000000..0637a08 --- /dev/null +++ b/tests/access_untagged_check/faultInst_NEG.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/tests/access_untagged_check/faultInst_POS.json b/tests/access_untagged_check/faultInst_POS.json new file mode 100644 index 0000000..47009c9 --- /dev/null +++ b/tests/access_untagged_check/faultInst_POS.json 
@@ -0,0 +1,147 @@ +[ + { + "faultInst": { + "attributes": { + "status": "", + "domain": "tenant", + "code": "F0467", + "occur": "1", + "subject": "management", + "severity": "minor", + "descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 102 Common-VPC-L101-102-To-N3K1-E35 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ", + "title": "", + "origSeverity": "minor", + "childAction": "", + "cause": "configuration-failed", + "dn": "topology/pod-1/node-102/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-102/stpathatt-[Common-VPC-L101-102-To-N3K1-E35]/nwissues/fault-F0467", + "prevSeverity": "minor", + "highestSeverity": "minor", + "alert": "no", + "delegated": "yes", + "lc": "raised", + "changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no", + "created": "2024-04-20T13:53:48.318+02:00", + "ack": "no", + "type": "config", + "rule": "fv-nw-issues-config-failed", + "lastTransition": "2024-04-20T13:54:10.743+02:00" + } + } + }, + { + "faultInst": { + "attributes": { + "status": "", + "domain": "tenant", + "code": "F0467", + "occur": "1", + "subject": "management", + "severity": "minor", + "descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 103 Common-VPC-103-104-To-SRV73-LACP due to Only One Native or Untagged Encap Allowed on Interface, debug message: ", + "title": "", + "origSeverity": "minor", + "childAction": "", + "cause": "configuration-failed", + "dn": "topology/pod-1/node-103/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-103/stpathatt-[Common-VPC-103-104-To-SRV73-LACP]/nwissues/fault-F0467", + "prevSeverity": "minor", + "highestSeverity": "minor", + "alert": "no", + "delegated": "yes", + "lc": "raised", + "changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no", + "created": "2024-04-20T13:54:15.129+02:00", + "ack": "no", + "type": "config", + "rule": 
"fv-nw-issues-config-failed", + "lastTransition": "2024-04-20T13:54:41.861+02:00" + } + } + }, + { + "faultInst": { + "attributes": { + "status": "", + "domain": "tenant", + "code": "F0467", + "occur": "1", + "subject": "management", + "severity": "minor", + "descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-3 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ", + "title": "", + "origSeverity": "minor", + "childAction": "", + "cause": "configuration-failed", + "dn": "topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-3]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467", + "prevSeverity": "minor", + "highestSeverity": "minor", + "alert": "no", + "delegated": "yes", + "lc": "raised", + "changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no", + "created": "2024-04-20T10:57:54.056+02:00", + "ack": "no", + "type": "config", + "rule": "fv-nw-issues-config-failed", + "lastTransition": "2024-04-20T10:58:23.520+02:00" + } + } + }, + { + "faultInst": { + "attributes": { + "status": "", + "domain": "tenant", + "code": "F0467", + "occur": "1", + "subject": "management", + "severity": "minor", + "descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 101 eth1/28 due to Only One Native or Untagged Encap Allowed on Interface, debug message: ", + "title": "", + "origSeverity": "minor", + "childAction": "", + "cause": "configuration-failed", + "dn": "topology/pod-1/node-101/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-101/stpathatt-[eth1/28]/nwissues/fault-F0467", + "prevSeverity": "minor", + "highestSeverity": "minor", + "alert": "no", + "delegated": "yes", + "lc": "raised", + "changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no", + "created": "2024-04-20T10:03:48.493+02:00", + "ack": "no", + "type": "config", + "rule": 
"fv-nw-issues-config-failed", + "lastTransition": "2024-04-20T10:03:53.045+02:00" + } + } + }, + { + "faultInst": { + "attributes": { + "status": "", + "domain": "tenant", + "code": "F0467", + "occur": "1", + "subject": "management", + "severity": "minor", + "descr": "Configuration failed for uni/tn-EEA-1/ap-APP1/epg-EPG-2 node 104 Common-VPC-103-104-To-SRV73-LACP due to Only One Native or Untagged Encap Allowed on Interface, debug message: ", + "title": "", + "origSeverity": "minor", + "childAction": "", + "cause": "configuration-failed", + "dn": "topology/pod-1/node-104/local/svc-policyelem-id-0/uni/epp/fv-[uni/tn-EEA-1/ap-APP1/epg-EPG-2]/node-104/stpathatt-[Common-VPC-103-104-To-SRV73-LACP]/nwissues/fault-F0467", + "prevSeverity": "minor", + "highestSeverity": "minor", + "alert": "no", + "delegated": "yes", + "lc": "raised", + "changeSet": "configQual:native-or-untagged-encap-failure, configSt:failed-to-apply, temporaryError:no", + "created": "2024-04-20T13:54:05.767+02:00", + "ack": "no", + "type": "config", + "rule": "fv-nw-issues-config-failed", + "lastTransition": "2024-04-20T13:54:13.497+02:00" + } + } + } +] diff --git a/tests/access_untagged_check/test_access_untagged_check.py b/tests/access_untagged_check/test_access_untagged_check.py new file mode 100644 index 0000000..21851c7 --- /dev/null +++ b/tests/access_untagged_check/test_access_untagged_check.py 
@@ -0,0 +1,32 @@ +import os +import pytest +import logging +import importlib +from helpers.utils import read_data + +script = importlib.import_module("aci-preupgrade-validation-script") + +log = logging.getLogger(__name__) +dir = os.path.dirname(os.path.abspath(__file__)) + + +# icurl queries +faultInsts = 'faultInst.json?&query-target-filter=wcard(faultInst.changeSet,"native-or-untagged-encap-failure")' + + +@pytest.mark.parametrize( + "icurl_outputs, expected_result", + [ + ( + {faultInsts: read_data(dir, "faultInst_POS.json")}, + script.FAIL_O, + ), + ( + {faultInsts: read_data(dir, "faultInst_NEG.json")}, + script.PASS, + ) + ], +) +def test_logic(mock_icurl,expected_result): + result = script.access_untagged_check(1, 1) + assert result == expected_result
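Review bot: Neither parametrized case in `test_logic` supplies a fault whose dn fails the regex in `access_untagged_check`, so the fallback that fills `unformatted_data` is never run by this test. Every dn in faultInst_POS.json has the same `.../stpathatt-[...]/nwissues/fault-F0467` shape, and faultInst_NEG.json is an empty list. A third fixture holding one fault with a differently shaped dn, expected to return `script.FAIL_O`, would cover that branch. As a smaller style point, the module-level name `dir` shadows the builtin; unless the other test modules rely on that name, `data_dir = os.path.dirname(os.path.abspath(__file__))` reads more safely.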