Added validation for CSCwd40071

aci-preupgrade-validation-script.py

@@ -6026,6 +6026,35 @@ def apic_downgrade_compat_warning_check(cversion, tversion, **kwargs):
     return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
 
 
+@check_wrapper(check_title="Inband Management Policy Misconfiguration")
+def inband_management_policy_misconfig_check(cversion, tversion, **kwargs):
+
+    result = PASS
+    headers = ["Node_ID", "Address", "Gateway"]
+    data = []
+    recommended_action = " Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects"
+    doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration"
+
+    if not tversion:
+        return Result(result=MANUAL, msg=TVER_MISSING)
+    if cversion.older_than("6.0(4c)") and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")):
+        mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))')
+        for mgmtRsInBStNode in mgmtRsInBStNodes:
+            attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"]
+            addr = attrs['addr']
+            gw = attrs['gw']
+            node_match = re.search(node_regex, attrs['dn'])
+            node_id = node_match.group("node")
+            data.append([node_id, addr, gw])
+    else:
+        return Result(result=NA, msg=VER_NOT_AFFECTED)
+
+    if data:
+        result = FAIL_O
+
+    return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+
 # ---- Script Execution ----
 
 
@@ -6188,6 +6217,7 @@ class CheckManager:
         standby_sup_sync_check,
         isis_database_byte_check,
         configpush_shard_check,
+        inband_management_policy_misconfig_check,
 
     ]
     ssh_checks = [

docs/docs/validations.md

@@ -193,6 +193,7 @@ Items                                           | Defect       | This Script
 [Stale pconsRA Object][d26]                     | CSCwp22212   | :warning:{title="Deprecated"} | :no_entry_sign:
 [ISIS DTEPs Byte Size][d27]                     | CSCwp15375   | :white_check_mark: | :no_entry_sign:
 [Policydist configpushShardCont Crash][d28]     | CSCwp95515   | :white_check_mark: | 
+[Inband Management Policy Misconfiguration][d29]| CSCwd40071   | :white_check_mark: | :no_entry_sign:
 
 [d1]: #ep-announce-compatibility
 [d2]: #eventmgr-db-size-defect-susceptibility
@@ -222,6 +223,7 @@ Items                                           | Defect       | This Script
 [d26]: #stale-pconsra-object
 [d27]: #isis-dteps-byte-size
 [d28]: #policydist-configpushshardcont-crash
+[d29]: #inband-management-policy-misconfiguration
 
 
 ## General Check Details
@@ -2648,6 +2650,26 @@ Due to [CSCwp95515][59], upgrading to an affected version while having any `conf
 If any instances of `configpushShardCont` are flagged by this script, Cisco TAC must be contacted to identify and resolve the underlying issue before performing the upgrade.
 
 
+### Inband Management Policy Misconfiguration
+
+RCA:
+
+Due to the defect [CSCwh80837][62], starting from version 6.0(4c), an implicit deletion of `fvRsCustQosPol` was introduced under InBand EPG as QoS configuration is not applicable to management inband EPG and it was raising an invalid fault under it. This implicit deletion triggers a re-processing and pushes updates to `fvInBEpP` (Inband Endpoint Profile) on leaf nodes where the inband management policy is deployed.
+
+Impact:
+
+When upgrading from versions prior to 6.0(4c) to versions 6.0(4c) or later, if there is a misconfiguration in the inband management policies (`mgmtRsInBStNode`) with invalid values, the re-processing triggered by [CSCwh80837][62] will expose the underlying [CSCwd40071][63] defect. This results in continuous policyelem core dumps and switch reboot when attempting to add any access policies configuration to a leaf switch (such as VLANs tied to leaf profiles via physical domain, AAEP, interface policy group, or port selector).
+
+The invalid configuration occurs when `mgmtRsInBStNode` has "0.0.0.0" values (with no mask) for either the "addr" or "gw" fields.
+
+Suggestion:
+
+This check identifies misconfigured `mgmtRsInBStNode` objects where either "addr" or "gw" attributes are set to "0.0.0.0" when the upgrade crosses the 6.0(4c) release boundary. Contact Cisco TAC to remove any identified misconfigured objects before performing the upgrade to prevent policyelem crashes.
+
+!!! note
+    The [CSCwd40071][63] defect affects versions 5.2(5c) and later, with a fix available in 6.0(1g). However, the issue will only be triggered during upgrades crossing 6.0(4c) due to [CSCwh80837][62].
+
+
 [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
 [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
 [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
@@ -2710,3 +2732,5 @@ If any instances of `configpushShardCont` are flagged by this script, Cisco TAC
 [59]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp95515
 [60]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Inter
 [61]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#EnablePolicyCompression
+[62]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh80837
+[63]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd40071

tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json

@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "0.0.0.0",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "0.0.0.0",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]

tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json

@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "0.0.0.0",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "191.1.1.1",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]

tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json

@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "191.1.1.153/24",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "0.0.0.0",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]

tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py

@@ -0,0 +1,119 @@
+import os
+import pytest
+import logging
+import importlib
+from helpers.utils import read_data
+
+script = importlib.import_module("aci-preupgrade-validation-script")
+
+log = logging.getLogger(__name__)
+dir = os.path.dirname(os.path.abspath(__file__))
+
+test_function = "inband_management_policy_misconfig_check"
+
+# icurl query
+mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.addr,"0.0.0.0/0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))'
+
+
+@pytest.mark.parametrize(
+    "icurl_outputs, cversion, tversion, expected_result",
+    [
+        # Target version missing
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(5c)",
+            None,
+            script.MANUAL,
+        ),
+        # Current version < 6.0(4c), target version = 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: [],
+            },
+            "6.0(3g)",
+            "6.0(4c)",
+            script.PASS,
+        ),
+        # Current version < 6.0(4c), target version > 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: [],
+            },
+            "6.0(3e)",
+            "6.0(8f)",
+            script.PASS,
+        ),
+        # Current version > 6.0(4c), target version >= 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "6.0(4c)",
+            "6.0(5h)",
+            script.NA,
+        ),
+
+        # Current version > 6.0(4c), target version >= 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "6.0(5h)",
+            "6.0(5j)",
+            script.NA,
+        ),
+        # Current version > 6.0(4c), target version >= 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "6.0(5j)",
+            "6.0(6c)",
+            script.NA,
+        ),
+        # Current version < 6.0(4c), target version < 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "6.0(3g)",
+            "6.0(3f)",
+            script.NA,
+        ),
+        # Current version < 6.0(4c), target version >= 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "6.0(3g)",
+            "6.0(4c)",
+            script.FAIL_O,
+        ),
+        # Current version < 6.0(4c), target version >= 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "5.3(2c)",
+            "6.1(4h)",
+            script.FAIL_O,
+        ),
+        # Current version < 6.0(4c), target version >= 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(8h)",
+            "6.1(3f)",
+            script.FAIL_O,
+        ),
+    ],
+)
+def test_logic(run_check, mock_icurl, cversion, tversion, expected_result):
+    result = run_check(
+        cversion = script.AciVersion(cversion),
+        tversion = script.AciVersion(tversion) if tversion else None,
+    )
+    assert result.result == expected_result