Added validation for CSCwd40071 (#332)

sanjanch · web-flow · commit 217dbcbe5060 · 2026-05-08T11:16:36.000-04:00
* Added validation for CSCwd40071

* Addressed the comments

* Added cversion for the check

* Removed empty spaces

* logic change. removed 0.0.0.0/0 and made pytest changes

* logic modified and validation.md file updated
diff --git a/aci-preupgrade-validation-script.py b/aci-preupgrade-validation-script.py
@@ -6293,6 +6293,30 @@ def multipod_modular_spine_bootscript_check(tversion, fabric_nodes, username, pa
     return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
 
 
+@check_wrapper(check_title="Inband Management Policy Misconfiguration")
+def inband_management_policy_misconfig_check(cversion, tversion, **kwargs):
+    result = PASS
+    headers = ["Node_ID", "Address", "Gateway"]
+    data = []
+    recommended_action = "Contact Cisco TAC to remove any identified misconfigured 'mgmtRsInBStNode' objects"
+    doc_url = "https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#inband-management-policy-misconfiguration"
+    
+    if (cversion.older_than("5.2(8d)")) and (tversion.newer_than("6.0(4c)") or tversion.same_as("6.0(4c)")):
+        mgmtRsInBStNodes = icurl('class', 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))')
+        for mgmtRsInBStNode in mgmtRsInBStNodes:
+            attrs = mgmtRsInBStNode["mgmtRsInBStNode"]["attributes"]
+            addr = attrs['addr']
+            gw = attrs['gw']
+            node_match = re.search(node_regex, attrs['dn'])
+            node_id = node_match.group("node")
+            data.append([node_id, addr, gw])
+    else:
+        return Result(result=NA, msg=VER_NOT_AFFECTED)
+    if data:
+        result = FAIL_O
+    return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+    
+    
 # ---- Script Execution ----
 
 
@@ -6462,6 +6486,7 @@ class CheckManager:
         auto_firmware_update_on_switch_check,
         rogue_ep_coop_exception_mac_check,
         n9k_c9408_model_lem_count_check,
+        inband_management_policy_misconfig_check,
     ]
     ssh_checks = [
         # General
diff --git a/docs/docs/validations.md b/docs/docs/validations.md
@@ -198,6 +198,7 @@ Items                                           | Defect       | This Script
 [Rogue EP Exception List missing on switches][d30] | CSCwp64296   | :white_check_mark: | :no_entry_sign:
 [N9K-C9408 with more than 5 N9K-X9400-16W LEMs][d31] | CSCws82819   | :white_check_mark: | :no_entry_sign:
 [Multi-Pod Modular Spine Bootscript File][d32]  | CSCwr66848   | :white_check_mark: | :no_entry_sign:
+[Inband Management Policy Misconfiguration][d33]| CSCwd40071   | :white_check_mark: | :no_entry_sign:
 
 [d1]: #ep-announce-compatibility
 [d2]: #eventmgr-db-size-defect-susceptibility
@@ -231,6 +232,7 @@ Items                                           | Defect       | This Script
 [d30]: #rogue-ep-exception-list-missing-on-switches
 [d31]: #n9k-c9408-with-more-than-5-n9k-x9400-16w-lems
 [d32]: #multi-pod-modular-spine-bootscript-file
+[d33]: #inband-management-policy-misconfiguration
 
 ## General Check Details
 
@@ -2753,6 +2755,21 @@ This issue happens only when the target version is specifically 6.1(4h).
 To avoid this issue, change the target version to another version. Or verify that the `bootscript` file exists in the bootflash of each modular spine switch prior to upgrading to 6.1(4h). If the file is missing, you have to do clean reboot on the impacted spine to ensure that `/bootflash/bootscript` gets created again. In case you already upgraded your spine and you are experiencing the traffic impact due to this issue, clean reboot of the spine will restore the traffic.
 
 
+### Inband Management Policy Misconfiguration
+
+Due to the defect [CSCwh80837][67], starting from version 6.0(4c), mgmtRsInBStNode policy get modified in leaf/spine during Apic upgrade.
+
+Impact:
+
+When upgrading Apic from versions prior to 6.0(4c) to versions 6.0(4c) or later, if there is a misconfiguration in the inband management policies (mgmtRsInBStNode) with invalid values, the re-processing triggered by [CSCwh80837][67] will expose the underlying [CSCwd40071][68] defect. This results in continuous policyelem core dumps and switch reboot if Switch are running impacted version of [CSCwd40071][68].
+
+The invalid configuration occurs when mgmtRsInBStNode has "0.0.0.0" values ( with or without mask) for either the "addr" or "gw" fields.
+
+Suggestion:
+
+Contact Cisco TAC to remove any identified misconfigured objects before performing the upgrade to prevent policyelem crashes.
+The [CSCwd40071][68] defect affects versions 5.2(5c) and later with a fix available in 6.0(1g). However, the issue will only be triggered during Apic upgrades crossing 6.0(4c) due to [CSCwh80837][67].
+
 [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
 [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
 [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
@@ -2820,3 +2837,5 @@ To avoid this issue, change the target version to another version. Or verify tha
 [64]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp64296
 [65]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws82819
 [66]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr66848
+[67]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh80837
+[68]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd40071
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_addr_and_gw_config.json
@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "0.0.0.0",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "0.0.0.0",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_address_config.json
@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "0.0.0.0",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "191.1.1.1",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_invalid_gateway_config.json
@@ -0,0 +1,18 @@
+[
+    {
+        "mgmtRsInBStNode": {
+            "attributes": {
+                "tDn": "topology/pod-1/node-103",
+                "addr": "191.1.1.153/24",
+                "configurationMode": "static",
+                "dn": "uni/tn-mgmt/mgmtp-default/inb-inb/rsinBStNode-[topology/pod-1/node-103]",
+                "gw": "0.0.0.0",
+                "modTs": "2024-12-20T07:45:21.454+00:00",
+                "rType": "mo",
+                "rn": "rsinBStNode-[topology/pod-1/node-103]",
+                "stateQual": "none",
+                "tType": "mo"
+            }
+        }
+    }
+]
diff --git a/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json b/tests/checks/inband_management_policy_misconfig_check/mgmtRsInBStNode_valid_config.json
@@ -0,0 +1 @@
+[]
diff --git a/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py b/tests/checks/inband_management_policy_misconfig_check/test_inband_management_policy_misconfig_check.py
@@ -0,0 +1,163 @@
+import os
+import pytest
+import logging
+import importlib
+from helpers.utils import read_data
+
+script = importlib.import_module("aci-preupgrade-validation-script")
+log = logging.getLogger(__name__)
+dir = os.path.dirname(os.path.abspath(__file__))
+test_function = "inband_management_policy_misconfig_check"
+mgmtRsInBStNode = 'mgmtRsInBStNode.json?query-target-filter=or(eq(mgmtRsInBStNode.addr,"0.0.0.0"),eq(mgmtRsInBStNode.gw,"0.0.0.0"))'
+
+@pytest.mark.parametrize(
+    "icurl_outputs, cversion, tversion, expected_result, expected_data",
+    [
+        # Current version is affected, Target version = 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json")
+            },
+            "5.2(7g)",
+            "6.0(4c)",
+            script.PASS,
+            []
+        ),
+        # Current version is affected, Target version = 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "191.1.1.1"]
+            ]
+        ),
+        # Current version is affected, Target version = 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "191.1.1.153/24", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected,  Target version = 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(4c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected,  Target version > 6.0(4c), valid data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(8f)",
+            script.PASS,
+            []
+        ),
+        # Current version is affected,  Target version > 6.0(4c), invalid address
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_address_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(5h)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "191.1.1.1"],
+            ]
+        ),
+        # Current version is affected,  Target version > 6.0(4c), invalid gateway
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_gateway_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(5j)",
+            script.FAIL_O,
+            [
+                ["103", "191.1.1.153/24", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected,  Target version > 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(6c)",
+            script.FAIL_O,
+            [
+                ["103", "0.0.0.0", "0.0.0.0"],
+            ]
+        ),
+        # Current version is affected, Target version < 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+        #  Current version is affected, Target version < 6.0(4c), valid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_valid_config.json"),
+            },
+            "5.2(7f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version = 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(4c)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version > 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(6c)",
+            script.NA,
+            []
+        ),
+        # Current version is not affected, Target version < 6.0(4c), invalid both data
+        (
+            {
+                mgmtRsInBStNode: read_data(dir, "mgmtRsInBStNode_invalid_addr_and_gw_config.json"),
+            },
+            "5.3(2f)",
+            "6.0(3g)",
+            script.NA,
+            []
+        ),
+    ],
+)
+def test_logic(run_check, mock_icurl, cversion, tversion, expected_result, expected_data):
+    result = run_check(cversion=script.AciVersion(cversion), tversion=script.AciVersion(tversion))
+    assert result.result == expected_result
+    assert result.data == expected_data
