added validation for CFD CSCwp64296 (#307)

Added rogue ep/coop exception mac check for the CFD CSCwp64296

Author: psureshb

aci-preupgrade-validation-script.py

@@ -6087,6 +6087,61 @@ def auto_firmware_update_on_switch_check(cversion, tversion, **kwargs):
 
     return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
 
+
+@check_wrapper(check_title='Rogue EP Exception List missing on switches')
+def rogue_ep_coop_exception_mac_check(cversion, tversion, **kwargs):
+    result = PASS
+    headers = ["Rogue Exception MACs Count", "presListener Count"]
+    data = []
+    recommended_action = 'Delete the exception lists and create again before upgrading switches. Or contact Cisco TAC to restore the missing presListener objects.'
+    recommended_action_pre_apic_upg = 'Change the target version to a fixed version of CSCwp64296.'
+    doc_url = 'https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#rogue-ep-exception-list-missing-on-switches'
+
+    exception_mac_api = 'fvRogueExceptionMac.json?rsp-subtree-include=count'
+    presListener_api = 'presListener.json?query-target-filter=and(eq(presListener.lstDn,"exceptcont"))&rsp-subtree-include=count'
+
+    # Version ranges
+    # (unless the patch alphabet is explicitly stated, it means the first version of the train)
+    # affected source: 5.2(3) <= version < 6.0(3)
+    # affected target: (6.0(3) <= version < 6.0(9e)) or (6.1(1) <= tversion < 6.1(4))
+
+    def is_affected_source(ver):
+        return ver.newer_than("5.2(3a)") and ver.older_than("6.0(3a)")
+
+    def is_affected_target(ver):
+        in_60 = ver.newer_than("6.0(3a)") and ver.older_than("6.0(9e)")
+        in_61 = ver.newer_than("6.1(1a)") and ver.older_than("6.1(4h)")
+        return in_60 or in_61
+
+    pre_apic_upg = is_affected_source(cversion) and is_affected_target(tversion)  # Before APIC upgrade
+    post_apic_upg = is_affected_target(cversion) and is_affected_target(tversion) and cversion.same_as(tversion)  # After APIC upgrade (and before switch)
+
+    if not (pre_apic_upg or post_apic_upg):
+        return Result(result=NA, msg=VER_NOT_AFFECTED, doc_url=doc_url)
+
+    exception_macs = icurl('class', exception_mac_api)
+    exception_macs_count = int(exception_macs[0]['moCount']['attributes']['count'])
+    # Affected versions but no exception MACs. Not susceptible to the issue.
+    if exception_macs_count == 0:
+        return Result(result=PASS, doc_url=doc_url)
+
+    # The issue in presListener has yet to happen before APIC upgrade. You can still avoid hitting the issue itself.
+    if pre_apic_upg:
+        recommended_action = recommended_action_pre_apic_upg
+        data.append([exception_macs_count, "N/A"])
+        return Result(result=FAIL_O, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+    # Check presListener entries on APIC after APIC upgrade.
+    presListener_response = icurl('class', presListener_api)
+    presListener_count = int(presListener_response[0]['moCount']['attributes']['count'])
+    if presListener_count >= 0 and presListener_count < 32:
+        log.info("Insufficient presListener entries ({} found) for {} exception MACs.".format(presListener_count, exception_macs_count))
+        result = FAIL_O
+        data.append([exception_macs_count, "only {} found out of 32".format(presListener_count)])
+
+    return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+
 # ---- Script Execution ----
 
 
@@ -6251,7 +6306,7 @@ class CheckManager:
         isis_database_byte_check,
         configpush_shard_check,
         auto_firmware_update_on_switch_check,
-
+        rogue_ep_coop_exception_mac_check,
     ]
     ssh_checks = [
         # General

docs/docs/validations.md

@@ -194,6 +194,7 @@ Items                                           | Defect       | This Script
 [ISIS DTEPs Byte Size][d27]                     | CSCwp15375   | :white_check_mark: | :no_entry_sign:
 [Policydist configpushShardCont Crash][d28]     | CSCwp95515   | :white_check_mark: | :no_entry_sign:
 [Auto Firmware Update on Switch Discovery][d29] | CSCwe83941   | :white_check_mark: | :no_entry_sign:
+[Rogue EP Exception List missing on switches][d30] | CSCwp64296   | :white_check_mark: | :no_entry_sign:
 
 [d1]: #ep-announce-compatibility
 [d2]: #eventmgr-db-size-defect-susceptibility
@@ -224,6 +225,8 @@ Items                                           | Defect       | This Script
 [d27]: #isis-dteps-byte-size
 [d28]: #policydist-configpushshardcont-crash
 [d29]: #auto-firmware-update-on-switch-discovery
+[d30]: #rogue-ep-exception-list-missing-on-switches
+
 
 ## General Check Details
 
@@ -2648,6 +2651,7 @@ Due to [CSCwp95515][59], upgrading to an affected version while having any `conf
 
 If any instances of `configpushShardCont` are flagged by this script, Cisco TAC must be contacted to identify and resolve the underlying issue before performing the upgrade.
 
+
 ### Auto Firmware Update on Switch Discovery
 
 [Auto Firmware Update on Switch Discovery][63] automatically upgrades a new switch to the target firmware version before registering it to the ACI fabric. This feature activates in three scenarios:
@@ -2668,6 +2672,17 @@ To avoid this risk, consider disabling Auto Firmware Update before upgrading to
     This issue occurs because older switch firmware versions are not compatible with switch images 6.0(3) or newer. The APIC version is not a factor.
 
 
+### Rogue EP Exception List missing on switches
+
+The Rogue/COOP Exception List feature, introduced in 5.2(3), allows exclusion of specific MAC addresses from Rogue Endpoint Control and COOP Dampening. Initially, each MAC address had to be configured individually in each bridge domain. In 6.0(3), this feature was enhanced to support fabric-wide exception lists with wildcard options per bridge domain and the ability to exclude MAC addresses in L3Outs.
+
+However, due to [CSCwp64296][64], when upgrading spine switches to version 6.0(3)+ from an older version with Rogue/COOP Exception Lists configured, some exception lists may not be pushed to the spine switches. As a result, the feature may stop functioning after the upgrade. 
+
+The root cause is that internal objects called `presListener` for Rogue/COOP Exception List, which publish the configuration from APICs to switches, may be missing on the APICs after an upgrade.
+
+Recommended action: Delete the affected exception list and create it again. If needed, contact Cisco TAC to help recover missing `presListener` objects on APICs.
+
+
 [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
 [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
 [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
@@ -2731,4 +2746,5 @@ To avoid this risk, consider disabling Auto Firmware Update before upgrading to
 [60]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Inter
 [61]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#EnablePolicyCompression
 [62]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe83941
-[63]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-auto-firmware-update.html
+[63]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-auto-firmware-update.html
+[64]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp64296

tests/checks/rogue_ep_coop_exception_mac_check/no_rogue_mac_response.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+                "childAction": "",
+                "count": "0",
+                "dn": "",
+                "status": ""
+            }
+        }
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/presListener_exceptcont.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+            "childAction": "",
+            "count": "32",
+            "dn": "",
+            "status": ""
+            }
+        }
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/presListener_exceptcont_31_missing.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+            "childAction": "",
+            "count": "1",
+            "dn": "",
+            "status": ""
+            }
+        }   
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/presListener_exceptcont_32_missing.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+            "childAction": "",
+            "count": "0",
+            "dn": "",
+            "status": ""
+            }
+        }
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/presListener_exceptcont_many_missing.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+            "childAction": "",
+            "count": "27",
+            "dn": "",
+            "status": ""
+            }
+        }
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/presListener_exceptcont_one_missing.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+            "childAction": "",
+            "count": "31",
+            "dn": "",
+            "status": ""
+            }
+        }
+    }
+]

tests/checks/rogue_ep_coop_exception_mac_check/rogue_mac_response.json

@@ -0,0 +1,12 @@
+[
+    {
+        "moCount": {
+            "attributes": {
+                "childAction": "",
+                "count": "5",
+                "dn": "",
+                "status": ""
+            }
+        }
+    }
+]