added validation for CFD CSCwp64296

aci-preupgrade-validation-script.py

@@ -6008,6 +6008,48 @@ def apic_vmm_inventory_sync_faults_check(**kwargs):
         doc_url=doc_url)
 
 
+@check_wrapper(check_title='Rogue EP/COOP Exception MACs missing')
+def rogue_ep_coop_exception_mac_check(cversion, tversion, **kwargs):
+    result = PASS
+    headers = ["Rogue Exception MACs Count", "presListener Count"]
+    data = []
+    recommended_action = 'Remove the affected EP exception configurations and re-add them'
+    doc_url = 'https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#rogue-epcoop-exception-macs-missing'
+
+    # Target version check
+    if not tversion:
+        prints("Target version not provided, skipping check.")
+        return Result(result=MANUAL, msg=TVER_MISSING)
+
+    # Affected source version is in range [5.2(3):6.0(3)] . Fixed on 6.0(9e)+ and 6.1(4)+.
+    # if cversion.newer_than("3.1(2v)") and tversion.older_than("6.1(3g)"):
+    if (
+    (cversion.same_as("5.2(3e)") or cversion.newer_than("5.2(3e)")) and
+    (cversion.same_as("6.0(3g)") or cversion.older_than("6.0(3g)")) and
+    (
+        tversion.older_than("6.0(9e)") or
+        ((tversion.same_as("6.1(1f)") or tversion.newer_than("6.1(1f)")) and tversion.older_than("6.1(4h)"))
+    )
+    ):
+        # endpoint to fetch the rogue exception MACs
+        exception_mac_api = 'fvRogueExceptionMac.json?query-target-filter=and(wcard(fvRogueExceptionMac.dn,"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"))'
+
+        # endpoint to fetch the presListener entries
+        presListener_api = 'presListener.json?query-target-filter=and(wcard(presListener.dn,"exceptcont"))'
+
+        exception_macs = icurl('class', exception_mac_api)
+
+        if exception_macs:
+            prints("Found {} exception MACs, checking presListener entries...".format(len(exception_macs)))
+            presListener_response = icurl('class', presListener_api)
+            if len(presListener_response) >= 0 and len(presListener_response) < 32:
+                prints("Insufficient presListener entries ({} found) for {} exception MACs.".format(len(presListener_response), len(exception_macs)))
+                result = FAIL_O
+                data.append([len(exception_macs), len(presListener_response)])
+
+    return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)
+
+
 @check_wrapper(check_title='APIC downgrade compatibility when crossing 6.2 release')
 def apic_downgrade_compat_warning_check(cversion, tversion, **kwargs):
     result = NA
@@ -6188,6 +6230,7 @@ class CheckManager:
         standby_sup_sync_check,
         isis_database_byte_check,
         configpush_shard_check,
+        rogue_ep_coop_exception_mac_check,
 
     ]
     ssh_checks = [

docs/docs/validations.md

@@ -192,7 +192,8 @@ Items                                           | Defect       | This Script
 [Observer Database Size][d25]                   | CSCvw45531   | :white_check_mark: | :no_entry_sign:
 [Stale pconsRA Object][d26]                     | CSCwp22212   | :warning:{title="Deprecated"} | :no_entry_sign:
 [ISIS DTEPs Byte Size][d27]                     | CSCwp15375   | :white_check_mark: | :no_entry_sign:
-[Policydist configpushShardCont Crash][d28]     | CSCwp95515   | :white_check_mark: | 
+[Policydist configpushShardCont Crash][d28]     | CSCwp95515   | :white_check_mark: |
+[Rogue EP/COOP Exception MACs missing][d29]     | CSCwp64296   | :white_check_mark: | :no_entry_sign:
 
 [d1]: #ep-announce-compatibility
 [d2]: #eventmgr-db-size-defect-susceptibility
@@ -222,6 +223,7 @@ Items                                           | Defect       | This Script
 [d26]: #stale-pconsra-object
 [d27]: #isis-dteps-byte-size
 [d28]: #policydist-configpushshardcont-crash
+[d29]: #rogue-epcoop-exception-macs-missing
 
 
 ## General Check Details
@@ -2648,6 +2650,15 @@ Due to [CSCwp95515][59], upgrading to an affected version while having any `conf
 If any instances of `configpushShardCont` are flagged by this script, Cisco TAC must be contacted to identify and resolve the underlying issue before performing the upgrade.
 
 
+### Rogue EP/COOP Exception MACs missing
+
+Due to the defect [CSCwp64296][62], rogue endpoint (EP) and COOP exception MAC address configurations may be lost after a stateless reload of spine switches in an ACI fabric. The `presListener` MO, which holds the exception list configuration for the tenant shard, is missing or incomplete on the APIC side. This leads to spine switches not receiving the `rogueBDDef` configuration after reload.
+
+This script checks if the APIC version is in the affected range, whether rogue MACs are configured in the exception list, and if `presListener` MOs are missing. If all conditions are met, the check will flag the fabric as susceptible to CSCwp64296.
+
+As a workaround, remove the affected EP exception configurations and re-add them. To permanently resolve the issue, contact Cisco TAC to create the missing `presListener` MOs.
+
+
 [0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
 [1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
 [2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
@@ -2710,3 +2721,4 @@ If any instances of `configpushShardCont` are flagged by this script, Cisco TAC
 [59]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp95515
 [60]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Inter
 [61]: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#EnablePolicyCompression
+[62]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp64296

tests/checks/rogue_ep_coop_exception_mac_check/no_rogue_mac_response.json

@@ -0,0 +1 @@
+[]