Skip to content

Commit

Permalink
merge master
Browse files Browse the repository at this point in the history
  • Loading branch information
monrog2 committed Aug 12, 2024
2 parents e84f922 + 402501c commit 40c47e8
Show file tree
Hide file tree
Showing 19 changed files with 932 additions and 7 deletions.
278 changes: 274 additions & 4 deletions aci-preupgrade-validation-script.py

Large diffs are not rendered by default.

84 changes: 81 additions & 3 deletions docs/docs/validations.md
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,7 @@ Items | Faults | This Script
[OoB Mgmt Security][c13] | :white_check_mark: | :no_entry_sign: | :no_entry_sign:
[EECDH SSL Cipher Disabled][c14] | :white_check_mark: | :no_entry_sign: | :no_entry_sign:
[BD and EPG Subnet must have matching scopes][c15] | :white_check_mark: | :no_entry_sign: | :no_entry_sign:
[Unsupported FEC Configuration for N9K-C93180YC-EX][c16] | :white_check_mark: | :no_entry_sign: | :no_entry_sign:


[c1]: #vpc-paired-leaf-switches
Expand All @@ -134,6 +135,7 @@ Items | Faults | This Script
[c13]: #oob-mgmt-security
[c14]: #eecdh-ssl-cipher
[c15]: #bd-and-epg-subnet-must-have-matching-scopes
[c16]: #unsupported-fec-configuration-for-n9k-c93180yc-ex


### Defect Condition Checks
Expand All @@ -155,6 +157,8 @@ Items | Defect | This Script
[N9K-C93108TC-FX3P/FX3H Interface Down][d13] | CSCwh81430 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[Invalid FEX fabricPathEp DN References][d14] | CSCwh68103 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[LLDP Custom Interface Description][d15] | CSCwf00416 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[Route-map Community Match][d16] | CSCwb08081 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[L3out /32 overlap with BD Subnet][d17] | CSCwb91766 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:


[d1]: #ep-announce-compatibility
Expand All @@ -172,6 +176,8 @@ Items | Defect | This Script
[d13]: #n9k-c93108tc-fx3pfx3h-interface-down
[d14]: #invalid-fex-fabricpathep-dn-references
[d15]: #lldp-custom-interface-description
[d16]: #route-map-community-match
[d17]: #l3out-32-overlap-with-bd-subnet


## General Check Details
Expand Down Expand Up @@ -416,7 +422,7 @@ This validation checks whether the number of objects for the existing and newly

When targeting any version that is 6.0(2) or greater, download both the 32-bit and 64-bit Cisco ACI-mode switch images to the Cisco APIC. Downloading only one of the images may result in errors during the upgrade process.

For additional information, see the [Guidelines and Limitations for Upgrading or Downgrading][25] section of the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.
For additional information, see the [Guidelines and Limitations for Upgrading or Downgrading][28] section of the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.


## Fault Check Details
Expand Down Expand Up @@ -1648,6 +1654,38 @@ Before the fix implemented in [CSCvv30303][21], it was possible for a BD and an

[CSCvv30303][21] introduced policy validations to prevent this configuration and enforce that matching subnets defined in both the BD and related EPG have the same scope. It is imperative that identified mismatching subnet scopes are corrected within an ACI fabric to prevent unexpected traffic pattern issues in the future.

### Unsupported FEC Configuration for N9K-C93180YC-EX

Nexus C93180YC-EX switches [do not support CONS16-RS-FEC or IEEE-RS-FEC][26] mode. In older versions a FEC mode misconfiguration does not cause the interface to be down. However after upgrading to 5.0(1) or later the port will become hardware disabled until the misconfiguration is removed.

It is important to remove any unsupported configuration prior to ugprade to avoid any unexpected downtime.

!!! example
On each N9K-C93180YC-EX switch, you can check the FEC mode for each interface with the following query:
```
leaf101# moquery -c l1PhysIf -x query-target-filter=or\(eq\(l1PhysIf.fecMode,\"ieee-rs-fec\"\),eq\(l1PhysIf.fecMode,\"cons16-rs-fec\"\)\)
Total Objects shown: 1

# l1.PhysIf
id : eth1/1
adminSt : up
autoNeg : on
breakT : nonbroken
bw : 0
childAction :
delay : 1
descr :
dfeDelayMs : 0
dn : sys/phys-[eth1/1]
dot1qEtherType : 0x8100
emiRetrain : disable
enablePoap : no
ethpmCfgFailedBmp :
ethpmCfgFailedTs : 00:00:00:00.000
ethpmCfgState : 2
fcotChannelNumber : Channel32
fecMode : ieee-rs-fec <<<
```

## Defect Check Details

Expand Down Expand Up @@ -1826,7 +1864,6 @@ This check queries `infraRsHPathAtt` objects related to eths, then check if any




### LLDP Custom Interface Description

Due to the defect [CSCwf00416][24], custom interface descriptions may override the port topology DN. In ACI LLDP should always advertise the topology DN as the port description irrespective of whether an interface description is configured or not.
Expand Down Expand Up @@ -1861,6 +1898,44 @@ In cases where there is a custom interface description and a VMM-integrated depl
--- omit ---
```

### Route-map Community Match

Due to the defect [CSCwb08081][25], if you have a route-map with a community match statement but there is no prefix list match the set clause may not be applied.

It is recommended if you are upgrading to an affected release to add a prefix list match statement prior to upgrade.

!!! example
In this example, the Route-map match rule `rtctrlSubjP` has a community match `rtctrlMatchCommFactor` but no prefix list match `rtctrlMatchRtDest`. This match rule would be affected by the defect.
```
apic1# moquery -c rtctrlSubjP -x rsp-subtree=full -x rsp-subtree-class=rtctrlMatchCommFactor,rtctrlMatchRtDest | egrep "^#|dn "
# rtctrl.SubjP
dn : uni/tn-Cisco/subj-match-comm
# rtctrl.MatchCommTerm
dn : uni/tn-Cisco/subj-match-comm/commtrm-test
# rtctrl.MatchCommFactor
dn : uni/tn-Cisco/subj-match-comm/commtrm-test/commfct-regular:as2-nn2:4:15
```
In order to fix this, navigate to `Tenants > "Cisco" > Policies > Protocol > Match Rules > "match-comm"` and add a prefix-list.
```
apic1# moquery -c rtctrlSubjP -x rsp-subtree=full -x rsp-subtree-class=rtctrlMatchCommFactor,rtctrlMatchRtDest | egrep "^#|dn "
# rtctrl.SubjP
dn : uni/tn-Cisco/subj-match-comm
# rtctrl.MatchCommTerm
dn : uni/tn-Cisco/subj-match-comm/commtrm-test
# rtctrl.MatchCommFactor
dn : uni/tn-Cisco/subj-match-comm/commtrm-test/commfct-regular:as2-nn2:4:15
# rtctrl.MatchRtDest
dn : uni/tn-Cisco/subj-match-comm/dest-[0.0.0.0/0]
```


### L3out /32 overlap with BD Subnet

Due to defect [CSCwb91766][27], L3out /32 Static Routes that overlap with BD Subnets within the same VRF will be programmed into RIB but not FIB of the relevant switches in the forwarding path. This will cause traffic loss as packets will not be able to take the /32 route, resulting in unexpecteded forwarding issues.

If found, the target version of your upgrade should be a version with a fix for CSCwb91766. Otherwise, the other option is to change the routing design of the affected fabric.


[0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
[1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
[2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
Expand All @@ -1886,4 +1961,7 @@ In cases where there is a custom interface description and a VMM-integrated depl
[22]: https://www.cisco.com/c/dam/en/us/td/docs/unified_computing/ucs/c/sw/CIMC-Upgrade-Downgrade-Matrix/index.html
[23]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh68103
[24]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf00416
[25]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-aci-upgrade-downgrade-architecture.html#Cisco_Reference.dita_22480abb-4138-416b-8dd5-ecde23f707b4
[25]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb08081
[26]: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Cisco_ACI_and_Forward_Error_Correction.html#Cisco_Reference.dita_5cef69b3-b7fa-4bde-ba60-38129c9e7d82
[27]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb91766
[28]: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-installation-aci-upgrade-downgrade/Cisco-APIC-Installation-ACI-Upgrade-Downgrade-Guide/m-aci-upgrade-downgrade-architecture.html#Cisco_Reference.dita_22480abb-4138-416b-8dd5-ecde23f707b4
44 changes: 44 additions & 0 deletions tests/invalid_fex_rs_check/infraRsHPathAtt_neg.json
Original file line number Diff line number Diff line change
Expand Up @@ -42,5 +42,49 @@
"userdom": ""
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
"annotation": "",
"childAction": "",
"dn": "uni/infra/hpaths-105_eth198_1_7/rsHPathAtt-[topology/pod-1/paths-105/pathep-[eth100/1/7]]",
"extMngdBy": "",
"forceResolve": "yes",
"lcOwn": "local",
"modTs": "2021-10-23T08:33:12.722+09:00",
"rType": "mo",
"state": "unformed",
"stateQual": "none",
"status": "",
"tCl": "fabricPathEp",
"tDn": "topology/pod-1/paths-105/pathep-[eth198/1/7]",
"tType": "mo",
"uid": "15374",
"userdom": ""
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
"annotation": "",
"childAction": "",
"dn": "uni/infra/hpaths-105_eth198_1_7/rsHPathAtt-[topology/pod-1/paths-105/pathep-[eth1/30/11]]",
"extMngdBy": "",
"forceResolve": "yes",
"lcOwn": "local",
"modTs": "2021-10-23T08:33:12.722+09:00",
"rType": "mo",
"state": "unformed",
"stateQual": "none",
"status": "",
"tCl": "fabricPathEp",
"tDn": "topology/pod-1/paths-105/pathep-[eth198/1/7]",
"tType": "mo",
"uid": "15374",
"userdom": ""
}
}
}
]
66 changes: 66 additions & 0 deletions tests/invalid_fex_rs_check/infraRsHPathAtt_pos.json
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,28 @@
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
"annotation": "",
"childAction": "",
"dn": "uni/infra/hpaths-105_eth198_1_7/rsHPathAtt-[topology/pod-1/paths-105/pathep-[eth101/1/20]]",
"extMngdBy": "",
"forceResolve": "yes",
"lcOwn": "local",
"modTs": "2021-10-23T08:33:12.722+09:00",
"rType": "mo",
"state": "unformed",
"stateQual": "none",
"status": "",
"tCl": "fabricPathEp",
"tDn": "topology/pod-1/paths-105/pathep-[eth198/1/7]",
"tType": "mo",
"uid": "15374",
"userdom": ""
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
Expand All @@ -42,5 +64,49 @@
"userdom": ""
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
"annotation": "",
"childAction": "",
"dn": "uni/infra/hpaths-105_eth198_1_7/rsHPathAtt-[topology/pod-1/paths-105/pathep-[eth13/1/4]]",
"extMngdBy": "",
"forceResolve": "yes",
"lcOwn": "local",
"modTs": "2021-10-23T08:33:12.722+09:00",
"rType": "mo",
"state": "unformed",
"stateQual": "none",
"status": "",
"tCl": "fabricPathEp",
"tDn": "topology/pod-1/paths-105/pathep-[eth198/1/7]",
"tType": "mo",
"uid": "15374",
"userdom": ""
}
}
},
{
"infraRsHPathAtt": {
"attributes": {
"annotation": "",
"childAction": "",
"dn": "uni/infra/hpaths-105_eth198_1_7/rsHPathAtt-[topology/pod-1/paths-105/pathep-[eth1/11/11]]",
"extMngdBy": "",
"forceResolve": "yes",
"lcOwn": "local",
"modTs": "2021-10-23T08:33:12.722+09:00",
"rType": "mo",
"state": "unformed",
"stateQual": "none",
"status": "",
"tCl": "fabricPathEp",
"tDn": "topology/pod-1/paths-105/pathep-[eth198/1/7]",
"tType": "mo",
"uid": "15374",
"userdom": ""
}
}
}
]
1 change: 1 addition & 0 deletions tests/rtmap_comm_match_defect_check/rtctrlCtxP_NEG.json
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
[{"rtctrlCtxP":{"attributes":{"action":"permit","annotation":"","childAction":"","descr":"","dn":"uni/tn-bw/prof-test/ctx-test","extMngdBy":"","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","name":"test","nameAlias":"","order":"0","status":"","uid":"15374","userdom":":all:"},"children":[{"rtctrlScope":{"attributes":{"annotation":"","childAction":"","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","name":"","nameAlias":"","rn":"scp","status":"","uid":"15374","userdom":":all:"},"children":[{"rtctrlRsScopeToAttrP":{"attributes":{"annotation":"","childAction":"","extMngdBy":"","forceResolve":"yes","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","rType":"mo","rn":"rsScopeToAttrP","state":"formed","stateQual":"none","status":"","tCl":"rtctrlAttrP","tContextDn":"","tDn":"uni/tn-bw/attr-set-as-path","tRn":"attr-set-as-path","tType":"name","tnRtctrlAttrPName":"set-as-path","uid":"0","userdom":":all:"}}}]}},{"rtctrlRsCtxPToSubjP":{"attributes":{"annotation":"","childAction":"","extMngdBy":"","forceResolve":"yes","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","rType":"mo","rn":"rsctxPToSubjP-deny-all-routes","state":"formed","stateQual":"none","status":"","tCl":"rtctrlSubjP","tContextDn":"","tDn":"uni/tn-bw/subj-deny-all-routes","tRn":"subj-deny-all-routes","tType":"name","tnRtctrlSubjPName":"deny-all-routes","uid":"15374","userdom":":all:"}}}]}}]
1 change: 1 addition & 0 deletions tests/rtmap_comm_match_defect_check/rtctrlCtxP_POS.json
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
[{"rtctrlCtxP":{"attributes":{"action":"permit","annotation":"","childAction":"","descr":"","dn":"uni/tn-bw/prof-test/ctx-test","extMngdBy":"","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","name":"test","nameAlias":"","order":"0","status":"","uid":"15374","userdom":":all:"},"children":[{"rtctrlScope":{"attributes":{"annotation":"","childAction":"","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","name":"","nameAlias":"","rn":"scp","status":"","uid":"15374","userdom":":all:"},"children":[{"rtctrlRsScopeToAttrP":{"attributes":{"annotation":"","childAction":"","extMngdBy":"","forceResolve":"yes","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","rType":"mo","rn":"rsScopeToAttrP","state":"formed","stateQual":"none","status":"","tCl":"rtctrlAttrP","tContextDn":"","tDn":"uni/tn-bw/attr-set-as-path","tRn":"attr-set-as-path","tType":"name","tnRtctrlAttrPName":"set-as-path","uid":"0","userdom":":all:"}}}]}},{"rtctrlRsCtxPToSubjP":{"attributes":{"annotation":"","childAction":"","extMngdBy":"","forceResolve":"yes","lcOwn":"local","modTs":"2024-05-23T12:33:59.880-04:00","monPolDn":"uni/tn-common/monepg-default","rType":"mo","rn":"rsctxPToSubjP-deny-all-routes","state":"formed","stateQual":"none","status":"","tCl":"rtctrlSubjP","tContextDn":"","tDn":"uni/tn-bw/subj-deny-all-routes","tRn":"subj-deny-all-routes","tType":"name","tnRtctrlSubjPName":"deny-all-routes","uid":"15374","userdom":":all:"}}}]}}]
1 change: 1 addition & 0 deletions tests/rtmap_comm_match_defect_check/rtctrlSubjP_NEG.json
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
[{"rtctrlSubjP":{"attributes":{"annotation":"","childAction":"","descr":"","dn":"uni/tn-bw/subj-deny-all-routes","extMngdBy":"","lcOwn":"local","modTs":"2022-07-26T09:49:02.638-04:00","name":"deny-all-routes","nameAlias":"","status":"","uid":"15374","userdom":"all"},"children":[{"rtctrlMatchCommTerm":{"attributes":{"annotation":"","childAction":"","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-21T12:29:17.075-04:00","name":"test","nameAlias":"","rn":"commtrm-test","status":"","type":"community","uid":"15374","userdom":":all:"},"children":[{"rtctrlMatchCommFactor":{"attributes":{"annotation":"","childAction":"","community":"regular:as2-nn2:4:15","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-21T12:29:17.075-04:00","name":"","nameAlias":"","rn":"commfct-regular:as2-nn2:4:15","scope":"transitive","status":"","type":"community","uid":"15374","userdom":":all:"}}}]}},{"rtctrlMatchRtDest":{"attributes":{"aggregate":"yes","annotation":"","childAction":"","descr":"","extMngdBy":"","fromPfxLen":"0","ip":"0.0.0.0/0","lcOwn":"local","modTs":"2024-05-21T16:53:49.801-04:00","name":"","nameAlias":"","rn":"dest-[0.0.0.0/0]","status":"","toPfxLen":"0","type":"rt-dst","uid":"15374","userdom":":all:"}}}]}}]
1 change: 1 addition & 0 deletions tests/rtmap_comm_match_defect_check/rtctrlSubjP_POS.json
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
[{"rtctrlSubjP":{"attributes":{"annotation":"","childAction":"","descr":"","dn":"uni/tn-bw/subj-deny-all-routes","extMngdBy":"","lcOwn":"local","modTs":"2022-07-26T09:49:02.638-04:00","name":"deny-all-routes","nameAlias":"","status":"","uid":"15374","userdom":"all"},"children":[{"rtctrlMatchCommTerm":{"attributes":{"annotation":"","childAction":"","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-21T12:29:17.075-04:00","name":"test","nameAlias":"","rn":"commtrm-test","status":"","type":"community","uid":"15374","userdom":":all:"},"children":[{"rtctrlMatchCommFactor":{"attributes":{"annotation":"","childAction":"","community":"regular:as2-nn2:4:15","descr":"","extMngdBy":"","lcOwn":"local","modTs":"2024-05-21T12:29:17.075-04:00","name":"","nameAlias":"","rn":"commfct-regular:as2-nn2:4:15","scope":"transitive","status":"","type":"community","uid":"15374","userdom":":all:"}}}]}}]}}]
Loading

0 comments on commit 40c47e8

Please sign in to comment.