Enhance Overlapping VLAN pools check #155

Merged
merged 6 commits into from
Aug 29, 2024

takishida
Collaborator

The current overlapping_vlan_pools_check only checks whether each EPG has multiple domains and whether or not those domains have VLAN pools with overlapping VLAN IDs. It does not check the VLAN or interfaces used in those EPGs.
The current implementation can warn users about the potential risk of overlapping VLAN pools and highly encourage them to check their design and implementation. However, this can be a daunting task.

The enhancement in this PR checks the VLAN and interfaces in those EPGs along with the VLAN scope (portlocal/global) to show users the exact VLAN ID and interfaces that are using the overlapping VLAN pools along with their impact. This can reduce the amount of configurations to be examined by users, and can also prevent a potential false alarm that may occur with the current implementation, such as when the EPG does have overlapping VLAN pools but the VLAN used in the EPG is not in the overlapping range.

In the examples below, TN1:AP1:EPG1 is listed as one of the problematic ones in the current implementation. However, it is not listed in the new output with the enhancement because the VLAN used in the EPG is not in the overlapping ranges of those pools.
The new output also shows different impacts for each VLAN and interface. The main difference is whether the affected VLAN is implemented on a vPC or not. In such a case, the impact is shown as Outage because it affects not only the flooding scope but also the endpoint learning. More detailed explanations and examples were added in the GitHub doc with this PR.

Current Output Example

```
[Check 35/67] Overlapping VLAN Pools...                                                                            FAIL - OUTAGE WARNING!!
  Tenant  AP   EPG   VLAN Pool (Domain) 1  VLAN Pool (Domain) 2  Recommended Action
  ------  --   ---   --------------------  --------------------  ------------------
  TN1     AP1  EPG1  VLAN_Pool1 (PhyDom1)  VLAN_Pool2 (PhyDom2)  Resolve overlapping VLANs between these two VLAN pools
  TN2     AP1  EPG1  VLAN_Pool3 (PhyDom3)  VLAN_Pool4 (PhyDom4)  Resolve overlapping VLANs between these two VLAN pools
  TN3     AP1  EPG3  VLAN_Pool5 (PhyDom5)  VLAN_Pool6 (PhyDom6)  Resolve overlapping VLANs between these two VLAN pools

  Reference Document: "Overlapping VLAN Pool" from from Pre-Upgrade Check Lists
```

New Output Example

```
[Check 35/67] Overlapping VLAN Pools...                                                                            FAIL - OUTAGE WARNING!!
  Tenant  AP   EPG   Node  Port       VLAN Scope  VLAN ID  VLAN Pools (Domains)                     Impact
  ------  --   ---   ----  ----       ----------  -------  --------------------                     ------
  TN2     AP1  EPG1  205   eth1/22    global      100      VLAN_Pool3(PhyDom3),VLAN_Pool4(PhyDom4)  Flood Scope
  TN2     AP1  EPG1  206   eth1/22    global      100      VLAN_Pool3(PhyDom3),VLAN_Pool4(PhyDom4)  Flood Scope
  TN3     AP1  EPG3  217   IFPG_VPC1  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage
  TN3     AP1  EPG3  217   IFPG_VPC2  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage
  TN3     AP1  EPG3  217   IFPG_VPC3  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage
  TN3     AP1  EPG3  218   IFPG_VPC1  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage
  TN3     AP1  EPG3  218   IFPG_VPC2  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage
  TN3     AP1  EPG3  218   IFPG_VPC3  global      221      VLAN_Pool5(PhyDom5),VLAN_Pool6(PhyDom6)  Outage

  Recommended Action:
    Each node must have only one VLAN pool per VLAN ID across all the ports or across the ports with VLAN scope `portlocal` in the same EPG.'
    When `Impact` shows `Outage`, you must resolve the overlapping VLAN pools.
    When `Impact` shows `Flood Scope`, you should check whether it is ok that STP BPDUs, or any BUM traffic when using Flood-in-Encap, may not be flooded within the same VLAN ID across all the nodes/ports.
    Note that only the nodes causing the overlap are shown above.
  Reference Document: https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#overlapping-vlan-pool
```

When there are only non-vPC ports using the overlapping VLAN pools, the overall check result shows MANUAL_CHECK_REQUIRED instead of FAIL - OUTAGE WARNING!! because the flooding scope inconsistency with overlapping VLAN pools typically impacts only STP BPDUs unless Flood-in-Encap is used. In the case of STP BPDUs, the impact may be negligible when the VLANs are purely for server connectivity.

New Output Example

```
[Check 35/67] Overlapping VLAN Pools...                                                                            MANUAL_CHECK_REQUIRED
  Tenant  AP   EPG   Node  Port       VLAN Scope  VLAN ID  VLAN Pools (Domains)                     Impact
  ------  --   ---   ----  ----       ----------  -------  --------------------                     ------
  TN2     AP1  EPG1  205   eth1/22    global      100      VLAN_Pool3(PhyDom3),VLAN_Pool4(PhyDom4)  Flood Scope
  TN2     AP1  EPG1  206   eth1/22    global      100      VLAN_Pool3(PhyDom3),VLAN_Pool4(PhyDom4)  Flood Scope
```
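
The following is an added example, not code from this PR or the project: a simplified sketch of the decision logic the description above outlines (flag a binding only when the VLAN in use falls inside more than one of the EPG's pools, and grade it by vPC vs non-vPC). Pool, domain and EPG names come from the sample output; the VLAN ranges, node 201, `eth1/10`, the function names and the `PASS` label are constructed assumptions, and VLAN scope and per-port domain resolution are left out.

```python
# Constructed sample data: VLAN ranges and bindings are illustrative only.
POOLS = {  # pool name -> inclusive (start, end) VLAN blocks
    "VLAN_Pool1": [(10, 20)], "VLAN_Pool2": [(15, 30)],
    "VLAN_Pool3": [(90, 110)], "VLAN_Pool4": [(100, 120)],
    "VLAN_Pool5": [(200, 230)], "VLAN_Pool6": [(220, 240)],
}
DOMAIN_POOL = {"PhyDom%d" % i: "VLAN_Pool%d" % i for i in range(1, 7)}
EPG_DOMAINS = {
    "TN1:AP1:EPG1": ["PhyDom1", "PhyDom2"],
    "TN2:AP1:EPG1": ["PhyDom3", "PhyDom4"],
    "TN3:AP1:EPG3": ["PhyDom5", "PhyDom6"],
}
# (epg, node, port, vlan_id, is_vpc)
BINDINGS = [
    ("TN1:AP1:EPG1", 201, "eth1/10", 25, False),   # pools overlap on 15-20 only
    ("TN2:AP1:EPG1", 205, "eth1/22", 100, False),
    ("TN2:AP1:EPG1", 206, "eth1/22", 100, False),
    ("TN3:AP1:EPG3", 217, "IFPG_VPC1", 221, True),
    ("TN3:AP1:EPG3", 218, "IFPG_VPC1", 221, True),
]

def pools_for_vlan(epg, vlan_id):
    """Pools reachable through the EPG's domains whose blocks contain vlan_id."""
    hits = []
    for dom in EPG_DOMAINS[epg]:
        pool = DOMAIN_POOL[dom]
        if any(lo <= vlan_id <= hi for lo, hi in POOLS[pool]):
            hits.append("%s(%s)" % (pool, dom))
    return hits

def find_overlaps(bindings):
    """Return one row per binding whose VLAN ID is covered by more than one pool."""
    rows = []
    for epg, node, port, vlan_id, is_vpc in bindings:
        hits = pools_for_vlan(epg, vlan_id)
        if len(hits) > 1:
            impact = "Outage" if is_vpc else "Flood Scope"
            rows.append((epg, node, port, vlan_id, ",".join(hits), impact))
    return rows

def overall_result(rows):
    """Any vPC hit fails the check; non-vPC hits alone need a manual review."""
    if any(r[-1] == "Outage" for r in rows):
        return "FAIL - OUTAGE WARNING!!"
    return "MANUAL_CHECK_REQUIRED" if rows else "PASS"  # "PASS" label is assumed

if __name__ == "__main__":
    found = find_overlaps(BINDINGS)
    for row in found:
        print("  ".join(str(col) for col in row))
    print(overall_result(found))
```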

@takishida takishida requested a review from monrog2 August 23, 2024 21:50
Collaborator

@monrog2 monrog2 left a comment

Checked lab test output; aside from a typo, the rest looks good.

docs/docs/validations.md (outdated, resolved)
@takishida takishida requested a review from monrog2 August 29, 2024 17:12
@takishida takishida merged commit 363a542 into master Aug 29, 2024
3 checks passed
@takishida takishida removed the request for review from monrog2 August 29, 2024 17:14
@takishida takishida deleted the overlapping_vlan branch October 4, 2024 21:06
takishida added a commit that referenced this pull request Nov 7, 2024
`vnid_mismatch_check` was added to complement
`overlapping_vlan_pools_check`. Given the recent update (#155, #162),
`vnid_mismatch_check` became redundant, and it was decided to remove
this check.
monrog2 pushed a commit that referenced this pull request Dec 12, 2024
* Remove vnid_mismatch_check

`vnid_mismatch_check` was added to complement
`overlapping_vlan_pools_check`. Given the recent update (#155, #162),
`vnid_mismatch_check` became redundant, and it was decided to remove
this check.

* doc: Update doc with deprecation warning