From 4f7e432f099bee4081652c20a53a5810f3e6931b Mon Sep 17 00:00:00 2001
From: Matt Tarkington
Date: Sun, 21 Jul 2024 19:47:43 -0400
Subject: [PATCH 1/5] organize rules and add new rules for vrfs & networks
---
 ...ology_switch_interfaces_members_unique.py} | 2 +-
 ... => 305_topology_switch_interfaces_vpc.py} | 2 +-
 ...> 401_overlay_services_cross_reference.py} | 8 +---
 .../402_overlay_services_vrfs.py | 43 +++++++++++++++++++
 .../403_overlay_services_networks.py | 30 +++++++++++++
 5 files changed, 77 insertions(+), 8 deletions(-)
 rename roles/validate/files/rules/required_rules/{305_topology_switch_interfaces_members_unique.py => 304_topology_switch_interfaces_members_unique.py} (99%)
 rename roles/validate/files/rules/required_rules/{306_topology_switch_interfaces_vpc.py => 305_topology_switch_interfaces_vpc.py} (99%)
 rename roles/validate/files/rules/required_rules/{304_overlay_services_cross_reference.py => 401_overlay_services_cross_reference.py} (95%)
 create mode 100644 roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
 create mode 100644 roles/validate/files/rules/required_rules/403_overlay_services_networks.py
diff --git a/roles/validate/files/rules/required_rules/305_topology_switch_interfaces_members_unique.py b/roles/validate/files/rules/required_rules/304_topology_switch_interfaces_members_unique.py
similarity index 99%
rename from roles/validate/files/rules/required_rules/305_topology_switch_interfaces_members_unique.py
rename to roles/validate/files/rules/required_rules/304_topology_switch_interfaces_members_unique.py
index ed8e2c5b..964f086b 100644
--- a/roles/validate/files/rules/required_rules/305_topology_switch_interfaces_members_unique.py
+++ b/roles/validate/files/rules/required_rules/304_topology_switch_interfaces_members_unique.py
@@ -2,7 +2,7 @@ class Rule:
- id = "305"
+ id = "304"
 description = "\n1)Verify Interface names are Unique per switch\n2)Verify member interfaces are not repeated within a switch\n"
 severity = "HIGH"
diff --git a/roles/validate/files/rules/required_rules/306_topology_switch_interfaces_vpc.py b/roles/validate/files/rules/required_rules/305_topology_switch_interfaces_vpc.py
similarity index 99%
rename from roles/validate/files/rules/required_rules/306_topology_switch_interfaces_vpc.py
rename to roles/validate/files/rules/required_rules/305_topology_switch_interfaces_vpc.py
index aa918f74..f5eee7de 100644
--- a/roles/validate/files/rules/required_rules/306_topology_switch_interfaces_vpc.py
+++ b/roles/validate/files/rules/required_rules/305_topology_switch_interfaces_vpc.py
@@ -2,7 +2,7 @@ class Rule:
- id = "306"
+ id = "305"
 description = (
 "Verify vPC interfaces are compliant with vPC configuration requirements"
 )
diff --git a/roles/validate/files/rules/required_rules/304_overlay_services_cross_reference.py b/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
similarity index 95%
rename from roles/validate/files/rules/required_rules/304_overlay_services_cross_reference.py
rename to roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
index 18909f0e..a4e7dcc4 100644
--- a/roles/validate/files/rules/required_rules/304_overlay_services_cross_reference.py
+++ b/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
@@ -1,5 +1,5 @@ class Rule:
- id = "304"
+ id = "401"
 description = "Cross Reference VRFs and Networks items in the Service Model"
 severity = "HIGH"
@@ -19,11 +19,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory.get("vxlan").get("overlay_services").get("vrfs", None):
 sm_vrfs = inventory.get("vxlan").get("overlay_services").get("vrfs")
- # Build list of VRF names from sm_networks
- # network_vrf_names = []
- # for net in sm_networks:
- # if net.get('vrf_name') is not None:
- # network_vrf_names.append(net.get('vrf_name'))
+ # Build list of VRF names from sm_vrfs
 if sm_vrfs and sm_networks:
 vrf_names = []
diff --git a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
new file mode 100644
index 00000000..acc96d89
--- /dev/null
+++ b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
@@ -0,0 +1,43 @@
+class Rule:
+ id = "402"
+ description = "Verify VRF elements are enabled in fabric overlay services"
+ severity = "HIGH"
+
+ @classmethod
+ def match(cls, inventory):
+ results = []
+ netflow_status = False
+ trm_status = False
+ vrfs = []
+
+ if inventory.get("vxlan", None):
+ if inventory["vxlan"].get("global", None):
+ if inventory["vxlan"].get("global").get("netflow", None):
+ netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
+
+ if inventory.get("vxlan", None):
+ if inventory["vxlan"].get("underlay", None):
+ if inventory["vxlan"].get("underlay").get("multicast", None):
+ trm_status = inventory["vxlan"]["underlay"]["multicast"].get("trm_enable", False)
+
+ if inventory.get("vxlan", None):
+ if inventory["vxlan"].get("overlay_services", None):
+ if inventory["vxlan"].get("overlay_services").get("vrfs", None):
+ vrfs = inventory["vxlan"]["overlay_services"]["vrfs"]
+
+ for vrf in vrfs:
+ current_vrf_netflow_status = vrf.get("netflow_enable", False)
+ if current_vrf_netflow_status != netflow_status:
+ results.append(
+ f"For vxlan.overlay_services.vrfs.{vrf['name']}.netflow_enable to be enabled, "
+ f"first vxlan.global.netflow.enable must be enabled (true)."
+ )
+
+ current_vrf_trm_status = vrf.get("trm_enable", False)
+ if current_vrf_trm_status != trm_status:
+ results.append(
+ f"For vxlan.overlay_services.vrfs.{vrf['name']}.trm_enable to be enabled, "
+ f"first vxlan.underlay.multicast.trm_enable must be enabled (true)."
+ )
+
+ return results
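Review bot: The three `if inventory.get("vxlan", None):` ladders in the new `match` repeat the same nested-lookup pattern, with the `None` default being redundant on `dict.get`; the 403 file added in the next hunk repeats it again. A single guarded lookup reads better and keeps the "absent or null section counts as disabled" behaviour, e.g. `vxlan = inventory.get("vxlan") or {}` followed by `netflow_status = ((vxlan.get("global") or {}).get("netflow") or {}).get("enable", False)` and `vrfs = (vxlan.get("overlay_services") or {}).get("vrfs") or []`, with the underlay/TRM lookup done the same way. The `or {}` guards are what preserve the current tolerance of a section present but set to null, which `.get("global", {})` alone would not.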
diff --git a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
new file mode 100644
index 00000000..013df58b
--- /dev/null
+++ b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
@@ -0,0 +1,30 @@
+class Rule:
+ id = "403"
+ description = "Verify Network elements are enabled in fabric overlay services"
+ severity = "HIGH"
+
+ @classmethod
+ def match(cls, inventory):
+ results = []
+ netflow_status = False
+ networks = []
+
+ if inventory.get("vxlan", None):
+ if inventory["vxlan"].get("global", None):
+ if inventory["vxlan"].get("global").get("netflow", None):
+ netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
+
+ if inventory.get("vxlan", None):
+ if inventory["vxlan"].get("overlay_services", None):
+ if inventory["vxlan"].get("overlay_services").get("networks", None):
+ networks = inventory["vxlan"]["overlay_services"]["networks"]
+
+ for network in networks:
+ current_network_netflow_status = network.get("netflow_enable", False)
+ if current_network_netflow_status != netflow_status:
+ results.append(
+ f"For vxlan.overlay_services.networks.{network['name']}.netflow_enable to be enabled, "
+ f"first vxlan.global.netflow.enable must be enabled (true)."
+ )
+
+ return results
From 8fafaf1e2d8b5063fb2e9d348972643ba5c608c8 Mon Sep 17 00:00:00 2001
From: Matt Tarkington
Date: Sun, 21 Jul 2024 19:55:58 -0400
Subject: [PATCH 2/5] fix lint errors
---
 .../required_rules/401_overlay_services_cross_reference.py | 2 +-
 .../files/rules/required_rules/402_overlay_services_vrfs.py | 2 +-
 .../files/rules/required_rules/403_overlay_services_networks.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py b/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
index a4e7dcc4..356718c3 100644
--- a/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
+++ b/roles/validate/files/rules/required_rules/401_overlay_services_cross_reference.py
@@ -19,7 +19,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory.get("vxlan").get("overlay_services").get("vrfs", None):
 sm_vrfs = inventory.get("vxlan").get("overlay_services").get("vrfs")
-
+
 # Build list of VRF names from sm_vrfs
 if sm_vrfs and sm_networks:
 vrf_names = []
diff --git a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
index acc96d89..f100acef 100644
--- a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
+++ b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
@@ -24,7 +24,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory["vxlan"].get("overlay_services").get("vrfs", None):
 vrfs = inventory["vxlan"]["overlay_services"]["vrfs"]
-
+
 for vrf in vrfs:
 current_vrf_netflow_status = vrf.get("netflow_enable", False)
 if current_vrf_netflow_status != netflow_status:
diff --git a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
index 013df58b..a409bddc 100644
--- a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
+++ b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
@@ -18,7 +18,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory["vxlan"].get("overlay_services").get("networks", None):
 networks = inventory["vxlan"]["overlay_services"]["networks"]
-
+
 for network in networks:
 current_network_netflow_status = network.get("netflow_enable", False)
 if current_network_netflow_status != netflow_status:
From ec560e8898e7b68d124e8b71f74e9d4c4677502f Mon Sep 17 00:00:00 2001
From: Matt Tarkington
Date: Sun, 21 Jul 2024 19:58:44 -0400
Subject: [PATCH 3/5] fix lint errors
---
 .../files/rules/required_rules/402_overlay_services_vrfs.py | 2 +-
 .../files/rules/required_rules/403_overlay_services_networks.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
index f100acef..c7cd3bd6 100644
--- a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
+++ b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
@@ -24,7 +24,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory["vxlan"].get("overlay_services").get("vrfs", None):
 vrfs = inventory["vxlan"]["overlay_services"]["vrfs"]
-
+
 for vrf in vrfs:
 current_vrf_netflow_status = vrf.get("netflow_enable", False)
 if current_vrf_netflow_status != netflow_status:
diff --git a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
index a409bddc..409b18ac 100644
--- a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
+++ b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
@@ -18,7 +18,7 @@ def match(cls, inventory):
 if inventory["vxlan"].get("overlay_services", None):
 if inventory["vxlan"].get("overlay_services").get("networks", None):
 networks = inventory["vxlan"]["overlay_services"]["networks"]
-
+
 for network in networks:
 current_network_netflow_status = network.get("netflow_enable", False)
 if current_network_netflow_status != netflow_status:
From 2ca9e31fc87f290c99add8d89f543c49f8b87110 Mon Sep 17 00:00:00 2001
From: Matt Tarkington
Date: Mon, 22 Jul 2024 06:56:43 -0400
Subject: [PATCH 4/5] adjust rules to account for another permutation
---
 .../402_overlay_services_vrfs.py | 34 ++++++++++---------
 .../403_overlay_services_networks.py | 17 +++++-----
 2 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
index c7cd3bd6..0d024112 100644
--- a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
+++ b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
@@ -6,19 +6,19 @@ class Rule:
 @classmethod
 def match(cls, inventory):
 results = []
- netflow_status = False
- trm_status = False
+ fabric_netflow_status = False
+ fabric_trm_status = False
 vrfs = []
 if inventory.get("vxlan", None):
 if inventory["vxlan"].get("global", None):
 if inventory["vxlan"].get("global").get("netflow", None):
- netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
+ fabric_netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
 if inventory.get("vxlan", None):
 if inventory["vxlan"].get("underlay", None):
 if inventory["vxlan"].get("underlay").get("multicast", None):
- trm_status = inventory["vxlan"]["underlay"]["multicast"].get("trm_enable", False)
+ fabric_trm_status = inventory["vxlan"]["underlay"]["multicast"].get("trm_enable", False)
 if inventory.get("vxlan", None):
 if inventory["vxlan"].get("overlay_services", None):
@@ -26,18 +26,20 @@ def match(cls, inventory):
 vrfs = inventory["vxlan"]["overlay_services"]["vrfs"]
 for vrf in vrfs:
- current_vrf_netflow_status = vrf.get("netflow_enable", False)
- if current_vrf_netflow_status != netflow_status:
- results.append(
- f"For vxlan.overlay_services.vrfs.{vrf['name']}.netflow_enable to be enabled, "
- f"first vxlan.global.netflow.enable must be enabled (true)."
- )
+ current_vrf_netflow_status = vrf.get("netflow_enable", None)
+ if current_vrf_netflow_status is not None:
+ if fabric_netflow_status == False and current_vrf_netflow_status == True:
+ results.append(
+ f"For vxlan.overlay_services.vrfs.{vrf['name']}.netflow_enable to be enabled, "
+ f"first vxlan.global.netflow.enable must be enabled (true)."
+ )
- current_vrf_trm_status = vrf.get("trm_enable", False)
- if current_vrf_trm_status != trm_status:
- results.append(
- f"For vxlan.overlay_services.vrfs.{vrf['name']}.trm_enable to be enabled, "
- f"first vxlan.underlay.multicast.trm_enable must be enabled (true)."
- )
+ current_vrf_trm_status = vrf.get("trm_enable", None)
+ if current_vrf_trm_status is not None:
+ if fabric_trm_status == False and current_vrf_trm_status == True:
+ results.append(
+ f"For vxlan.overlay_services.vrfs.{vrf['name']}.trm_enable to be enabled, "
+ f"first vxlan.underlay.multicast.trm_enable must be enabled (true)."
+ )
 return results
diff --git a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
index 409b18ac..2968d04d 100644
--- a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
+++ b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
@@ -6,13 +6,13 @@ class Rule:
 @classmethod
 def match(cls, inventory):
 results = []
- netflow_status = False
+ fabric_netflow_status = False
 networks = []
 if inventory.get("vxlan", None):
 if inventory["vxlan"].get("global", None):
 if inventory["vxlan"].get("global").get("netflow", None):
- netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
+ fabric_netflow_status = inventory["vxlan"]["global"]["netflow"].get("enable", False)
 if inventory.get("vxlan", None):
 if inventory["vxlan"].get("overlay_services", None):
@@ -20,11 +20,12 @@ def match(cls, inventory):
 networks = inventory["vxlan"]["overlay_services"]["networks"]
 for network in networks:
- current_network_netflow_status = network.get("netflow_enable", False)
- if current_network_netflow_status != netflow_status:
- results.append(
- f"For vxlan.overlay_services.networks.{network['name']}.netflow_enable to be enabled, "
- f"first vxlan.global.netflow.enable must be enabled (true)."
- )
+ current_network_netflow_status = network.get("netflow_enable", None)
+ if current_network_netflow_status is not None:
+ if fabric_netflow_status == False and current_network_netflow_status == True:
+ results.append(
+ f"For vxlan.overlay_services.networks.{network['name']}.netflow_enable to be enabled, "
+ f"first vxlan.global.netflow.enable must be enabled (true)."
+ )
 return results
From a9cd0a5fd94b92041e3efa53975e8aaa753b1ae1 Mon Sep 17 00:00:00 2001
From: Matt Tarkington
Date: Mon, 22 Jul 2024 07:01:41 -0400
Subject: [PATCH 5/5] fix lint errors
---
 .../files/rules/required_rules/402_overlay_services_vrfs.py | 4 ++--
 .../rules/required_rules/403_overlay_services_networks.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
index 0d024112..099cd930 100644
--- a/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
+++ b/roles/validate/files/rules/required_rules/402_overlay_services_vrfs.py
@@ -28,7 +28,7 @@ def match(cls, inventory):
 for vrf in vrfs:
 current_vrf_netflow_status = vrf.get("netflow_enable", None)
 if current_vrf_netflow_status is not None:
- if fabric_netflow_status == False and current_vrf_netflow_status == True:
+ if fabric_netflow_status is False and current_vrf_netflow_status is True:
 results.append(
 f"For vxlan.overlay_services.vrfs.{vrf['name']}.netflow_enable to be enabled, "
 f"first vxlan.global.netflow.enable must be enabled (true)."
@@ -36,7 +36,7 @@ def match(cls, inventory):
 current_vrf_trm_status = vrf.get("trm_enable", None)
 if current_vrf_trm_status is not None:
- if fabric_trm_status == False and current_vrf_trm_status == True:
+ if fabric_trm_status is False and current_vrf_trm_status is True:
 results.append(
 f"For vxlan.overlay_services.vrfs.{vrf['name']}.trm_enable to be enabled, "
 f"first vxlan.underlay.multicast.trm_enable must be enabled (true)."
diff --git a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
index 2968d04d..bbb5ce7e 100644
--- a/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
+++ b/roles/validate/files/rules/required_rules/403_overlay_services_networks.py
@@ -22,7 +22,7 @@ def match(cls, inventory):
 for network in networks:
 current_network_netflow_status = network.get("netflow_enable", None)
 if current_network_netflow_status is not None:
- if fabric_netflow_status == False and current_network_netflow_status == True:
+ if fabric_netflow_status is False and current_network_netflow_status is True:
 results.append(
 f"For vxlan.overlay_services.networks.{network['name']}.netflow_enable to be enabled, "
 f"first vxlan.global.netflow.enable must be enabled (true)."
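Review bot: The identity checks `fabric_netflow_status is False and current_vrf_netflow_status is True` (and the same form in the second 402 hunk and the 403 hunk) only fire when both values are the bool singletons, so a value that reaches the rule as anything else (a YAML string "true", an int 1, a null) makes the condition false and the rule reports nothing — a validation check that fails open on unexpected input; if the inventory is schema-coerced to bools before rules run this is moot, but that is not visible here. Treating anything other than exactly `True` on the fabric side as "not enabled" matches what the message asks for and also makes the preceding `is not None` guard redundant: `if current_vrf_netflow_status is True and fabric_netflow_status is not True:`. Separately, `vrf['name']` and `network['name']` in the message raise KeyError when an entry lacks `name`, turning a finding into a crash of the whole validator; `vrf.get('name')` keeps the rule reporting. The enclosing `match` starts outside these hunks.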