add rule 503 to check ip address for route-control #408


Draft pull request: wants to merge 2 commits into base: develop

Conversation

ccoueffe (Collaborator) commented Jun 6, 2025

Related Issue(s)

fix #400

Related Collection Role

  • cisco.nac_dc_vxlan.validate
  • cisco.nac_dc_vxlan.dtc.create
  • cisco.nac_dc_vxlan.dtc.deploy
  • cisco.nac_dc_vxlan.dtc.remove
  • other

Related Data Model Element

  • vxlan.fabric
  • vxlan.global
  • vxlan.topology
  • vxlan.underlay
  • vxlan.overlay
  • vxlan.overlay_extensions
  • vxlan.policy
  • vxlan.multisite
  • defaults.vxlan
  • other

Proposed Changes

Rule 503 checks IP addresses in the validate role for:

  • IPv4 and IPv6 prefix-lists
  • IPv4 and IPv6 ACLs

Test Notes

---
vxlan:
  overlay_extensions:
    ipv4_prefix_lists:
      - name: sac-prefix-list
        description: 'SAC IPv4 prefix-list'
        entries:
          - seq_number: 10
            operation: permit
            prefix: 41.0.0.0
          - seq_number: 20
            operation: permit
            prefix: 42.0.0.1/24
            le: 32
          - seq_number: 30
            operation: permit
            prefix: 43.0.0.0/24
            ge: 25
          - seq_number: 40
            operation: permit
            prefix: 44.0.0.0/24
            eq: 25
          - seq_number: 50
            operation: permit
            prefix: 45.0.0.0/24
            mask: 255.255.255.0
          - seq_number: 60
            operation: deny
            prefix: 35.0.0.0/8
            le: 32
            ge: 24
❯ nac-validate -s schemas/schema.yaml -r rules/vxlan host_vars/nac-ndfc2
ERROR - Semantic error, rule 503: Verify IP address format for Route-Control (["In IPv4 Prefix-List: sac-prefix-list Invalid format. '41.0.0.0' must include a CIDR prefix (e.g., /24 for IPv4 or /64 for IPv6)", 'In IPv4 Prefix-List: sac-prefix-list Invalid IP or CIDR: 42.0.0.1/24 has host bits set'])
---
vxlan:
  overlay_extensions:
    ipv6_access_lists:
      - name: ACL6-102
        entries:
          - seq_number: 10
            operation: permit
            protocol: tcp
            source:
              ip: 2001:db8:300:201::1/64
              port_number:
                operator: eq
                port: 80
            destination:
              ip: 2001:db8:300:202::/32
❯ nac-validate -s schemas/schema.yaml -r rules/vxlan host_vars/nac-ndfc2
ERROR - Semantic error, rule 503: Verify IP address format for Route-Control (['In IPv6 ACL: ACL6-102 Invalid IP or CIDR: 2001:db8:300:201::1/64 has host bits set or use wildcard.', 'In IPv6 ACL: ACL6-102 Invalid IP or CIDR: 2001:db8:300:202::/32 has host bits set or use wildcard.'])
---
vxlan:
  overlay_extensions:
    ipv4_access_lists:
      - name: myACL
        entries:
          - seq_number: 5
            remark: Allow_traffic
          - seq_number: 10
            operation: permit
            protocol: ip
            source:
              ip: 192.168.10.0/24
              wildcard: 0.0.0.255
            destination:
              ip: 192.168.200.0
              wildcard: 0.0.0.255
❯ nac-validate -s schemas/schema.yaml -r rules/vxlan host_vars/nac-ndfc2
ERROR - Semantic error, rule 503: Verify IP address format for Route-Control (["In IPv4 ACL: myACL Invalid format. '192.168.10.0/24' must not include a CIDR prefix when wildcard is configured."])

Cisco NDFC Version

Checklist

  • Latest commit is rebased from develop with merge conflicts resolved
  • New or updates to documentation has been made accordingly
  • Assigned the proper reviewers
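The three decisions that the Proposed Changes and Test Notes above exercise (a prefix-list entry must carry a CIDR length and have no host bits set; an ACL address paired with a wildcard must be a bare address; an ACL address without a wildcard must be a bare host or a clean network), written out as an added Python example. This is not the project's rule 503 code: the function names, the message wording and the inline sample data (constructed from the three host_vars snippets above) are assumptions. It builds on the standard library's `ipaddress` module, which is the same capability the linked issue wants instead of an `ipaddr` filter in a Jinja template, and it goes slightly beyond the page by also rejecting an address whose family does not match the list it sits in and a wildcard that does not parse.

```python
"""Hypothetical re-creation of the rule 503 address checks (example code, not the
project's own rule). Uses only the standard library's ipaddress module."""
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample, built from the three host_vars snippets in the test notes.
SAMPLE_OVERLAY_EXTENSIONS: Dict[str, Any] = {
    "ipv4_prefix_lists": [
        {"name": "sac-prefix-list", "entries": [
            {"seq_number": 10, "operation": "permit", "prefix": "41.0.0.0"},
            {"seq_number": 20, "operation": "permit", "prefix": "42.0.0.1/24", "le": 32},
            {"seq_number": 30, "operation": "permit", "prefix": "43.0.0.0/24", "ge": 25},
            {"seq_number": 60, "operation": "deny", "prefix": "35.0.0.0/8", "le": 32, "ge": 24},
        ]},
    ],
    "ipv6_access_lists": [
        {"name": "ACL6-102", "entries": [
            {"seq_number": 10, "operation": "permit", "protocol": "tcp",
             "source": {"ip": "2001:db8:300:201::1/64"},
             "destination": {"ip": "2001:db8:300:202::/32"}},
        ]},
    ],
    "ipv4_access_lists": [
        {"name": "myACL", "entries": [
            {"seq_number": 5, "remark": "Allow_traffic"},
            {"seq_number": 10, "operation": "permit", "protocol": "ip",
             "source": {"ip": "192.168.10.0/24", "wildcard": "0.0.0.255"},
             "destination": {"ip": "192.168.200.0", "wildcard": "0.0.0.255"}},
        ]},
    ],
}


def _parse_network(value: str, version: int) -> Optional[str]:
    """Strict CIDR parse: host bits set, bad syntax or wrong family is an error."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:  # e.g. "42.0.0.1/24 has host bits set"
        return f"Invalid IP or CIDR: {exc}"
    if net.version != version:
        return f"'{value}' is not an IPv{version} prefix"
    return None


def _parse_address(value: str, version: int) -> Optional[str]:
    """Bare address parse (no '/' accepted), checked against the expected family."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        return f"Invalid IP: {exc}"
    if addr.version != version:
        return f"'{value}' is not an IPv{version} address"
    return None


def check_prefix_entry(prefix: str, version: int) -> Optional[str]:
    """Prefix-list entry: a CIDR length is mandatory and host bits must be clear."""
    if "/" not in prefix:
        return (f"Invalid format. '{prefix}' must include a CIDR prefix "
                "(e.g., /24 for IPv4 or /64 for IPv6)")
    return _parse_network(prefix, version)


def check_acl_address(ip: str, wildcard: Optional[str], version: int) -> Optional[str]:
    """ACL source/destination: with a wildcard the ip must be a bare address (the
    wildcard carries the mask); without one it is a bare host or a clean network."""
    if wildcard is not None:
        if "/" in ip:
            return f"Invalid format. '{ip}' must not include a CIDR prefix when wildcard is configured."
        return _parse_address(ip, version) or _parse_address(wildcard, version)
    if "/" in ip:
        err = _parse_network(ip, version)
        return f"{err} or use wildcard." if err else None
    return _parse_address(ip, version)


def validate_route_control(ext: Dict[str, Any]) -> List[str]:
    """Walk overlay_extensions and collect every rule-503-style finding."""
    errors: List[str] = []
    for key, version in (("ipv4_prefix_lists", 4), ("ipv6_prefix_lists", 6)):
        for plist in ext.get(key, []):
            for entry in plist.get("entries", []):
                err = check_prefix_entry(str(entry["prefix"]), version)
                if err:
                    errors.append(f"In IPv{version} Prefix-List: {plist['name']} {err}")
    for key, version in (("ipv4_access_lists", 4), ("ipv6_access_lists", 6)):
        for acl in ext.get(key, []):
            for entry in acl.get("entries", []):
                if "remark" in entry:  # remark lines carry no addresses
                    continue
                for side in ("source", "destination"):
                    endpoint = entry.get(side) or {}
                    if "ip" not in endpoint:  # e.g. 'any'-style endpoints
                        continue
                    err = check_acl_address(str(endpoint["ip"]), endpoint.get("wildcard"), version)
                    if err:
                        errors.append(f"In IPv{version} ACL: {acl['name']} {side} {err}")
    return errors


if __name__ == "__main__":
    for line in validate_route_control(SAMPLE_OVERLAY_EXTENSIONS):
        print("rule 503:", line)
```

Run against the constructed sample it reports five findings, the same five the three nac-validate runs above report: two for the prefix-list (missing CIDR length, host bits set), two for the IPv6 ACL (host bits set on both endpoints) and one for the IPv4 ACL (CIDR length combined with a wildcard). `strict=True` is the load-bearing argument: `ipaddress.ip_network` silently masks host bits otherwise, which is exactly the silent acceptance a validate role should refuse.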

rule 503 checks ip address in the validate role for:
* ipv4 and ipv6 prefix-lists
* ipv4 and ipv6 acls
ccoueffe self-assigned this Jun 6, 2025
ccoueffe added the 0.4.3 (Release 0.4.3) label Jun 10, 2025

Development

Successfully merging this pull request may close these issues:

  • Remove the use of ipaddr function in the jinja template for route control