Validations
Validations are grouped into features, each with its own sub-features that can be validated.
| Feature | Sub-feature | Description | Strict | IOS-XE | NXOS | ASA | WLC | Palo | Viptela |
|---|---|---|---|---|---|---|---|---|---|
| system | image | Software version | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| | mgmt_acl | Management ACLs | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| | module | Model & status (implicit) | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | sla | IP, RTT & status (implicit) | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| redundancy | ha_state | Local & peer state | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| | sw_stack | Switch, role, priority & state (implicit) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| neighbor | cdp | Neighbor name & port | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| | lldp | Neighbor name & port | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| intf_bonded | port-channel | Interface members (strict) & status (implicit) | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| | vpc | VPC status (implicit), port-channels & VLANs (strict) | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| interface | intf | Port speed, duplex, type & status (implicit) | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| | switchport | Switchport mode & VLANs | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | ip_brief | IP address & status (implicit) | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| layer2 | vlan | VLAN interfaces | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | stp_vlan | Per-VLAN interfaces STP state (implicit FWD) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| | mac_table | Total & per-VLAN MAC count | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| fhr | hsrp | Interface, priority & state | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| route_table | vrf | VRF interfaces | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | route_count | Per-VRF routing table subnet count | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| | route | Per-VRF route, type & next-hops (strict) | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| route_protocol | eigrp_intf_nbr | Interfaces, neighbors & state (implicit) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| | ospf_intf_nbr | Interfaces, neighbors & state (implicit) | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| | ospf_lsdb_count | Total LSAs per-OSPF process | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| | bgp_peer | BGP peer, ASN and received prefix count | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| fw | conn_count | Total firewall connections | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ |
| auth_session | mab_count | Total MAB Sessions | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| | dot1x_count | Total dot1x Sessions | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| evpn | nve_vni | NVE L3VNI/ VRF or L2VNI/ BDI & state (implicit) | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | nve_peer | NVE peers & state (implicit) | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| vpn | sts_peer | VPN peers & state (implicit) | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| | ac_user | AnyConnect users, group-policy & tunnel-group | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| | vpn_count | Total StS VPNs and/or AnyConnect users | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| wifi | wlan | WLAN ID, SSID, interface & status (implicit) | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| | ap | APs, model, IP & client count on each | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| | client_count | Total clients per-WLAN | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| | flexconnect | AP count per-flexconn groups | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| | intf_grp | Interfaces, WLANs & APs per-group | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| sdwan | omp_peer | OMP peer, site-ID, routes (R/I/S) & status (implicit) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| | control_conn | Neighbor system-IP, site-ID, color & state (implicit) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| | bfd_session | Neighbor system-IP, site-ID, color & state (implicit) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
General Behaviors
Strict: Strict validations (dictionary or list) must be an exact match, no more and no less (for example, exact BGP peers)
Integers (count): Any output that is a numerical value (route table summary, MAC count, BGP prefixes, etc.) can be:
An exact value (integer)
Less than a value (<15)
More than a value (>15)
Between a range (10<->20)
A tolerance percentage either side of a value (10%15)
Implicit (state): Expects a certain state (like interfaces being Up) rather than defining the state manually in the validation file
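The count forms listed above can be evaluated as in the following added example, which is not the tool's own code. The function names are hypothetical, and it assumes that range bounds are inclusive and that 10%15 means 10 percent either side of 15.

```python
import re

# Added example: hypothetical helper names, not the tool's own API.
_PATTERNS = [
    ("range", re.compile(r"^(\d+)<->(\d+)$")),
    ("tolerance", re.compile(r"^(\d+)%(\d+)$")),
    ("less", re.compile(r"^<(\d+)$")),
    ("more", re.compile(r"^>(\d+)$")),
    ("exact", re.compile(r"^(\d+)$")),
]


def parse_count(expected):
    """Turn an expected count (int or string form) into (kind, numbers)."""
    text = str(expected).replace(" ", "")
    for kind, pattern in _PATTERNS:
        match = pattern.match(text)
        if match:
            return kind, tuple(int(g) for g in match.groups())
    raise ValueError(f"unsupported count expression: {expected!r}")


def count_matches(expected, actual):
    """Return True if the device's actual count satisfies the expected form."""
    kind, nums = parse_count(expected)
    actual = int(actual)
    if kind == "exact":
        return actual == nums[0]
    if kind == "less":
        return actual < nums[0]
    if kind == "more":
        return actual > nums[0]
    if kind == "range":
        low, high = sorted(nums)
        return low <= actual <= high      # assumption: bounds are inclusive
    # tolerance: assumption that "10%15" means 10 percent either side of 15
    percent, value = nums
    margin = value * percent / 100
    return value - margin <= actual <= value + margin


# Constructed sample: expected values from a validation file vs. device output
SAMPLES = [(15, 15), ("<15", 15), (">15", 16), ("10<->20", 20), ("10%15", 17)]

if __name__ == "__main__":
    for expected, actual in SAMPLES:
        print(f"{expected!s:>8} vs {actual}: {count_matches(expected, actual)}")
```

An expression that fits none of the five forms raises ValueError, so a mistyped threshold fails the check instead of being skipped.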
Validation-specific details
Management ACL: Allowed addresses for SSH and HTTP on ASA, or the SSH and SNMP extended ACLs (not standard ACLs) on other platforms (assumes +10 for each seq number)
SLA: For Palo this is HA path-monitoring; for IOS-XE it is the SDWAN endpoint tracker and endpoint tracker-groups. The RTT is rounded up or down to the nearest integer (it can’t be a float) to allow for the use of lessthan, morethan, etc.
Module: Assumes an implicit status of ok; this can be overridden, such as for active or standby when validating NXOS supervisors
Interface: The speed and duplex do not need to be defined if a port doesn’t support these properties (like sub-interfaces)
Route table: The next-hop can be:
A single address
A strict list of multiple next-hops
An interface name for directly connected routes
OSPF: A dictionary of interfaces with an optional strict list of neighbors (RID) off each interface (expected to be FULL, doesn’t care about DR, BDR)
BGP: For duplicate peers across different address-families, the IPv4 address family entry is ignored and the other overlay address family is validated (EVPN, MPLS VPN, etc.)