Static routing table does not match across cluster members-linux-False

Tags: error, high-availability, false, linux

Vendor: linux

OS: False

Description:
Indeni will identify when two devices are part of a cluster and alert if their static routing tables are different.

Remediation Steps:
Ensure the static routing table matches across devices in a cluster.

How does this work?
By running the command "netstat -rn" the routes are retrieved.

Why is this important?
It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.

Without Indeni how would you find this?
An administrator could log in and manually run the command on each cluster member and compare the output.

linux-os-netstat_rn

#! META
name: linux-os-netstat_rn
description: Get routing table using "netstat -rn"
type: monitoring
monitoring_interval: 1 minute
requires:
    or:
        -
            linux-based: "true"
        -
            linux-busybox: "true"
    and:
        -
            vendor:
                neq: "checkpoint"
        -
            vendor:
                neq: "f5"

#! COMMENTS
static-routing-table:
    why: |
        It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.
    how: |
        By running the command "netstat -rn" the routes are retrieved.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        Listing static routes is only available from the command line interface or via SNMP.

connected-networks-table:
    why: |
        It is important that the connected interfaces are configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failure.
    how: |
        By running the command "netstat -rn" the routes are retrieved.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        Listing routes for directly connected interfaces is only available from the command line interface, or SNMP.

#! REMOTE::SSH
${nice-path} -n 15 netstat -rn

#! PARSER::AWK

# Function to calculate number of binary 1s in a decimal number
function count1s(N) {
	r = ""                    # initialize result to empty string (not 0)
	while(N != 0){            # as long as the number still has bits left
		r = ((N%2)?"1":"0") r   # prepend the lowest bit (N mod 2) to the binary string
		N = int(N/2)            # shift right (integer division by 2)
	}

	# gsub returns the number of replacements made, i.e. the number of 1 bits
	r = gsub(/1/,"",r)
	# Return the count
	return r
}


# Function to convert a subnetmask (example: 255.255.255.0) to subnet prefix (example: 24)
function subnetmaskToPrefix(subnetmask) {
	split(subnetmask, v, "\\.")
	prefix = count1s(v[1]) + count1s(v[2]) + count1s(v[3]) + count1s(v[4])
	return prefix
}


# Match only lines that start with a dotted-quad destination, e.g.:
# 10.11.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
# (the "Kernel IP routing table" and "Destination ..." header lines do not match)
/^([0-9]{1,3}\.){3}[0-9]{1,3}/ {
	destination = $1
	mask = $3
	subnetprefix = subnetmaskToPrefix(mask)
	flags = $4
	gateway = $2
	
	# If it's a directly connected network route (no next hop)
	if (gateway == "0.0.0.0") {
		iDirectRoute++
		
		directRoutes[iDirectRoute, "network"] = destination
		directRoutes[iDirectRoute, "mask"] = subnetprefix
	}

	# Otherwise it is a static route reached via a next hop
	if (gateway != "0.0.0.0") {
		iStaticRoute++
		
		staticRoutes[iStaticRoute, "network"] = destination
		staticRoutes[iStaticRoute, "mask"] = subnetprefix
		staticRoutes[iStaticRoute, "next-hop"] = gateway
	}
}

END {
	writeComplexMetricObjectArrayWithLiveConfig("static-routing-table", null, staticRoutes, "Static routes")
	writeComplexMetricObjectArrayWithLiveConfig("connected-networks-table", null, directRoutes, "Directly Connected Networks")
}

static_routing_table_comparison_non_vsx

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.common.data.conditions.{Equals => DataEquals}
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._

/**
  *
  */
case class static_routing_table_comparison_non_vsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "static_routing_table_comparison_non_vsx",
  ruleFriendlyName = "Clustered Devices (Non-VS): Static routing table does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their static routing tables are different.",
  metricName = "static-routing-table",
  isArray = true,
  metaCondition = !DataEquals("vsx", "true"),
  baseRemediationText = "Ensure the static routing table matches across devices in a cluster.",
  alertDescription = "Devices that are part of a cluster must have the same static routing tables. Review the differences below.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/pub/itzik-assaraf/2/870/1b5\">Itzik Assaraf</a> (Leumi Card)."
  )(
  ConditionalRemediationSteps.VENDOR_CP -> "Use the \"show configuration\" command in clish to compare the calls to \"set static-route\".",
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Execute the "show ip route static" command to display the static routes currently installed in the routing table.
      |2. Compare the static route configuration between the peer switches with the show run | i "ip route" command.
      |NOTE: The static routes configured on the peer switches may legitimately differ for orphan devices that do not need redundancy between the vPC peer switches.
      |3. For more information please review the following Cisco configuration guide:
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_route.html
    """.stripMargin
)
{override val deviceCondition = generateDevicePassiveAndPassiveLinkStateCondition(context.tsDao)}


case class static_routing_table_comparison_vsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "static_routing_table_comparison_vsx",
  ruleFriendlyName = "Clustered Devices (VS): Static routing table does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their static routing tables are different.",
  metricName = "static-routing-table",
  isArray = true,
  descriptionMetricTag = "vs.name",
  metaCondition = DataEquals("vsx", "true"),
  alertDescription = "Devices that are part of a cluster must have the same static routing tables. Review the differences below.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/pub/itzik-assaraf/2/870/1b5\">Itzik Assaraf</a> (Leumi Card).",
  baseRemediationText = "Ensure the static routing table matches across devices in a cluster.")(
  ConditionalRemediationSteps.VENDOR_CP -> "Use the \"show configuration\" command in clish to compare the calls to \"set static-route\".",
  ConditionalRemediationSteps.OS_NXOS ->
    """|
       |1. Execute the "show ip route static" command to display the static routes currently installed in the routing table.
       |2. Compare the static route configuration between the peer switches with the show run | i "ip route" command.
       |NOTE: The static routes configured on the peer switches may legitimately differ for orphan devices that do not need redundancy between the vPC peer switches.
       |3. For more information please review the following Cisco configuration guide:
       |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_route.html
    """.stripMargin
)
{override val deviceCondition = generateDevicePassiveAndPassiveLinkStateCondition(context.tsDao)}
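The AWK parser and the Scala comparison rule above are two halves of one pipeline: `netstat -rn` output is split into directly connected networks (gateway `0.0.0.0`) and static routes (real next hop), and the static table is then compared across cluster members. The Python below is an added illustration of both steps, not Indeni's collector or rule code. The two `netstat -rn` captures are constructed sample data, and the function names (`mask_to_prefix`, `parse_netstat_rn`, `compare_static_routes`) are this example's own. It goes slightly beyond the AWK parser in one respect: `count1s` sums set bits regardless of their position, so a malformed mask such as `255.0.255.0` would silently yield a prefix of 16, whereas `ipaddress` rejects non-contiguous masks.

```python
"""Parse `netstat -rn` from two cluster members and report static-route differences.
Added example; not Indeni's parser or rule code."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample output (not captured from a real host). Member B differs from A
# in the next hop of 192.168.50.0/24 and carries one extra static route.
MEMBER_A = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.11.1.1       0.0.0.0         UG        0 0          0 eth0
10.11.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.11.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.50.0    10.11.2.254     255.255.255.0   UG        0 0          0 eth1
"""
MEMBER_B = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.11.1.1       0.0.0.0         UG        0 0          0 eth0
10.11.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.11.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.50.0    10.11.2.253     255.255.255.0   UG        0 0          0 eth1
172.16.0.0      10.11.2.254     255.255.0.0     UG        0 0          0 eth1
"""

# Same idea as the AWK pattern: only lines beginning with a dotted-quad are routes.
IPV4_LINE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\s")

Route = Tuple[str, int, str]  # (network, prefix length, next hop or "" if connected)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Raises ValueError for a non-contiguous mask such as 255.0.255.0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}", strict=False).prefixlen


def parse_netstat_rn(text: str) -> Dict[str, List[Route]]:
    """Split routes into 'connected' (gateway 0.0.0.0) and 'static' (real next hop),
    mirroring the collector's two metrics."""
    connected: List[Route] = []
    static: List[Route] = []
    for line in text.splitlines():
        if not IPV4_LINE.match(line):
            continue  # header lines and anything else that is not a route
        fields = line.split()
        if len(fields) < 4:
            continue  # truncated line; skip rather than index past the end
        destination, gateway, mask = fields[0], fields[1], fields[2]
        prefix = mask_to_prefix(mask)
        if gateway == "0.0.0.0":
            connected.append((destination, prefix, ""))
        else:
            static.append((destination, prefix, gateway))
    return {"connected": connected, "static": static}


def compare_static_routes(a: str, b: str) -> Dict[str, List[Route]]:
    """Routes present on only one member. Order-insensitive: an empty result on both
    sides means the static tables match and no alert should be raised."""
    static_a = set(parse_netstat_rn(a)["static"])
    static_b = set(parse_netstat_rn(b)["static"])
    return {"only_on_a": sorted(static_a - static_b),
            "only_on_b": sorted(static_b - static_a)}


if __name__ == "__main__":
    diff = compare_static_routes(MEMBER_A, MEMBER_B)
    for side, routes in diff.items():
        for network, prefix, next_hop in routes:
            print(f"{side}: {network}/{prefix} via {next_hop}")
```

Comparing as sets of (network, prefix, next-hop) tuples means a differing next hop for the same prefix shows up as one entry on each side, which is exactly the case a failover would expose: the same destination is reachable on both members, but through different gateways.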