Cisco Bug: CSCvt49963 - ARP Req between EPGs in same BD redirected by SG without using Allow Any Ctrct

Last Modified

Oct 03, 2020

Products (24)

  • Cisco Nexus 9000 Series Switches
  • Cisco Nexus 9516 Switch
  • Cisco Nexus 9396PX Switch
  • Cisco Nexus 93108TC-FX Switch
  • Cisco Nexus 9396TX Switch
  • Cisco Nexus 93240YC-FX2 Switch
  • Cisco Nexus 93120TX Switch
  • Cisco Nexus 93108TC-EX Switch
  • Cisco Nexus 9372TX-E Switch
  • Cisco Nexus 9504 Switch

Known Affected Releases

14.2(3l)

Description (partial)

Symptom:
ARP requests between EPGs in the same bridge domain are being redirected by the service graph without using an Allow Any contract.

Conditions:
This issue occurs under the following conditions:

*   ACI Fabric running firmware release 4.2(3l)
*   The source and destination endpoints are located on the same leaf switches in the same bridge domain, but with different EPGs and different encap VLANs
*   Leaf switches are part of a vPC domain
*   The source endpoint that is sourcing the ARP request is on an orphan port, and the destination endpoint is on a vPC
*   The setup is a single-armed service graph PBR to unmanaged firewalls
     * "Single-armed" means there is a single service bridge domain
*   The contract used for redirection features two subjects:
     * One subject with an Ethertype IP all filter with redirection
     * One subject for Ethertype IP and IP Proto ICMP without redirection