Cisco Bug: CSCvt49963 - ARP Req between EPGs in same BD redirected by SG without using Allow Any Ctrct

Last Modified

Oct 03, 2020

Products (24)

  • Cisco Nexus 9000 Series Switches
  • Cisco Nexus 9516 Switch
  • Cisco Nexus 9396PX Switch
  • Cisco Nexus 93108TC-FX Switch
  • Cisco Nexus 9396TX Switch
  • Cisco Nexus 93240YC-FX2 Switch
  • Cisco Nexus 93120TX Switch
  • Cisco Nexus 93108TC-EX Switch
  • Cisco Nexus 9372TX-E Switch
  • Cisco Nexus 9504 Switch

Known Affected Releases


Description (partial)

ARP requests between EPGs in the same bridge domain are being redirected by the service graph without using an Allow Any contract.

This issue occurs under the following conditions:

*   ACI Fabric running firmware release 4.2(3l)
*   The source and destination endpoints are located on the same leaf switches in the same bridge domain, but with different EPGs and different encap VLANs
*   Leaf switches are part of a vPC domain
*   The source endpoint that is sourcing the ARP request is on an orphan port, and the destination endpoint is on a vPC
*   The setup is a single-armed service graph PBR to unmanaged firewalls
     * Single-armed meaning there is a single service bridge domain
*   The contract used for redirection features two subjects:
     * One subject with an Ethertype IP all filter with redirection
     * One subject for Ethertype IP and IP Proto ICMP without redirection