Cisco Bug: CSCvv93409 - [ACI Switch] Leaf ACLQOS TCAM move (reshuffle) happens within same batch

Last Modified

Oct 03, 2020

Products (1)

  • Cisco Nexus 9000 Series Switches

Known Affected Releases

14.2(4o)

Description (partial)

Symptom:
Traffic is unexpectedly dropped by contract enforcement because of a problem with the aclqos zoning rules. In the zoning-rule output below, a rule matching the traffic's source and destination pcTag/class is present and enabled, yet the traffic is confirmed to miss that rule and instead matches a different one, such as the implicit deny. Here the permit rule with priority 11 should be evaluated before the deny rule with priority 12 (the lower priority number wins), and because the permit rule uses the "default" filter, all traffic between this source and destination pcTag/class should match it.

ACI-Leaf# show zoning-rule scope 2000000 dst-epg 0 src-epg 10250
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |        Priority        |
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+
|  13000  | 10250  |   0    | default  | uni-dir | enabled | 2000000 |      |  permit  | shsrc_any_any_perm(11) |  <- Rule to permit traffic (Preferred priority)
|  13987  | 10250  |   0    | implicit | uni-dir | enabled | 2000000 |      | deny,log | shsrc_any_any_deny(12) |  <- Implicit deny
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+

Packets dropped by contract/policy enforcement can be seen on the ACI switch CLI with the command below. The output can be verbose, so it helps to grep (or otherwise filter) for the affected IP addresses.

    show logging ip access-list internal packet-log deny
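To make the comparison the symptom describes repeatable, the following Python script (an added example written for this page, not Cisco tooling) parses the "show zoning-rule" table shown above, picks the rule ACI should apply to a source/destination class pair (lowest priority number wins, as the symptom states), and flags any pair that the packet log shows as dropped even though the zoning-rule table resolves to a permit. The dropped class pairs are a constructed input standing in for what you would extract from "show logging ip access-list internal packet-log deny"; the script does not parse that command's output, and its exact-match lookup ignores wildcard classes and the other tie-breakers of the real rule resolver.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the 'show zoning-rule' table quoted in the bug
# symptom, including the trailing '<-' annotations, which the parser ignores.
ZONING_RULE_OUTPUT = """\
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |        Priority        |
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+
|  13000  | 10250  |   0    | default  | uni-dir | enabled | 2000000 |      |  permit  | shsrc_any_any_perm(11) |  <- Rule to permit traffic (Preferred priority)
|  13987  | 10250  |   0    | implicit | uni-dir | enabled | 2000000 |      | deny,log | shsrc_any_any_deny(12) |  <- Implicit deny
+---------+--------+--------+----------+---------+---------+---------+------+----------+------------------------+
"""

# Constructed: (source class, destination class) pairs a practitioner pulled out
# of the packet-log deny output for the affected IPs. The second pair has no
# rule in the table above, so the table cannot say anything about it.
DROPPED_CLASS_PAIRS = [(10250, 0), (10250, 49153)]

# Priority cell looks like 'shsrc_any_any_perm(11)': a name and a number.
PRIORITY_RE = re.compile(r"^(?P<name>[\w-]+)\((?P<num>\d+)\)$")


@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    src_epg: int
    dst_epg: int
    filter_id: str
    direction: str
    oper_state: str
    scope: int
    name: str
    action: str          # e.g. "permit" or "deny,log"
    priority_name: str   # e.g. "shsrc_any_any_perm"
    priority: int        # numeric part; the lower number is evaluated first


def parse_zoning_rules(text: str) -> List[ZoningRule]:
    """Parse the ASCII table printed by 'show zoning-rule' into ZoningRule records."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                  # '+----' border lines
        parts = line.split("|")
        cells = [c.strip() for c in parts[1:11]]      # ten columns; text after the last '|' is annotation
        if len(cells) != 10 or cells[0] == "Rule ID":
            continue                                  # header row or truncated line
        m = PRIORITY_RE.match(cells[9])
        if m is None:
            raise ValueError(f"unexpected priority cell: {cells[9]!r}")
        rules.append(ZoningRule(
            rule_id=int(cells[0]),
            src_epg=int(cells[1]),
            dst_epg=int(cells[2]),
            filter_id=cells[3],
            direction=cells[4],
            oper_state=cells[5],
            scope=int(cells[6]),
            name=cells[7],
            action=cells[8],
            priority_name=m.group("name"),
            priority=int(m.group("num")),
        ))
    return rules


def expected_rule(rules: List[ZoningRule], src_epg: int, dst_epg: int) -> Optional[ZoningRule]:
    """Rule the zoning table says should win for this class pair: enabled, exact
    class match, lowest priority number (rule ID breaks ties for determinism)."""
    candidates = [r for r in rules
                  if r.src_epg == src_epg and r.dst_epg == dst_epg and r.oper_state == "enabled"]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.priority, r.rule_id))


def find_tcam_mismatches(rules: List[ZoningRule],
                         dropped_pairs: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Class pairs the packet log shows as dropped although the zoning table resolves
    to a permit rule, i.e. the signature this bug describes. Returns (src, dst, rule_id)."""
    mismatches = []
    for src, dst in dropped_pairs:
        winner = expected_rule(rules, src, dst)
        if winner is not None and winner.action.split(",")[0] == "permit":
            mismatches.append((src, dst, winner.rule_id))
    return mismatches


if __name__ == "__main__":
    rules = parse_zoning_rules(ZONING_RULE_OUTPUT)
    for src, dst, rule_id in find_tcam_mismatches(rules, DROPPED_CLASS_PAIRS):
        print(f"class {src} -> {dst}: dropped in hardware but zoning rule {rule_id} permits it")
```

A pair reported by this script is exactly the situation in the symptom: the rule table (software state) says permit, the packet log (hardware forwarding) says deny. A pair with no matching rule is not flagged, because the table as queried tells you nothing about it; widen the "show zoning-rule" query before drawing conclusions.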

Conditions:
This is a very rare event caused by a race condition while rules are being installed. It has been observed following an ACI switch upgrade, but it is not limited to upgrade scenarios.