...
ACI Leaf sends ARP to a device (router, host, or any other type of IP device) in a directly connected subnet for L3OUT. (Note that ACI does not normally use ARP for regular endpoints.) After ARP is resolved for a L3OUT direct subnet, the ACI LEAF uses a special pcTag 1 for those IPs in the ARP table instead of the L3OUT EPG (l3extInstP) pcTag. pcTag is an identifier of each EPG, and contracts are applied based on the pcTag that represents the EPG. Because of this special reserved pcTag 1, traffic to/from a device in a L3OUT direct subnet may be able to communicate with other devices in ACI without a contract. Please refer to the Further Problem Description for the details.
Although a special reserved pcTag 1 is used for any IP in a L3OUT direct subnet, this is not a concern in most scenarios: subnets behind the direct subnet are not affected, and even for the direct subnet some conditions must be met for pcTag 1 to become an issue. Please refer to the Further Problem Description for the details.
It is recommended not to attach any devices other than the necessary router to directly connected subnets for L3OUT. Use an EPG for a device that does not provide a router or equivalent role. For routers or equivalent devices, a configuration workaround was implemented by this defect. This configuration workaround is available only on second generation LEAF switches such as N9K-C93180YC-EX.
1st generation LEAF: N9K-C9396PX etc.
2nd generation LEAF: N9K-C93180YC-EX, N9K-C93180YC-FX etc.
The configuration workaround is to configure an l3extSubnet for the L3OUT direct subnet under the L3OUT EPG (l3extInstP) with the import-security option ("External Subnets for the External EPG" flag in the APIC UI). This subnet cannot be 0.0.0.0/0. By doing this, L3OUT direct subnets follow the same behavior as other subnets in the L3OUT. This configuration workaround takes effect only on 2nd generation LEAF or later. No workaround is available for 1st generation LEAF.
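As an added audit check (not part of this bug description or of any Cisco tool), the following Python flags L3OUT direct subnets that lack the exact import-security l3extSubnet the workaround calls for. The APIC data is a constructed sample; the field names mirror the l3extRsPathL3OutAtt addr and l3extSubnet ip/scope attributes, and a real run would fill the same structure from an APIC query.

```python
import ipaddress

# Constructed sample shaped like the relevant parts of an APIC query for one
# L3OUT; names, paths and addresses are made up, not taken from a real fabric.
SAMPLE_L3OUT = {
    "name": "L3OUT-WAN",
    # l3extRsPathL3OutAtt: routed interfaces/SVIs; addr gives the direct subnet
    "interfaces": [
        {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]", "addr": "192.0.2.1/30"},
        {"tDn": "topology/pod-1/paths-102/pathep-[eth1/1]", "addr": "198.51.100.1/24"},
    ],
    # l3extInstP (L3OUT EPG) objects with their l3extSubnet children
    "epgs": [
        {"name": "WAN-EPG", "subnets": [
            {"ip": "0.0.0.0/0", "scope": "import-security"},
            {"ip": "192.0.2.0/30", "scope": "import-security,export-rtctrl"},
            {"ip": "198.51.100.0/24", "scope": "export-rtctrl"},
        ]},
    ],
}


def direct_subnets(l3out):
    """Subnets the LEAF is directly connected to through this L3OUT's interfaces."""
    return {ipaddress.ip_interface(i["addr"]).network for i in l3out["interfaces"]}


def protected_subnets(l3out):
    """l3extSubnet entries that carry import-security and are not 0.0.0.0/0 or ::/0,
    i.e. the ones that make the workaround take effect on a 2nd-gen LEAF."""
    protected = set()
    for epg in l3out["epgs"]:
        for s in epg["subnets"]:
            scopes = {x.strip() for x in s["scope"].split(",")}  # scope is comma-separated
            net = ipaddress.ip_network(s["ip"], strict=False)
            if "import-security" in scopes and net.prefixlen != 0:
                protected.add(net)
    return protected


def unprotected_direct_subnets(l3out):
    """Direct subnets with no matching import-security l3extSubnet: hosts in these
    still receive pcTag 1 after ARP resolution and are not subject to contracts."""
    return sorted(str(n) for n in direct_subnets(l3out) - protected_subnets(l3out))


if __name__ == "__main__":
    for net in unprotected_direct_subnets(SAMPLE_L3OUT):
        print(f"{SAMPLE_L3OUT['name']}: direct subnet {net} lacks an import-security l3extSubnet")
```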
In ACI, a contract is applied based on the pcTag of each EPG. An External Network Instance Profile (L3OUT EPG) under External Routed Networks (L3OUT) has a pcTag as its identifier, just like normal EPGs under Application Profiles. Normally, the subnets configured under a L3OUT EPG with External Subnets for the External EPG (= import-security) use the pcTag of that L3OUT EPG. There is one exception to this L3OUT subnet and pcTag behavior. If the subnet is a L3OUT directly connected subnet, the ACI LEAF can resolve ARP for a host IP (/32) within this subnet, which installs the reserved pcTag 1 for that host IP instead of the pcTag of the L3OUT EPG. When this reserved pcTag 1 is used, no contracts are applied to the traffic. The behavior without the workaround is slightly different between LEAF generations. The following is an example of some scenarios for each generation of LEAF. In this example, there is no contract between X and l3out, so a contract drop would be expected unless the pcTag 1 exception applies.
=== 1st gen LEAF ===
Across 2 LEAFs:
--- contract drop: X to l3out, l3out to X
--- no contract drop: (none)
Same LEAF:
--- contract drop: l3out to X
--- no contract drop: X to l3out
=== 2nd gen LEAF ===
Across 2 LEAFs (VRF policy enforcement Egress):
--- contract drop: (none)
--- no contract drop: X to l3out, l3out to X
Across 2 LEAFs (VRF policy enforcement Ingress):
--- contract drop: X to l3out
--- no contract drop: l3out to X
Same LEAF:
--- contract drop: (none)
--- no contract drop: X to l3out, l3out to X