Symptom
VXLAN-encapsulated traffic flooded in the overlay network, after arriving at a Fabric Edge via the L3 fabric-facing interface with MACsec enabled, is "bridged" instead of "routed". As a consequence, the traffic is dropped and does not trigger (S,G) creation.
Decision:
Destination Index : 0 [DI_NULL]
Rewrite Index : 3 [RI_MCAST_BRIDGE_V4]
Dest Mod Index : 1 [IGR_FIXED_DMI_DROP_FORWARDING_CONTEXT]
CPU Map Index : 0 [CMI_NULL]
Forwarding Mode : 0 [Bridging] <<<<<----
Replication Bit Map : []
Winner : IPV4MCASTBRIDGESTARG LOOKUP
FE#show platform hardware fed switch active fwd-asic drops exceptions asic 0 | ex 0 0 0
****EXCEPTION STATS ASIC INSTANCE 0 (asic/core 0/0)****
=================================================================================
Asic/core | NAME | prev | current | delta
=================================================================================
0 0 DENY_BRIDGE 1644344904 1644345387 483 <<<<<<<<----- this counter is increasing
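One way to confirm the symptom from two captures of the command above, as an added example that is not part of the original bug note. It assumes whitespace-separated columns in the order shown (asic, core, NAME, prev, current, delta); the second snapshot is constructed sample data.

```python
import re

# Row layout taken from the output above: asic, core, NAME, prev, current, delta.
# Anything after the delta column (such as a hand-written "<<<<" note) is ignored.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([A-Z0-9_]+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_exceptions(text):
    """Return {(asic, core, name): (prev, current, delta)} for each counter row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            asic, core, name, prev, cur, delta = m.groups()
            rows[(int(asic), int(core), name)] = (int(prev), int(cur), int(delta))
    return rows

def rising(first, second, name="DENY_BRIDGE"):
    """Compare two snapshots; return [(asic, core, increase)] where `name` grew."""
    a, b = parse_exceptions(first), parse_exceptions(second)
    hits = []
    for key, (_, cur, _) in sorted(b.items()):
        if key[2] != name or key not in a:
            continue  # different counter, or not present in the first capture
        grown = cur - a[key][1]
        if grown > 0:  # a cleared counter gives grown <= 0 and is not reported
            hits.append((key[0], key[1], grown))
    return hits

# First capture: the row shown in this bug note, annotation included.
SNAPSHOT_1 = """\
****EXCEPTION STATS ASIC INSTANCE 0 (asic/core 0/0)****
Asic/core | NAME | prev | current | delta
0 0 DENY_BRIDGE 1644344904 1644345387 483 <<<<<<<<----- this counter is increasing
"""
# Second capture: constructed values for illustration, not taken from a device.
SNAPSHOT_2 = """\
****EXCEPTION STATS ASIC INSTANCE 0 (asic/core 0/0)****
Asic/core | NAME | prev | current | delta
0 0 DENY_BRIDGE 1644345387 1644345900 513
"""

if __name__ == "__main__":
    for asic, core, grown in rising(SNAPSHOT_1, SNAPSHOT_2):
        print(f"asic {asic} core {core}: DENY_BRIDGE grew by {grown} between captures")
```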
Conditions
SDA Fabric Edge with multicast flooding in the L2-only VN and MACsec enabled on the fabric uplinks.
Workaround
Disable MACsec on the uplink interfaces.