...
1. The endpoint is getting tagged with the incorrect Encap VLAN.

    leaf-101# show endpoint int eth1/39
    Legend:
     S - static           s - arp              L - local            O - peer-attached
     V - vpc-attached     a - local-aged       p - peer-aged        M - span
     B - bounce           H - vtep             R - peer-attached-rl D - bounce-to-proxy
     E - shared-service   m - svc-mgr
    +-----------------------------------+---------------+-----------------+--------------+-------------+
          VLAN/                           Encap           MAC Address       MAC Info/       Interface
          Domain                          VLAN            IP Address        IP Info
    +-----------------------------------+---------------+-----------------+--------------+-------------+
    3/tenant1:vrf1                        ***vlan-707***  aaaa.bbbb.cccc    L               eth1/39

2. AAEP aaep-policy-name is associated to eth1/39 under Access Policies.
3. AAEP aaep-policy-name binds EPG-VLAN203 with VLAN 203 as Access (Untagged).
4. After upgrading the leaf node from 5.2.4 to 6.0.2h, VLAN-707 is seen using the same port 1/39 as well.

    leaf-101# show vlan extended
     VLAN Name                             Encap            Ports
     ---- -------------------------------- ---------------- ------------------------
     ...
     2    tenant1:bd_vlan707               vxlan-14778357   Eth1/39
     3    tenant1:lap:epg_vlan707          vlan-707         Eth1/39 <<<<<<<

5. Both VLANs 203 and 707 are programmed on eth1/39 on node-101 on eltmc. Only VLAN 203 should be programmed here.

    module-1# show system internal eltmc info interface ethernet 1/39
    ...
    IfInfo:
    interface: Ethernet1/39 ::: ifindex: 0x1a026000
    iod: 71 ::: state: up
    hw_bd_idx: 0 ::: hw_epg_idx: 0
    Infra_bd_Index: 0 ::: vlan_Scope: 0
    svp: 225 ::: Is External: Regular
    Portgroup_ID: 1 ::: Mpls_En: False
    Is Spine Mpod B2b: 0
    Is ACI POAP en : 0
    Is MCPStrictMode en : 0
    Mod: 0 ::: Port: 36
    port_layer: L2 ::: fabric_port: 0
    port_mode: trunk ::: native_vlan_id: 3
    Dtag_mode: FALSE ::: dot1x_shm_valid: 0
    speed: 1000
    Storm Ctrl Info:
    Unicast:
    Type: Percent
    Stm_rate: 10.000000 ::: Stm_burst: 10.000000
    storm_action: 0 ::: soak_count: 3
    Broadcast:
    Type: Percent
    Stm_rate: 10.000000 ::: Stm_burst: 10.000000
    storm_action: 0 ::: soak_count: 3
    Multicast:
    Type: Percent
    Stm_rate: 100.000000 ::: Stm_burst: 100.000000
    storm_action: 0 ::: soak_count: 3
    vlan_bmp: 2-3,15-16
    vlan_bmp_count: 4
    acc_vlan_bmp: 203,707 <<<<<<<<<
    acc_vlan_bmp_count: 2
    scope(0: Global, 1: Local): 0
    is_reflective_relay_en: 1

1. The original AAEP aaep-vlan561 under policy group X is attached on port eth1/22.
2. Under the Interface Selector for 1/22, the attached policy group is changed from Policy Group X (with the original aaep-vlan561) to policy group Y (with aaep-vlan9).
3. The new VLAN-9 gets deployed on port eth1/22.
4. The changes are reverted to the original policy group X with AAEP aaep-vlan561 on eth1/22 on the Interface Policy group.
5. The leaf switch gets stuck on eth1/22 with the old VLAN-9 but still has VLAN-561 programmed.
6. The endpoint gets stuck with the old VLAN-9.

Thus the condition is changing from policy group X to Y. A change from aaep-vlan561 to aaep-vlan9 under the same policy group (say X) will not hit this issue.

1. Run moquery for the l2RsPathDomAtt class object on the APIC.
2. Look for the stale DNs that handle the association of the incorrect VLAN-9 and incorrect BD bd-[vxlan-14909412] to node X (1158) on port Y (1/22).

    apic01# moquery -c l2RsPathDomAtt | grep "1158.*1/22"
    dn : topology/pod-1/node-1158/sys/ctx-[vxlan-2752512]/bd-[vxlan-14909412]/rspathDomAtt-[topology/pod-1/node-1158/sys/conng/path-[eth1/22]] <<<
    dn : topology/pod-1/node-1158/sys/ctx-[vxlan-2752512]/bd-[vxlan-14909412]/vlan-[vlan-9]/rspathDomAtt-[topology/pod-1/node-1158/sys/conng/path-[eth1/22]] <<<<
    dn : topology/pod-1/node-1158/sys/ctx-[vxlan-2752512]/bd-[vxlan-14903573]/rspathDomAtt-[topology/pod-1/node-1158/sys/conng/path-[eth1/22]]
    dn : topology/pod-1/node-1158/sys/ctx-[vxlan-2752512]/bd-[vxlan-14903573]/vlan-[vlan-561]/rspathDomAtt-[topology/pod-1/node-1158/sys/conng/path-[eth1/22]]

3. Enter the APIC as the root user and execute the following command:

    enable_testapi 3600

4. Exit the root user.
5. Delete the objects with the icurl command:

    icurl -sX POST http://127.0.0.1:7777/testapi/mo/.xml -d ""
    icurl -sX POST http://127.0.0.1:7777/testapi/mo/.xml -d ""

6. A clean reload might be needed on the leaf switch if port eth1/X was configured for POE devices.
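
The stale-DN search in steps 1 and 2, as an added Python example that is not part of the original bug note: it parses `moquery -c l2RsPathDomAtt` output and lists the path bindings on one node and port whose encap VLAN is not expected, plus the BD-level object when no expected VLAN under that BD remains on the port. The function name `find_stale_bindings` and the expected-VLAN set are assumptions for illustration; the first four sample DNs are the ones shown in step 2 and the eth1/23 line is constructed.

```python
import re
from collections import defaultdict

# DN layout of l2RsPathDomAtt objects, as seen in the moquery output above.
DN_RE = re.compile(
    r"topology/pod-\d+/node-(?P<node>\d+)/sys/ctx-\[(?P<ctx>[^\]]+)\]"
    r"/bd-\[(?P<bd>[^\]]+)\](?:/vlan-\[(?P<vlan>[^\]]+)\])?"
    r"/rspathDomAtt-\[topology/pod-\d+/node-\d+/sys/conng/path-\[(?P<port>[^\]]+)\]\]"
)

def find_stale_bindings(moquery_text, node, port, expected_encaps):
    """List DNs on node/port bound to an unexpected encap VLAN, plus the BD-level
    DN when every VLAN under that BD on the port is unexpected."""
    by_bd = defaultdict(lambda: {"bd_dn": None, "vlans": []})
    for m in DN_RE.finditer(moquery_text):
        if m["node"] != str(node) or m["port"] != port:
            continue  # binding belongs to another node or interface
        entry = by_bd[(m["ctx"], m["bd"])]
        if m["vlan"] is None:
            entry["bd_dn"] = m.group(0)
        else:
            entry["vlans"].append((m["vlan"], m.group(0)))
    stale = []
    for entry in by_bd.values():
        bad = [dn for encap, dn in entry["vlans"] if encap not in expected_encaps]
        # Flag the BD-level object only when no expected VLAN still uses that BD.
        if bad and len(bad) == len(entry["vlans"]) and entry["bd_dn"]:
            stale.append(entry["bd_dn"])
        stale.extend(bad)
    return stale

P = "topology/pod-1/node-1158/sys"
# First four DNs are the ones from the moquery output above; the last one
# (eth1/23) is constructed to show that other ports are not flagged.
SAMPLE = "\n".join(
    f"dn : {P}/ctx-[vxlan-2752512]/{mid}/rspathDomAtt-[{P}/conng/path-[{port}]]"
    for mid, port in [
        ("bd-[vxlan-14909412]", "eth1/22"),
        ("bd-[vxlan-14909412]/vlan-[vlan-9]", "eth1/22"),
        ("bd-[vxlan-14903573]", "eth1/22"),
        ("bd-[vxlan-14903573]/vlan-[vlan-561]", "eth1/22"),
        ("bd-[vxlan-14909412]/vlan-[vlan-9]", "eth1/23"),
    ])

if __name__ == "__main__":
    for dn in find_stale_bindings(SAMPLE, 1158, "eth1/22", {"vlan-561"}):
        print("stale:", dn)
```

The returned DNs are candidates to compare against the intended AAEP configuration before any object is deleted.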