Symptom
In SD-Access Fabric, when using L2 Only VLANs or any subnets within the same Virtual Network, assigning the same IP address to endpoints in different VLANs with different source MAC addresses causes traffic failures: ARP resolution does not complete because the ARP Reply is dropped.
For example (in the same Virtual Network):
- Endpoint A in VLAN 111 with IP address 192.168.1.1 from MAC address aaaa.aaaa.aaaa
- Endpoint B in VLAN 222 with IP address 192.168.1.1 from MAC address bbbb.bbbb.bbbb
Traffic will only work to/from one endpoint at a time. The working endpoint will be whichever was entered first in the IP Device Tracking database (which can be checked using show device-tracking database address ip_address).
Conditions
This is observed in SD-Access Edge nodes running IOS XE version 17.4.x and above.
Workaround
Changing the IP Device Tracking policy (or creating a new one) on the interface where the endpoint is located to "security-level glean" prevents SISF from verifying the binding against the IP Device Tracking database, which is the check that causes the ARP Replies to be dropped.
It is important to note that moving the interface(s) away from "security-level guard" means the interface(s) attached to the IPDT policy will no longer be protected by duplication / theft / spoofing (MAC or IP) detection and prevention. Take this into consideration when evaluating whether this workaround is acceptable in your environment.
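The following IOS XE configuration is an added illustration of the workaround described above, not configuration taken from this bug report or from DNA Center. The policy name IPDT_GLEAN_POLICY and the interface GigabitEthernet1/0/1 are assumed values; substitute the policy and interface actually in use on the affected edge node.

```cisco
! Define (or modify) the IPDT policy for the affected access port.
! "security-level glean" learns bindings without enforcing them, so
! SISF no longer drops the ARP Reply of the second IP/MAC binding.
device-tracking policy IPDT_GLEAN_POLICY
 security-level glean
 tracking enable
!
! Attach the policy to the interface where the affected endpoint is located.
interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_GLEAN_POLICY
!
! Verification (exec mode): confirm the policy level and that both
! bindings for the shared IP now appear in the IPDT database.
! show device-tracking policy IPDT_GLEAN_POLICY
! show device-tracking database address 192.168.1.1
```

Because "glean" disables the guard-level checks, the interface loses IP and MAC spoofing protection, as noted above; keep "security-level guard" on any interface that does not require this workaround.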
Further Problem Description
Note that this scenario is different from the IP Aliasing or Bridge Mode feature available in DNA Center version 2.3.5 and above. IP Aliasing/Bridge Mode refers to assigning multiple IPv4 addresses to one MAC address; this defect refers to multiple MAC addresses sharing one IPv4 address.