...
In SD-Access Fabric, using L2 Only VLANs or any subnet within the same Virtual Network, reusing the same IP address on endpoints in different VLANs (with different source MAC addresses) causes traffic failures: ARP resolution does not complete because the ARP Reply is dropped. For example (in the same Virtual Network):
- Endpoint A in VLAN 111 with IP address 192.168.1.1 from MAC address aaaa.aaaa.aaaa
- Endpoint B in VLAN 222 with IP address 192.168.1.1 from MAC address bbbb.bbbb.bbbb
Traffic only works to/from one of the two endpoints at a time. The working endpoint is whichever was entered first in the IP Device Tracking database (which can be checked with show device-tracking database address ip_address).
This is observed in SD-Access Edge nodes running IOS XE version 17.4.x and above.
Changing the IP Device Tracking policy (or creating a new one) attached to the interface where the endpoint is located to "security-level glean" stops SISF (Switch Integrated Security Features) from validating the new binding against the existing IP Device Tracking database entry; it is that validation that causes the ARP Replies to be dropped. It is important to note that moving an interface off "security-level guard" means the interface(s) attached to that IPDT policy are no longer protected by duplicate-address, address-theft or spoofing (MAC or IP) detection and prevention. Take this into consideration when evaluating whether this workaround is acceptable in your environment.
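The following IOS XE CLI sequence is an added example of applying the workaround narrowly, not configuration taken from the bug page or from Cisco. It checks which endpoint currently owns the binding, then attaches a separate glean-level policy to only the affected access port instead of editing the fabric-wide policy. The policy names (IPDT_MAX_10, IPDT_GLEAN_WORKAROUND), the interface GigabitEthernet1/0/10 and the address 192.168.1.1 are assumptions for illustration.

```ios
! Added example (not from the bug page or Cisco documentation): scope the
! "security-level glean" workaround to a single edge port. Policy names,
! interface and IP address are assumed for illustration.
!
! 1. Find out which of the two endpoints currently owns the binding.
!    Only the first-learned (IP, MAC, VLAN) entry is present; the other
!    endpoint's ARP Replies are being dropped by SISF.
show device-tracking database address 192.168.1.1
!
! 2. Inspect the policy currently attached to the edge port. IPDT_MAX_10
!    is assumed here as the provisioned policy name; it uses the default
!    security-level guard, which performs the binding check.
show device-tracking policy IPDT_MAX_10
!
! 3. Create a separate policy rather than editing the provisioned one,
!    so the reduced security level applies only where it is needed.
configure terminal
 device-tracking policy IPDT_GLEAN_WORKAROUND
  security-level glean
  tracking enable
  limit address-count 10
 exit
!
! 4. Attach it only to the access port(s) hosting the affected endpoints.
!    Every other port keeps the guard-level policy and its protections.
 interface GigabitEthernet1/0/10
  device-tracking attach-policy IPDT_GLEAN_WORKAROUND
 exit
end
!
! 5. Verify the policy took effect and that the binding for the endpoint
!    on this port is now learned alongside the other VLAN's entry.
show device-tracking policy IPDT_GLEAN_WORKAROUND
show device-tracking database address 192.168.1.1
```

Keep the glean policy confined to the ports that actually need it: the interface loses MAC/IP theft and spoofing enforcement, so the smaller the scope the smaller the exposure. A manual per-interface change like this is also outside what DNA Center provisioned, so re-check the attached policy after any re-provisioning of the edge node.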
Note that this scenario is different from the IP Aliasing or Bridge Mode feature available on DNA Center version 2.3.5 and above. IP Aliasing/Bridge Mode covers multiple IPv4 addresses assigned to one MAC address; this defect concerns multiple MAC addresses using one IPv4 address.