
NewValidation: CSCwi17652 check for service-ep flag #294

@rg5147

Description

  1. Version check between 5.2.5c/6.0.1g and 16.0.8e/6.1.1f.

What needs to be validated

  1. Config validation:

This is related to the fix made under https://cdetsng.cisco.com/summary/#/defect/CSCwi17652

Between 5.2.5c/6.0.1g and 16.0.8e/6.1.1f, as part of the fix tied to a different bug (CSCwb17734), the service-ep flag is set on the service EPG (vlanCktEp) even when PBR is not enabled.

	moquery -c vlan.CktEp -f 'vlan.CktEp.encap=="vlan-65"'
	# vlan.CktEp
	encap                    : vlan-65
	adminSt                  : active
	allowUsegUnsupported     : 0
	childAction              :
	classPrefOperSt          : encap
	ctrl                     : policy-enforced,service-ep
	name                     : GZ-Test-DC-Tenant:DC-LBctxGZ-Test-DC-VRF:LB_Outside:

When a customer upgrades to a version >= 16.0.8e/6.1.1f, the service-ep flag gets removed for the specific service EPG (vlanCktEp).

	SV-40G-Leaf211# moquery -c vlan.CktEp -f 'vlan.CktEp.encap=="vlan-93"'
	Total Objects shown: 1

	# vlan.CktEp
	encap                    : vlan-93
	adminSt                  : active
	allowUsegUnsupported     : 0
	childAction              :
	classPrefOperSt          : encap
	ctrl                     : policy-enforced
	epgDn                    : uni/tn-CIB/LDevInst-[uni/tn-CIB/lDevVip-Prod-SV-LB]-ctx-DC-VRF/G-Prod-SV-LBctxDC-VRF-N-Prod-LB-Out_BD-C-Prod-SV-LB-Out

This may affect working service graphs which use the service EPG (vlanCktEp) and have a valid PBR config.

The R comments for CSCwi17652 have the fix details that resulted in the removal of the service-ep flag.
Problem:
The service-ep flag is set on the vlanCktEp of a service EPG when PBR is not enabled.
This leads to the DL bit being set on traffic coming from the service device, and hence more BUM traffic on the customer network.

RCA:
- This is due to a regression caused by the fix for "CSCwb17734 Lafayeete 16.0.0.76 has traffic failure 30 % drop in s1-leaf2 due to SECURITY_GROUP_DENY" in 5.2.
- https://aci-gerrit.cisco.com:8443/c/mgmt/+/246518
	- The commit sets the service-ep knob on vlanCktEp during EthIfBI::configureIfConn() -> vlan::CktEpBI::configure()
	- But we are not checking if EPpRedirPol (PBR) is present. This leads to service-ep being set even when there is no PBR.

Fix:
- In CktEpBI::postExplicitCb(), we are handling the service-ep setting during vlanCktEp create, modify and delete.
  So ideally we need not set the service-ep flag in vlanCktEp's factory. So the fix for CSCwb17734 was removed.

Why it needs to be validated

When a customer upgrades to a version >= 16.0.8e/6.1.1f, the service-ep flag gets removed for the specific service EPG vlanCktEp.
This may affect working service graphs.
A warning of failure would help the customer look into their L4-L7 config and identify whether the PBR config is complete.
TAC should also account for unidirectional PBR config before suggesting any recommendations.

How to detect this issue

See attachment
service-ep flag.txt
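The two pieces the issue asks for (a version-range check and a config check for the service-ep flag on vlan.CktEp) as one added Python example. This is not code from the issue or from the validation project: the moquery sample, the epgDn values and the pbr_epg_dns input are constructed, the version parser assumes the 5.2(5c) and 5.2.5c spellings, only the APIC-side boundaries quoted in the issue (5.2.5c, 6.0.1g, 6.1.1f) are used, and the switch-side 16.0.8e bound is not mapped.

```python
"""Added example (not code from the issue or the validation project).

Parses the moquery output format shown in the issue, flags vlan.CktEp objects that carry the
'service-ep' ctrl flag, and checks whether an APIC upgrade crosses the fix boundary given in
the issue text. The sample output, the epgDn values and the pbr_epg_dns input are constructed.
"""
import re

# Constructed sample in the format of the leaf 'moquery -c vlan.CktEp' output quoted in the issue.
SAMPLE_MOQUERY = """\
Total Objects shown: 2

# vlan.CktEp
encap                    : vlan-65
adminSt                  : active
ctrl                     : policy-enforced,service-ep
epgDn                    : uni/tn-T1/LDevInst-[uni/tn-T1/lDevVip-LB]-ctx-VRF1/G-LB-ctxVRF1-N-Out-C-Out
name                     : T1:LBctxVRF1:Out:

# vlan.CktEp
encap                    : vlan-70
adminSt                  : active
ctrl                     : policy-enforced
epgDn                    : uni/tn-T1/ap-AP1/epg-Web
name                     : T1:AP1:Web:
"""

# ACI version strings in either '5.2(5c)' or '5.2.5c' form (assumption: both spellings occur).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)[.(](\d+)([a-z]?)\)?$")

# Boundaries quoted in the issue, APIC-side only. The switch-side 16.0.8e bound is not mapped here.
REGRESSION_START_52 = (5, 2, 5, "c")   # 5.2 train: regression introduced in 5.2(5c)
REGRESSION_START_60 = (6, 0, 1, "g")   # 6.0 train: regression introduced in 6.0(1g)
FIX_VERSION = (6, 1, 1, "f")           # service-ep no longer set without PBR from 6.1(1f)


def parse_version(text):
    """'6.1(1f)' or '6.1.1f' -> (6, 1, 1, 'f'); tuples compare in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ACI version: %r" % text)
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), patch)


def has_regression(version):
    """True if the version is in the range the issue describes as setting service-ep without PBR."""
    v = parse_version(version)
    if v[:2] == (5, 2):
        return v >= REGRESSION_START_52
    return REGRESSION_START_60 <= v < FIX_VERSION


def upgrade_crosses_fix(current, target):
    """True when moving from an affected version to one >= 6.1(1f), i.e. service-ep may disappear."""
    return has_regression(current) and parse_version(target) >= FIX_VERSION


def parse_moquery(text):
    """Split moquery text into one dict per '# class' block; 'Total Objects shown' is skipped."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("# "):
            current = {"class": line[2:].strip()}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon separates attribute from value
            current[key.strip()] = value.strip()
    return objects


def service_ep_ckt_eps(objects):
    """vlan.CktEp objects whose comma-separated ctrl list contains 'service-ep'."""
    return [o for o in objects
            if o.get("class") == "vlan.CktEp"
            and "service-ep" in o.get("ctrl", "").split(",")]


def check_service_ep(moquery_text, pbr_epg_dns):
    """Report each service-ep vlanCktEp and whether its EPG is known to carry a PBR policy.

    pbr_epg_dns is a set of epgDn strings the operator has confirmed have a redirect policy
    (assumption: gathered separately, since vlan.CktEp itself does not show PBR presence).
    """
    report = []
    for o in service_ep_ckt_eps(parse_moquery(moquery_text)):
        report.append({
            "encap": o.get("encap", ""),
            "epgDn": o.get("epgDn", ""),
            "pbr_configured": o.get("epgDn") in pbr_epg_dns,
        })
    return report


if __name__ == "__main__":
    for entry in check_service_ep(SAMPLE_MOQUERY, set()):
        status = "ok" if entry["pbr_configured"] else "WARN: service-ep set but no PBR known"
        print(entry["encap"], entry["epgDn"], status)
    print("upgrade 6.0(1g) -> 6.1(1f) crosses fix:", upgrade_crosses_fix("6.0(1g)", "6.1(1f)"))
```

An entry with `pbr_configured` False is the case the issue is about: the flag is present only because of the CSCwb17734 regression and will disappear after the upgrade, so the L4-L7 config for that EPG should be reviewed (including unidirectional PBR) before a recommendation is made.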
