Tenant Leaks in Partial Rollback Scenarios
Introduction
A tenant leak occurs when traffic that should be confined to a specific logical tenant (VRF, VPN, or security zone) is inadvertently allowed to traverse into another tenant’s forwarding domain. In Ethernet‑VPN (EVPN) fabrics with MP‑BGP control plane, isolation is enforced primarily by route‑targets (RTs) and filtering constraints (import/export policies or route‑maps).
A leak is partial when the misconfiguration is isolated to a subset of devices (e.g., a single leaf switch) while the rest of the fabric remains correctly programmed. The control plane continues to converge, so the underlay and overlay stay operational, but the data‑plane forwarding decision on the affected leaf deviates from the intended policy, allowing packets to cross tenant boundaries.
Common Causes
| Cause | Description | Typical Symptom |
|---|---|---|
| Missing RT on leaf | Leaf does not advertise or import the RT that marks a tenant’s routes. | Routes appear in the wrong VRF table; traffic forwarded based on longest‑prefix match without RT check. |
| Incorrect filtering constraint | Import/export route‑map or prefix‑list absent or overly permissive. | Routes that should be filtered are installed, causing cross‑tenant reachability. |
| Partial rollback | Configuration change (e.g., RT addition) applied to only a subset of leaves due to failed commit, staged rollout, or mis‑applied patch. | Only the non‑updated leaf exhibits leak behavior; other leaves enforce correctly. |
| Human error in policy‑as‑code | Templated variables (e.g., {{ tenant_id }}) not resolved for a specific node. | Rendered config differs from intended state on that node only. |
| Software bug in RT handling | Leaf’s forwarding ASIC fails to apply RT check under certain conditions (e.g., ECMP load‑balancing). | Leak appears only for certain flow hashes. |
Understanding Route‑Targets and Filtering Constraints
Route‑Target Fundamentals
In EVPN, a route‑target is an extended community attached to BGP NLRI that signals which VRF should import or export the route.
- Export RT: When a PE (or leaf) originates a route for a local prefix, it attaches one or more export RTs.
- Import RT: A VRF is configured with a list of import RTs; any BGP route carrying a matching RT is imported into that VRF’s routing table.
Mathematically:
if (route.RT ∩ VRF.import_RTs ≠ ∅) then install route in VRF
RTs travel as an optional transitive BGP attribute; they do not affect underlay forwarding. The data‑plane enforcement occurs when the forwarding ASIC first derives the VRF context from the incoming interface/VLAN, then performs a longest‑prefix match (LPM) within that VRF’s FIB. If a route was incorrectly imported due to a missing or wrong RT, the packet is forwarded using that VRF’s FIB, potentially reaching a destination belonging to another tenant.
Filtering Constraint Basics
Filtering constraints are policy mechanisms applied at the BGP import/export stage to further restrict which routes are accepted based on criteria beyond RT matching (e.g., IP prefix, MAC address, VNI, or route‑type). Common implementations:
- Route‑maps with
match ip address prefix-list/match mac-liststatements. - Import/export policies defined in the VRF configuration (
import map,export map). - EVPN‑specific constraints such as
vni-onlyorencap-typechecks.
A filtering constraint can be whitelisting (only allow matching routes) or blacklisting (deny matching routes). Evaluation order is deterministic:
- RT match (mandatory for EVPN routes).
- If RT matches, evaluate import/export route‑map (if present).
- If the route‑map returns
permit, the route is installed; otherwise, it is dropped.
If a leaf lacks an import map that should deny a certain prefix, the RT check alone may permit the route, leading to a leak.
Interaction Between Route‑Targets and Filtering Constraints
Install(route) = RT_match(route) AND (Filter(route) == permit OR no Filter configured)
- Both present: filter refines the RT‑based import.
- Only RT present: any route with a matching RT is imported unconditionally.
- Only filter present (no RT): filter is ineffective for EVPN because RT match is a prerequisite; the route is dropped before filter evaluation.
Thus, a missing RT is a hard failure (route never matches any VRF), whereas a missing or overly permissive filter is a soft failure (route matches RT but should have been blocked). In a partial rollback scenario, the leaf may have correct RTs but lack the intended filter, or vice‑versa, creating a leak that does not break overall BGP convergence but violates segmentation.
Identifying Partial Rollback Scenarios
Symptoms
| Symptom | Observation | Likely Root Cause |
|---|---|---|
| Intermittent tenant‑to‑tenant reachability | Ping/trace from host A (tenant X) to host B (tenant Y) succeeds only when the flow hashes through leaf L₁, fails when hashed through leaf L₂. | Leaf L₁ missing filter/RT; L₂ correct. |
BGP show ip bgp vpnv4 vrf X | Routes present in VRF X on leaf L₁ that have RT Y (belonging to tenant Y) but are absent on other leaves. | Import RT missing or filter absent on L₁. |
| Flow‑stat counters | Incrementing rx_drop on leaf L₂ for traffic destined to tenant Y, while tx_ok increments on L₁ for same traffic. | L₂ drops due to missing RT; L₁ forwards incorrectly. |
| Compliance scan alerts | Scanners flag unauthorized traffic between security zones only during peak hours (when specific ECMP paths are used). | Leak only visible on subset of flows. |
| No BGP session flaps | All BGP peers remain Established; no route‑withdrawal storms. | Control plane stable; issue is data‑plane/policy misapplication. |
Detection Methods
-
Policy‑as‑code diff
- Render intended config (e.g., from Ansible/Terraform) for each leaf.
- Compare with
show running-configusingbatdifforntc‑templates. - Look for missing
route-target import/exportlines or missingimport mapstatements.
-
BGP RT verification
- On each leaf:
show bgp vpnv4 vrf <VRF> | include <RT> - Zero matches for an expected RT indicates a missing import.
- On each leaf:
-
Forwarding plane validation
- Use
pingwith specific source/destination and vary source port to force ECMP hash (e.g.,ping -s 1472 -p 0xabcd). - Capture packets on both leaves with
tcpdump -i <if> -w leak.pcapand verify VLAN/VNI tags.
- Use
-
Telemetry correlation
- Pull sFlow/NetFlow records and group by
src_vrf,dst_vrf. - Any non‑zero flow where
src_vrf != dst_vrfand the flow is not in the approved communication matrix indicates a leak.
- Pull sFlow/NetFlow records and group by
-
Automated drift detection
- Tools like Network Source of Truth (NSoT), NetBox, or Slurp’it store intended RT/filter objects.
- Periodic jobs run
ansible‑network‑automationmodules to compare intended vs. actual and raise alerts on divergence.
Tools and Techniques
| Tool | Use Case | Example Command |
|---|---|---|
batdiff | Config diff between intended and rendered | batdiff intended/leaf01.cfg <(ssh leaf01 "show run") |
bgpq3 | Generate prefix‑lists/RT lists from IRR for validation | bgpq3 -A AS65000 -j leaf01-import |
ansible.iosxr.iosxr_command | Run show commands across fabric | - iosxr_command: commands: ["show bgp vpnv4 vrf tenantA"] |
ntc‑templates | Parse structured output for diffing | parse_output("cisco_iosxr.show_bgp", output) |
Wireshark/tcpdump | Verify VNI/VLAN tags on leaking packets | tcpdump -i eth0 -nn -s 0 -w leak.pcap 'vxlan and vxlan.vni == 5001' |
gNMI | Subscribe to BGP RT telemetry in real time | gnmic -a leaf01:9339 subscribe --path "/bgp/vpnv4/route-target" |
Falco (network plugin) | Alert on unexpected inter‑VRF traffic | Rule: evt.type = sendto and fd.sport > 1024 and proc.name = "ping" and evt.args contains "dst_vrf != src_vrf" |
Troubleshooting a Partial Rollback
Step‑by‑Step Guide
-
Define the observed symptom
- Record exact source/destination IPs, VNI/VLAN, and time window where leakage occurs.
- Example:
10.1.2.5 (VRF RED) → 10.2.3.8 (VRF BLUE)observed at 14:03–14:07 UTC.
-
Collect intended policy
- Extract RT and filter definitions from the source‑of‑truth (e.g., Git repo).
- Example intended snippet for leaf:
vrf RED address-family ipv4 unicast import route-target 65000:100 import map RED-IMPORT ! route-map RED-IMPORT permit 10 match ip address prefix-list RED-ALLOWED ! ip prefix-list RED-ALLOWED seq 5 permit 10.1.0.0/16 le 24
-
Render config on each leaf
- Pull
show running-config vrf REDandshow route-map RED-IMPORT. - Compare line‑by‑line with intended.
- Pull
-
Validate RT presence
show bgp vpnv4 vrf RED | include 65000:100- If missing on a leaf → RT import gap.
-
Validate filter presence/effect
show route-map RED-IMPORT- If absent or missing
match ip address prefix-list RED-ALLOWED→ filter gap.
-
Check BGP RIB vs. FIB
show bgp vpnv4 vrf RED(RIB)show route vrf RED | include 10.2.3.0/24(FIB)- If route present in RIB but missing from FIB → possible ASIC RT‑check failure (rare).
-
Data‑plane verification
- On the suspect leaf, start a continuous ping with varying source ports to force different ECMP paths:
for i in {1..100}; do ping -c 1 -s 1472 -p $(printf "%02x" $i) 10.2.3.8; done - Capture on both leaves and inspect VNI tags.
- On the suspect leaf, start a continuous ping with varying source ports to force different ECMP paths:
-
Correlate with telemetry
- Query flow records:
SELECT * FROM netflow WHERE src_ip='10.1.2.5' AND dst_ip='10.2.3.8' AND src_vrf!=dst_vrf; - Non‑zero result confirms leak.
- Query flow records:
-
Remediate
- Apply missing RT or filter via config push.
- Verify that the leaf now shows the RT in BGP and the route‑map is applied.
- Re‑run the ping test; leakage should cease.
-
Document drift
- Record the diff between intended and observed config.
- Add a test case to CI pipeline to prevent regression.
Common Pitfalls and Misconceptions
| Pitfall | Why It’s Wrong | Correct Approach |
|---|---|---|
| Assuming BGP convergence = correct policy | BGP only exchanges NLRI; it does not validate RT/filter correctness on each peer. | Verify per‑device import policies after convergence. |
| Believing that a missing RT will cause a total outage | If the leaf still has a default route or ECMP path, traffic may be forwarded incorrectly rather than dropped. | Check for unintended forwarding; missing RT can cause silent leaks. |
| Relying solely on link‑utilization metrics | Leaks may involve low‑volume traffic that does not affect overall utilization. | Inspect per‑tenant flow counters or security‑policy logs. |
| Thinking a filter is unnecessary when RTs are present | Filters provide granular control; without them, any RT‑matching route is imported. | Always review both RT and filter configurations together. |
| Overlooking ECMP hash‑dependent leaks | Leak may appear only for certain flow hashes, making it intermittent. | Vary source ports or packet sizes during testing to expose all paths. |