Skip to content
LinkState
Go back

When failed rollback leaks a tenant across one leaf

Tenant Leaks in Partial Rollback Scenarios

Introduction

A tenant leak occurs when traffic that should be confined to a specific logical tenant (VRF, VPN, or security zone) is inadvertently allowed to traverse into another tenant’s forwarding domain. In Ethernet‑VPN (EVPN) fabrics with MP‑BGP control plane, isolation is enforced primarily by route‑targets (RTs) and filtering constraints (import/export policies or route‑maps).

A leak is partial when the misconfiguration is isolated to a subset of devices (e.g., a single leaf switch) while the rest of the fabric remains correctly programmed. The control plane continues to converge, so the underlay and overlay stay operational, but the data‑plane forwarding decision on the affected leaf deviates from the intended policy, allowing packets to cross tenant boundaries.

Common Causes

CauseDescriptionTypical Symptom
Missing RT on leafLeaf does not advertise or import the RT that marks a tenant’s routes.Routes appear in the wrong VRF table; traffic forwarded based on longest‑prefix match without RT check.
Incorrect filtering constraintImport/export route‑map or prefix‑list absent or overly permissive.Routes that should be filtered are installed, causing cross‑tenant reachability.
Partial rollbackConfiguration change (e.g., RT addition) applied to only a subset of leaves due to failed commit, staged rollout, or mis‑applied patch.Only the non‑updated leaf exhibits leak behavior; other leaves enforce correctly.
Human error in policy‑as‑codeTemplated variables (e.g., {{ tenant_id }}) not resolved for a specific node.Rendered config differs from intended state on that node only.
Software bug in RT handlingLeaf’s forwarding ASIC fails to apply RT check under certain conditions (e.g., ECMP load‑balancing).Leak appears only for certain flow hashes.

Understanding Route‑Targets and Filtering Constraints

Route‑Target Fundamentals

In EVPN, a route‑target is an extended community attached to BGP NLRI that signals which VRF should import or export the route.

Mathematically:

if (route.RT ∩ VRF.import_RTs ≠ ∅) then install route in VRF

RTs travel as an optional transitive BGP attribute; they do not affect underlay forwarding. The data‑plane enforcement occurs when the forwarding ASIC first derives the VRF context from the incoming interface/VLAN, then performs a longest‑prefix match (LPM) within that VRF’s FIB. If a route was incorrectly imported due to a missing or wrong RT, the packet is forwarded using that VRF’s FIB, potentially reaching a destination belonging to another tenant.

Filtering Constraint Basics

Filtering constraints are policy mechanisms applied at the BGP import/export stage to further restrict which routes are accepted based on criteria beyond RT matching (e.g., IP prefix, MAC address, VNI, or route‑type). Common implementations:

A filtering constraint can be whitelisting (only allow matching routes) or blacklisting (deny matching routes). Evaluation order is deterministic:

  1. RT match (mandatory for EVPN routes).
  2. If RT matches, evaluate import/export route‑map (if present).
  3. If the route‑map returns permit, the route is installed; otherwise, it is dropped.

If a leaf lacks an import map that should deny a certain prefix, the RT check alone may permit the route, leading to a leak.

Interaction Between Route‑Targets and Filtering Constraints

Install(route) = RT_match(route) AND (Filter(route) == permit OR no Filter configured)

Thus, a missing RT is a hard failure (route never matches any VRF), whereas a missing or overly permissive filter is a soft failure (route matches RT but should have been blocked). In a partial rollback scenario, the leaf may have correct RTs but lack the intended filter, or vice‑versa, creating a leak that does not break overall BGP convergence but violates segmentation.

Identifying Partial Rollback Scenarios

Symptoms

SymptomObservationLikely Root Cause
Intermittent tenant‑to‑tenant reachabilityPing/trace from host A (tenant X) to host B (tenant Y) succeeds only when the flow hashes through leaf L₁, fails when hashed through leaf L₂.Leaf L₁ missing filter/RT; L₂ correct.
BGP show ip bgp vpnv4 vrf XRoutes present in VRF X on leaf L₁ that have RT Y (belonging to tenant Y) but are absent on other leaves.Import RT missing or filter absent on L₁.
Flow‑stat countersIncrementing rx_drop on leaf L₂ for traffic destined to tenant Y, while tx_ok increments on L₁ for same traffic.L₂ drops due to missing RT; L₁ forwards incorrectly.
Compliance scan alertsScanners flag unauthorized traffic between security zones only during peak hours (when specific ECMP paths are used).Leak only visible on subset of flows.
No BGP session flapsAll BGP peers remain Established; no route‑withdrawal storms.Control plane stable; issue is data‑plane/policy misapplication.

Detection Methods

  1. Policy‑as‑code diff

    • Render intended config (e.g., from Ansible/Terraform) for each leaf.
    • Compare with show running-config using batdiff or ntc‑templates.
    • Look for missing route-target import/export lines or missing import map statements.
  2. BGP RT verification

    • On each leaf: show bgp vpnv4 vrf <VRF> | include <RT>
    • Zero matches for an expected RT indicates a missing import.
  3. Forwarding plane validation

    • Use ping with specific source/destination and vary source port to force ECMP hash (e.g., ping -s 1472 -p 0xabcd).
    • Capture packets on both leaves with tcpdump -i <if> -w leak.pcap and verify VLAN/VNI tags.
  4. Telemetry correlation

    • Pull sFlow/NetFlow records and group by src_vrf, dst_vrf.
    • Any non‑zero flow where src_vrf != dst_vrf and the flow is not in the approved communication matrix indicates a leak.
  5. Automated drift detection

    • Tools like Network Source of Truth (NSoT), NetBox, or Slurp’it store intended RT/filter objects.
    • Periodic jobs run ansible‑network‑automation modules to compare intended vs. actual and raise alerts on divergence.

Tools and Techniques

ToolUse CaseExample Command
batdiffConfig diff between intended and renderedbatdiff intended/leaf01.cfg <(ssh leaf01 "show run")
bgpq3Generate prefix‑lists/RT lists from IRR for validationbgpq3 -A AS65000 -j leaf01-import
ansible.iosxr.iosxr_commandRun show commands across fabric- iosxr_command: commands: ["show bgp vpnv4 vrf tenantA"]
ntc‑templatesParse structured output for diffingparse_output("cisco_iosxr.show_bgp", output)
Wireshark/tcpdumpVerify VNI/VLAN tags on leaking packetstcpdump -i eth0 -nn -s 0 -w leak.pcap 'vxlan and vxlan.vni == 5001'
gNMISubscribe to BGP RT telemetry in real timegnmic -a leaf01:9339 subscribe --path "/bgp/vpnv4/route-target"
Falco (network plugin)Alert on unexpected inter‑VRF trafficRule: evt.type = sendto and fd.sport > 1024 and proc.name = "ping" and evt.args contains "dst_vrf != src_vrf"

Troubleshooting a Partial Rollback

Step‑by‑Step Guide

  1. Define the observed symptom

    • Record exact source/destination IPs, VNI/VLAN, and time window where leakage occurs.
    • Example: 10.1.2.5 (VRF RED) → 10.2.3.8 (VRF BLUE) observed at 14:03–14:07 UTC.
  2. Collect intended policy

    • Extract RT and filter definitions from the source‑of‑truth (e.g., Git repo).
    • Example intended snippet for leaf:
      vrf RED  
        address-family ipv4 unicast  
          import route-target 65000:100  
          import map RED-IMPORT  
        !  
      route-map RED-IMPORT permit 10  
        match ip address prefix-list RED-ALLOWED  
      !  
      ip prefix-list RED-ALLOWED seq 5 permit 10.1.0.0/16 le 24  
  3. Render config on each leaf

    • Pull show running-config vrf RED and show route-map RED-IMPORT.
    • Compare line‑by‑line with intended.
  4. Validate RT presence

    • show bgp vpnv4 vrf RED | include 65000:100
    • If missing on a leaf → RT import gap.
  5. Validate filter presence/effect

    • show route-map RED-IMPORT
    • If absent or missing match ip address prefix-list RED-ALLOWEDfilter gap.
  6. Check BGP RIB vs. FIB

    • show bgp vpnv4 vrf RED (RIB)
    • show route vrf RED | include 10.2.3.0/24 (FIB)
    • If route present in RIB but missing from FIB → possible ASIC RT‑check failure (rare).
  7. Data‑plane verification

    • On the suspect leaf, start a continuous ping with varying source ports to force different ECMP paths:
      for i in {1..100}; do ping -c 1 -s 1472 -p $(printf "%02x" $i) 10.2.3.8; done  
    • Capture on both leaves and inspect VNI tags.
  8. Correlate with telemetry

    • Query flow records:
      SELECT * FROM netflow  
      WHERE src_ip='10.1.2.5' AND dst_ip='10.2.3.8' AND src_vrf!=dst_vrf;  
    • Non‑zero result confirms leak.
  9. Remediate

    • Apply missing RT or filter via config push.
    • Verify that the leaf now shows the RT in BGP and the route‑map is applied.
    • Re‑run the ping test; leakage should cease.
  10. Document drift

    • Record the diff between intended and observed config.
    • Add a test case to CI pipeline to prevent regression.

Common Pitfalls and Misconceptions

PitfallWhy It’s WrongCorrect Approach
Assuming BGP convergence = correct policyBGP only exchanges NLRI; it does not validate RT/filter correctness on each peer.Verify per‑device import policies after convergence.
Believing that a missing RT will cause a total outageIf the leaf still has a default route or ECMP path, traffic may be forwarded incorrectly rather than dropped.Check for unintended forwarding; missing RT can cause silent leaks.
Relying solely on link‑utilization metricsLeaks may involve low‑volume traffic that does not affect overall utilization.Inspect per‑tenant flow counters or security‑policy logs.
Thinking a filter is unnecessary when RTs are presentFilters provide granular control; without them, any RT‑matching route is imported.Always review both RT and filter configurations together.
Overlooking ECMP hash‑dependent leaksLeak may appear only for certain flow hashes, making it intermittent.Vary source ports or packet sizes during testing to expose all paths.

Share this post on:

Previous Post
Migrating tc classifiers to XDP with rollback discipline
Next Post
Hairpin service failures when a Pod calls itself