ACI Rogue Endpoint Clarification

waschminator · ‎04-28-2025

Hello,

can anyone explian me the rogue endpoint mechanism, if i get these 4 error messages below does it mean that the MAC is made static on the correspondig interfaces?

11:47:39 descr : EP MAC 6C:92:CF:E7:E0:F0 under bd ebat_csrv:BD_2964 vrf ebat_csrv:VRF-ebat_csrv is rogue on interface tunnel111 of Node 1167, Pod 1, moving from interface Tunnel96 (0x18010060) with Destination IP (10.46.168.83).
11:47:47 descr : EP MAC 6C:92:CF:E7:E0:F0 under bd ebat_csrv:BD_2964 vrf ebat_csrv:VRF-ebat_csrv is rogue on interface eth1/93 of Node 1391, Pod 1, moving from interface Tunnel30 (0x1801001e) with Destination IP (10.46.184.88).
11:48:01 descr : EP MAC 6C:92:CF:E7:E0:F0 under bd ebat_csrv:BD_2964 vrf ebat_csrv:VRF-ebat_csrv is rogue on interface tunnel84 of Node 1168, Pod 1, moving from interface Tunnel96 (0x18010060) with Destination IP (10.46.168.81).
11:48:04 descr : EP MAC 6C:92:CF:E7:E0:F0 under bd ebat_csrv:BD_2964 vrf ebat_csrv:VRF-ebat_csrv is rogue on interface eth1/93 of Node 1392, Pod 1, moving from interface Tunnel100 (0x18010064) with Destination IP (10.46.168.81).

in the GUI Endpointint tracker the MAC is marked as detached/attached. is it correct that learning for this MAC is disabled, it is bound statically to the interface and traffic is dropped or the length of the hold interval?

Remi-Astruc · ‎05-05-2025

Hi @waschminator ,

It means the MAC is flapping between Leafs 1391-1392 1/93 and other Leafs in the Fabric. When the protection is triggered, it means the dynamic learning is stopped for that MAC and sticked arbitrarily on one of the flapping interfaces (similar to a static MAC entry, if you will) during the Hold timer. When the Hold timer expires, the dynamic learning is back to normal, and protection can kick in again if necessary.

Regards

Remi Astruc