My Scenario: I have

  TN-Common
    vrf-common (enforced)
      BD-A (only holds EPG-A)
        EPG-A (only provides DHCP services, and does not provide DNS or any other shared service)

  User Tenant-Test
    vrf-1 (unenforced)
    vrf-2 (enforced)

NO CONTRACT IS USED, as I believe DHCP is a 'special case in ACI'.
Hosts in the user tenant CAN get a DHCP lease. However, when I look at the routing tables, I see the route leaks from the vrf-common tenant to the user VRFs (vrf-1 & vrf-2). In the common tenant, I do not see the routes for the hosts in the user tenant. If I follow the routing table, the traffic would route asymmetrically and the DHCP offer would return to the client through a firewall. However, after capturing packets on the firewall, that routing path is NOT USED, as we do not see any packets making it to the firewall.
Also, on the user leafs, if I search for the endpoint of the DHCP server (show ip endpoint 1.1.1.1, as an example) it returns nothing. DHCP must be a special case in ACI, but I'm just wanting to understand this behavior and how it is programmed on the leafs. Zoning filters don't provide anything allowing for DHCP. I know auditors will ask me this question and I need to provide them something.
Thanks to whoever can help me!