We have Same issue. after upgrading to 17.12.91 (cat9k_iosxe.17.12.01.SPA.bin) it's working as expected.

@Purnendra we have same issue in past and it's Bug CSCdz21299 I Would you request you to open a TAC Case and verify the them. 

@adeebtaqui I would say Use Access layer switch as L3 is Neither Right Nor Wrong. it's totally up to design. if you are using same Vlan access the all Access switch then i would say use that as a L2. Advantage: you can use same vlan across the campus...

@Sectech1 you can add allowed host entry on high priority on existing ACL, like 409 permit ip any <IP_you_Want_to_Allow> 0.0.0.0 if still you facing issue, i would request please share output of below commands sh ip access-listsh run | Sec access-lis...

Could you verify duplex configuration and also is their any encapsulation configured, if yes then both side it should be the same.