Pivotal Cloud Foundry Version 1.10
A broadcast storm can cause network-wide outages when Cisco ACI is the underlying network infrastructure on which Pivotal Cloud Foundry is installed.
Cisco ACI introspects into VMware host vNICs and sees all the bridge NICs being created per container. Normally, these are NAT'ed out via IP masquerade in the Linux kernel, but Cisco ACI learns them as L2 interfaces and directly publishes the internal container network range (10.254.0.0/22) on the fabric. If another subnet in the network uses the same address range as the containers (10.254.0.0/22), this may cause network loops that trigger a broadcast storm.
Enable "Enforce Subnet Check for IP Learning" in the Cisco ACI configuration.
The setting change is also documented in the Cisco ACI best practices:
Enforce Subnet Check for IP Learning—If this option is checked, the fabric will not learn IP addresses from a subnet other than the one configured on the bridge domain. For example, if a bridge domain is configured with a subnet address of 10.1.1.0/24, the fabric would not learn the IP address of an endpoint by using an address that is outside of this range, such as 22.214.171.124/24. This feature does not affect the data path; in other words, it will not drop packets coming from the wrong subnet. The feature simply prevents the fabric from learning endpoint information in this scenario.
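The following Python sketch is an added example, not code from Pivotal or Cisco. It checks a subnet inventory for overlap with the container range and models the learning rule quoted above. The bridge domain names, subnets and observed endpoints are constructed sample data, and `would_learn` is a simplified model of the setting, not an ACI API.

```python
import ipaddress

# Internal container network named in this article (10.254/22).
CONTAINER_NET = ipaddress.ip_network("10.254.0.0/22")

# Constructed sample inventory: bridge domain name -> configured subnet.
BRIDGE_DOMAINS = {
    "bd-pcf-deployment": "10.1.1.0/24",
    "bd-legacy-apps": "10.254.2.0/24",   # collides with the container range
    "bd-services": "10.20.0.0/16",
}

# Constructed sample of IPs seen behind host vNICs: (bridge domain, IP).
OBSERVED = [
    ("bd-pcf-deployment", "10.1.1.25"),    # host VM address
    ("bd-pcf-deployment", "10.254.0.6"),   # container bridge address
    ("bd-pcf-deployment", "10.254.1.14"),  # container bridge address
]

def overlapping_bridge_domains(bridge_domains, container_net=CONTAINER_NET):
    """Return names of bridge domains whose subnet overlaps the container range."""
    return [
        name
        for name, cidr in sorted(bridge_domains.items())
        if ipaddress.ip_network(cidr, strict=False).overlaps(container_net)
    ]

def would_learn(endpoint_ip, bd_subnet, enforce_subnet_check):
    """Simplified model: with the check enabled, an IP is learned only if it
    falls inside the bridge domain's configured subnet."""
    if not enforce_subnet_check:
        return True
    net = ipaddress.ip_network(bd_subnet, strict=False)
    return ipaddress.ip_address(endpoint_ip) in net

def leaked_container_ips(bridge_domains, observed, enforce_subnet_check):
    """Container-range IPs that the fabric would learn under the given setting."""
    return [
        ip
        for bd, ip in observed
        if ipaddress.ip_address(ip) in CONTAINER_NET
        and would_learn(ip, bridge_domains[bd], enforce_subnet_check)
    ]

if __name__ == "__main__":
    print("Overlap with container range:", overlapping_bridge_domains(BRIDGE_DOMAINS))
    for setting in (False, True):
        leaked = leaked_container_ips(BRIDGE_DOMAINS, OBSERVED, setting)
        print(f"enforce_subnet_check={setting}: learned container IPs = {leaked}")
```

Any bridge domain reported as overlapping still needs renumbering or a different container network range, because addresses inside its own subnet are learned regardless of the setting.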