To limit both local and remote endpoint learning to instances where the source IP address belongs to a bridge-domain subnet in the VRF instance, the action that should be taken inside the Cisco APIC is to enable the “Enforce Subnet Check” feature. This configuration ensures that IP addresses outside the configured subnets for the bridge domain are not learned, preventing mis-learning of IP addresses that do not belong to the fabric12.