I'm not 100% yet, but I will confirm.  Here's my initial guess.

In this manner there's no for creating some of the usual policies.  When you deploy an EPG to the AEP directly, you're making the EPG available on every port the AEP maps to (via Interface Policy Group & Interface Profile polices).  This removes the need for static path bindings.

I would use caution as there's much less granularity in terms of being able to use a single AEP but restrict which EPGs are deployed to a AEP's subset of interfaces.

Robert

Thanks

I think this could be a useful feature.

In a world where we might want Server Admins to create End Point Groups and Contracts, the Server Admin still needs to be aware of the physical interface numbers for bare-metal servers to bind to their new EPGs.  This rather spoils the idea of abstracting all the physical stuff.

I was wondering if we could bundle all or the Tenant's bare-metal servers into one Physical Domain and one AEP and give them a single EPG bound to the AEP as a default home for their servers.  The Tenant Server Admin could then create micro segmentation EPGs based on IP address to make new groups of bare-metal servers .

And, they'd never lose track of a server by deleting a static path binding, they'd always drop back into the default AEP bound EPG.

Would that work?

John

Thanks Jason,

I notice that you can't mix EPG via AEP method with static paths you have to:

-Deploy the EPGs from the AEP by choosing an encap (the vlan doesn't even need a pool or domain) as tagged =works for trunks only.

-Create 1 Interface Policy Group +1AEP  for every untagged port on same EPG  

Could you pls confirm if this is how it's supposed to be configured?

"I notice that you can't mix EPG via AEP method with static paths"

You could use a mix of static binding and AEP/EPG deployment, but the static binded ports must use a different AEP than the AEP using the AEP/EPG deployment. See example below:

Leaf 101 Eth1/20 and 1/22 are using AEP 1
AEP 1 is tied to a physical domain which maps to a VLAN pool containing VLANs 1900-2000
Associate AEP 1 with EPG 1 trunking VLAN 1901
Go to the EPG and associate the physical domain

Results:
Leaf1# show vlan id 19 ext

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
19 jw:jw:jw1 active Eth1/20, Eth1/22

VLAN Type Vlan-mode Encap
---- ----- ---------- -------------------------------
19 enet CE vlan-1901

Leaf 101 Eth1/36 uses AEP 2
AEP 2 is tied to the same physical domain as AEP 1 which maps to the same pool (VLANS 1900 - 2000)
Go the EPG and:
A) Associated the physical domain
B) Apply the static path for VLAN 1901 to be trunked through Eth1/36

Results:

Leaf1# show vlan id 19 ext

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
19 jw:jw:jw1 active Eth1/20, Eth1/22, Eth1/36

VLAN Type Vlan-mode Encap
---- ----- ---------- -------------------------------
19 enet CE vlan-1901

"Deploy the EPGs from the AEP by choosing an encap (the vlan doesn't even need a pool or domain) as tagged =works for trunks only."

This is false. The VLAN still needs to be part of the VLAN pool which maps to the physical domain. That same physical domain must map to:
a. the AEP
b. the EPG

Without the mapping, you may possibly see VLANs deploy; however this is unstable and unsupported. You would expect to see F0467 raised under the EPG. See below:

VLANs can also work for untagged and 802.1p; however only 1 EPG/VLAN can be untagged/802.1p per interface. All other VLANs on the interface must be tagged.

Create 1 Interface Policy Group +1AEP for every untagged port on same EPG

1 AEP can be used for all ports in the same EPG regardless of tagged/untagged.

Jason