Solved: How to configure same encap-VLAN in two different tenant on same Leaf

irenof · ‎04-24-2025

Hi all,

I am trying to configure 2 static bindings for two EGPs belonging to two different Tenant, but it does not work as expected.

Here the recap of the situation:

Tenant A -> EPG vl_100 -> Leaf 111 -> port eth1/5 -> vlan 100

Tenant B -> EPG vl_100 -> Leaf 111 -> port eth1/6 -> vlan 100

Interface policy is 1G_pol binded to a single AAEP -> PHY_DOM-> vlan_pool

When I configure the second static bind, I get an error about the sme encap is used in the other EPG, but of a different tenant.

I solved with the tutorial of @RedNectar , https://rednectar.net/2016/12/11/cisco-aci-per-port-vlan-feature/.

But it is for EPG under the same Tenant...

Is that the only possible solution even in the case of two Tenants, or can I change something in AAEP, PHYs domain, vlan pool? Maybe to separate the Tenants?

Thanks

UPDATE

I tried splitting the AAEP, Phy dom, Vlan pool in two, once per-tenant and I create two Inter policy poinitng to the two new AAEP, but the problem remains. I can fix it only with the per-port scope l2 policy

UPDATE

Reading rednectar's post comments, I saw that this has to be also done for different tenant! My last question is: Can I set for both interface policies the vlan per-port scope?

Remi-Astruc · ‎04-24-2025

The moment you set interfaces to re-use a Vlan Encap on a same Leaf, you have to set them as Per-port Scope, however only one of them could still be Global Scope if that's something you want.

Setting all interfaces with Per-port Scope can be set as a standard in some environments, but be careful about the reduced "Ports x Vlans" scalability.

Regards

Remi Astruc

View solution in original post

Remi-Astruc · ‎04-24-2025

Hi @irenof ,

Yes, your both "Updates" are correct. You need to set per-port scope for both interfaces.

Regards

Remi Astruc

irenof · ‎04-24-2025

hi @Remi-Astruc, thank you for your response. I asked the last question because in the rednectar post he configure only one interface with the per-port policy. But in my case, since I have to different Tenant, I would like to create simmetric configurations by setting for all the interface policies of both tenant the same vlan scope.
More important. can I set the vlan scope for every policy -> interface regardles the case the EPG is duplicated in both tenants? Like a default practice.

thanks

Remi-Astruc · ‎04-24-2025

The moment you set interfaces to re-use a Vlan Encap on a same Leaf, you have to set them as Per-port Scope, however only one of them could still be Global Scope if that's something you want.

Setting all interfaces with Per-port Scope can be set as a standard in some environments, but be careful about the reduced "Ports x Vlans" scalability.

Regards

Remi Astruc

irenof · ‎04-24-2025

@Remi-Astrucyou are right. I read about scalability after my last response and I changed my idea. I will leave the default "global" scope as default. In case the same VLAN encap occurs for different tenants on the same switch, I will set the new interface with the “per-port” policy, leaving the other ports with the same VLAN alredy configured (i.e for the other tenant) with the global scope. Tenants have different phy domain and vlan pool, so all should work.

Many thanks!

Irenof

RedNectar · ‎04-24-2025

Hi @irenof ,

Glad @Remi-Astruc was able to sort this out while I was sleeping! Maybe I should update my post with a "same tenant" example.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

irenof · ‎04-24-2025

Hi @RedNectar! thanks for joining the conversation. Your post does not mention the "different tenants",, but only TenantName. So I asked the question. But later I read better the comments zone under your post and I found the question of a user asking for "same EPGs, but different tenants" (i.e. my case). It might be helpful to specify this situation in your valuable post as well!

Thanks again to both of you!

Irenof