Fahad Afzal

How to address overlapping VLANS in ACI Physical Domains


Hello there,

We have a running ACI environment which was migrated from a legacy network using the network-centric approach (VLAN = BD = EPG). Various AEPs and Physical Domains were created as shown below:


AEP1 > PhysicalDomain1 > VLANPool1 > VLAN 1-5
AEP2 > PhysicalDomain2 > VLANPool2 > VLAN 1-10
AEP3 > PhysicalDomain3 > VLANPool3 > VLAN 1-15


EPG1 > PhysicalDomain1, PhysicalDomain2, PhysicalDomain3 > EncapVLAN1

EPG2 > PhysicalDomain1, PhysicalDomain2, PhysicalDomain3 > EncapVLAN2

EPG3 > PhysicalDomain1, PhysicalDomain2, PhysicalDomain3 > EncapVLAN3


All have been working well for a couple of years (including LACP-enabled workloads using vPC between pairs of leaves). However, when we tried to connect a new LACP-enabled server recently, we faced endpoint learning issues. On digging in, we found that it was happening because of VLAN overlapping. The vPC pairs used different fabric_encap values for the same external VLAN ID. Removing the duplicate Physical Domain from the EPG resolved the issue straight away.


Now our concern is the rest of the working workloads. All EPGs have multiple Physical Domains, each with a unique AEP, but the AEPs have overlapping VLANs. If a leaf gets rebooted, it may take a different fabric_encap and that might cause endpoint learning issues between the vPC pairs.


Could you suggest the best possible solution to remove the overlapping VLANs? Is it wise to have a single Physical Domain containing a single AEP that has VLAN 1-2000, applied to all ports in the Access Policies and attached to all EPGs? Wouldn't it increase unwanted traffic in the fabric?


Please suggest. Thanks in advance!
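As an added example (not part of the original post), the check below reproduces the situation described above: it expands each domain's VLAN pool, reports every VLAN ID that lives in more than one pool, and then lists the EPGs whose encap VLAN can be resolved through more than one of their associated domains. The domain, pool and EPG data are constructed to mirror the post's setup, not read from an APIC.

```python
# Added example: find VLAN-pool overlaps across physical domains and the EPGs
# exposed to them. All data below is constructed from the thread's description.

def parse_vlan_spec(spec):
    """Expand a pool spec such as '1-5,20,30-32' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


# Constructed fabric model: physical domain -> VLAN pool contents (as in the post).
DOMAIN_POOLS = {
    "PhysicalDomain1": parse_vlan_spec("1-5"),
    "PhysicalDomain2": parse_vlan_spec("1-10"),
    "PhysicalDomain3": parse_vlan_spec("1-15"),
}
# Constructed EPG -> associated domains and EPG -> encap VLAN, as in the post.
EPG_DOMAINS = {
    "EPG1": ["PhysicalDomain1", "PhysicalDomain2", "PhysicalDomain3"],
    "EPG2": ["PhysicalDomain1", "PhysicalDomain2", "PhysicalDomain3"],
    "EPG3": ["PhysicalDomain1", "PhysicalDomain2", "PhysicalDomain3"],
}
EPG_ENCAP = {"EPG1": 1, "EPG2": 2, "EPG3": 3}


def pool_overlaps(domain_pools):
    """Map each VLAN ID that appears in more than one pool to the domains holding it."""
    holders = {}
    for domain, vlans in domain_pools.items():
        for v in vlans:
            holders.setdefault(v, []).append(domain)
    return {v: sorted(d) for v, d in holders.items() if len(d) > 1}


def epg_encap_conflicts(domain_pools, epg_domains, epg_encap):
    """Return EPGs whose encap VLAN is present in the pools of more than one of
    their associated domains; these are the EPGs at risk of an inconsistent
    fabric encap between leaves."""
    conflicts = {}
    for epg, domains in epg_domains.items():
        encap = epg_encap[epg]
        holders = [d for d in domains if encap in domain_pools.get(d, set())]
        if len(holders) > 1:
            conflicts[epg] = holders
    return conflicts


if __name__ == "__main__":
    for v, doms in sorted(pool_overlaps(DOMAIN_POOLS).items()):
        print(f"VLAN {v} is in the pools of: {', '.join(doms)}")
    for epg, doms in epg_encap_conflicts(DOMAIN_POOLS, EPG_DOMAINS, EPG_ENCAP).items():
        print(f"{epg}: encap {EPG_ENCAP[epg]} reachable via {len(doms)} domains -> {doms}")
```

Run against a real fabric, the same two functions can be fed from the `fvnsEncapBlk` objects of each pool and the `fvRsDomAtt` relations of each EPG; an EPG that appears in `epg_encap_conflicts` is one whose domains should be pruned or whose pools should be de-duplicated before it is relied on for a vPC-attached host.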



In general, if you do not have a specific requirement to have more than one AEP/physical domain/VLAN pool, consolidate everything into a single object.

You will need to have a dedicated AEP etc. for IPN or ISN, but the rest could use a single set of objects.


So, a single Physical Domain/AEP/VLAN Pool would be OK for 14 leaves? Wouldn't it increase broadcast traffic in the fabric, especially when flooding is enabled at the EPG/BD level due to legacy switch connectivity?

Physical Domain/AEP/VLAN Pool are fabric policies and have nothing to do with the number of leaves or traffic shaping.


I meant to ask if it is safe for up to 14 leaves.


You will need to have a dedicated AEP etc. for IPN or ISN, but the rest could use a single set of objects.

Could you please elaborate on IPN and ISN?

Again, the number of leaves is not relevant and has nothing to do with the number of AAEPs/domains/pools.


IPN is the inter-pod network and ISN the inter-site network, for Multi-Pod / Multi-Site.


One more thing: I would recommend NOT having a range of VLANs in the pool (like 5-3000) but adding VLANs individually; later, if you need to remove a VLAN from the pool, you will be able to.

Postman JSON and Excel will let you add any number of VLANs very easily.


Right, individual VLANs would be wise for future modifications.


Can you share any template of JSON or Excel? I think creating a Physical Domain/AEP/VLAN Pool would be easy, as it is a one-time job, but assigning the DN to the Access Policies on all interfaces (approx. 500 ports) will be a challenge.


Do you have any suggestion to quickly change the DN on existing Interface Access Policies safely?

I don't have a script ready to share, but it is very easy to create one. If you are working with APIC you need to master JSON/Postman anyway.

Go to Fabric > Access Policies > Pools > VLAN, select your pool, and on the right side right-click on any VLAN (e.g. 10) and "Save as".

Now if you replace "10" with the {{VLAN}} variable, you have a script you can run in the Postman runner with a CSV file that lists all your VLANs.


Another useful tool in the APIC config menu (gear in the top right corner) is the API Inspector.


There are a lot of docs on the web about how to use Postman.
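As an added example (not the thread's own script and not Cisco's code), here is the same idea as the Postman runner + CSV approach described above, written in Python so the generated requests can be reviewed before anything is sent: one `fvnsEncapBlk` per VLAN in the pool, plus a re-bind of each interface policy group to the consolidated AEP (the question raised in the reply about the ~500 ports). Class names and DN formats (`fvnsVlanInstP`/`fvnsEncapBlk`, `infraAccPortGrp`/`infraAccBndlGrp`, `infraRsAttEntP`) follow the APIC object model as I know it; the pool, AEP and policy-group names and the CSV contents are placeholders I constructed. Confirm the exact attribute set against the "Save as" / API Inspector output of your own fabric before posting.

```python
# Added example: build APIC REST payloads from a VLAN CSV and a list of
# interface policy groups. Names below are constructed placeholders.
import csv
import io
import json


def vlans_from_csv(text):
    """Read the 'vlan' column of a CSV (the same file the Postman runner would
    consume) and return sorted, de-duplicated, range-checked VLAN IDs."""
    vlans = set()
    for row in csv.DictReader(io.StringIO(text)):
        v = int(row["vlan"].strip())
        if not 1 <= v <= 4094:
            raise ValueError(f"VLAN {v} out of range")
        vlans.add(v)
    return sorted(vlans)


def vlan_block_payload(pool_name, vlan, alloc_mode="static"):
    """One fvnsEncapBlk covering a single VLAN, so the VLAN can later be removed
    from the pool on its own rather than by splitting a large range."""
    pool_dn = f"uni/infra/vlanns-[{pool_name}]-{alloc_mode}"
    encap = f"vlan-{vlan}"
    return {
        "fvnsEncapBlk": {
            "attributes": {
                "dn": f"{pool_dn}/from-[{encap}]-to-[{encap}]",
                "from": encap,
                "to": encap,
                "allocMode": "inherit",
                "role": "external",
                "status": "created,modified",
            }
        }
    }


def aep_rebind_payload(group_name, aep_name, bundle=False):
    """Point an access-port policy group (or a PC/vPC bundle group) at another AEP
    via its infraRsAttEntP relation; other settings of the group are untouched."""
    cls = "infraAccBndlGrp" if bundle else "infraAccPortGrp"
    prefix = "accbundle" if bundle else "accportgrp"
    return {
        cls: {
            "attributes": {"dn": f"uni/infra/funcprof/{prefix}-{group_name}", "status": "modified"},
            "children": [
                {"infraRsAttEntP": {"attributes": {
                    "tDn": f"uni/infra/attentp-{aep_name}", "status": "created,modified"}}}
            ],
        }
    }


def api_path(payload):
    """POST target for a payload addressed by DN: /api/mo/<dn>.json"""
    (body,) = payload.values()
    return f"/api/mo/{body['attributes']['dn']}.json"


def build_requests(pool_name, csv_text, aep_name, policy_groups):
    """Return (path, json_body) pairs: one per VLAN, then one per policy group."""
    reqs = []
    for v in vlans_from_csv(csv_text):
        p = vlan_block_payload(pool_name, v)
        reqs.append((api_path(p), json.dumps(p)))
    for name, is_bundle in policy_groups:
        p = aep_rebind_payload(name, aep_name, bundle=is_bundle)
        reqs.append((api_path(p), json.dumps(p)))
    return reqs


# Constructed inputs (placeholder names, not from any real fabric).
SAMPLE_CSV = "vlan\n10\n20\n20\n30\n"
SAMPLE_GROUPS = [("Srv-Port-PG", False), ("Srv-vPC-PG", True)]

if __name__ == "__main__":
    for path, body in build_requests("BareMetal-Pool", SAMPLE_CSV, "BareMetal-AEP", SAMPLE_GROUPS):
        print("POST", path)
        print("    ", body)
```

Reviewing the generated list before sending it is the point of building it offline: every policy group that is re-pointed must belong to ports that really are bare-metal, and the duplicate `20` in the constructed CSV shows why de-duplication belongs in the generator rather than in the APIC.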




Fahad Afzal

6askorobogatov Thanks for your comments. They have been very helpful.
So we will create a single Physical Domain associated with a single AEP that has all the VLAN IDs we are using for the bare-metal servers, assign the AEP to all interfaces connected to bare-metal servers, and add the Physical Domain to all EPGs (the static port configuration under the EPGs will remain as it is).