Selectively Filtering HSRP Traffic Over an OTV Overlay per-VLAN

JerryDrossaa
Level 1

Hi - In reading the Cisco documentation on the best practices for OTV implementation [1], I am unable to determine if FHRP isolation can be applied per-VLAN or not. While I understand the vACL and ARP inspection commands prevent the HSRP packets from traversing the overlay, and that these are applied per-VLAN, the filter that is then applied to the IS-IS control plane (as per the example at the very end) appears to not take VLAN into account and thus prevents (??) neighboring overlay sites from learning those MAC addresses.

 

In my specific situation, all SVIs which are spanned between the data centres using OTV are enabled for HSRP on all Nexus 7000-series switches; however, for a selected few VLANs we wish to enable FHRP isolation so that those VLANs' egress traffic is via the local data centre switches and not carried over the overlay. So, by enabling the vACL and ARP inspection for those specific VLANs, I believe one of the data centre switches will become active (based on priority) at each data centre; however, will the IS-IS control plane filter affect those which are not subject to the vACL and ARP inspection?

 

otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV_HSRP_filter

 

From other documentation I am to believe that this filter prevents the neighboring site from learning the HSRP-specific MAC address and prevents the OTV VDC from reporting MAC addresses flapping between the internal interfaces and the overlay.  I have not been able to find for this scenario and am unsure what the real impact will be if only half of the best practice example is implemented.

 

Hoping someone has some thoughts - Thanks!

 

[1] https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/guide_c07-728315.pdf
