Green cube has several VLANs that need to terminate to VPC cloud. VLANs are set by another team(s) and mostly match ingress/egress to the network. Inter-VLAN traffic needs to be denied on all interfaces except to the VPC trunk.
IP addresses and MACs will always be unknown/changing.
The above configuration works. Is this the best way to go about segregating the hosts per VLAN? Is it normal to have to 'flip' the VLAN primary/isolated to achieve the same VLAN tag at both ends? Do all VLANs need to be sent over the VNI?
I'd appreciate any advice - thank you!