Thank you Laz. I ended up using VRF Lite and iBGP between my Edge router and the Spine switches (so your Per-Tenant VRF solution). I actually ended up putting the Edge router on SD-WAN and using the Service VPNs to peer with the different customer VRFs of the L3 VNIs that I had to include on the Spine switches for this to work. This excellent document provides the guidance for it:
I have a question: the problem that I found with this design is ROAS: with VRF lite or Per-Tenant VRF on the Spine Switch, then I had to configure ROAS on both the SPINE and the Edge router dedicating a subinterface per VRF. That is also what Cisco says to do on their document that I attached. Now, since I have 2 spines, I ended creating a multi-access area with the WAN Edge routers! The same thing I avoided with this complex VXLAN topologies on the Access layer now I just have it on the Core layer! Is this how it is supposed to be done? Or maybe use Tunnels to avoid ROAS?
Also, this implies another limitation and is scalability: on the Leaf switches I can scale up to more than 5000 customers if I include all of them in the count (this is, I might have 200 customers on a LEAF, 2000 different customers on another, then some mixed, …) but the challenge comes when the customer VRFs have to be configured on the SPINE switches with the L3 VNI. Since I only have 4095 (with reserved a little less) VLANs, I can only support that number of customers per spine considering that all my customers (which are more than 4095) need a L3 VNI (or even multiple). So at that point I would just have to distribute the L3 VNIs across the SPINEs? Is that how it is done in a real world scenario? Perhaps you or Rene have experienced this and can provide some insight.
Thanks,
Jose