06-15-2020 06:42 PM
Hi everyone,
We were wondering if it is possible to shape egress traffic in an EPG; we cannot apply DPP under the L3Out because it will be shared between more than 100 final customers and we need some internet access control for download & Upload. The internet service is offered per EPG (per-client) with contracts to our L3Out ExtEPG.
We are using APIC version 4.2(4i) and N9K-C93180YC-FX switches for Border Leaves.
I've just read this guide:
...It seems it only works for ingress traffic, but we need to validate. Please, can anyone confirm?
Thanks in advance, regards.
Isa M.
06-16-2020 09:02 PM
Hi Francesco,
Unfortunately we cannot add an extra L3 device to perform this job.
After thinking a little more about it, I found a possible workaround, but first, let me introduce you to our "current topology":
* We have just one "L3Out_Internet" to a pair of Cisco ASR1001 (BGP over OSPF) that every client must use to reach the internet. Configuration on the client side uses its individual Bridge Domain "BD_VLAN_100" with one subnet (e.g. IP address = 187.188.1.30/28) and assignment to "EPG_Client_A" with its port-path mapping & Encap VLAN=100 (BD=EPG=VLAN). L3Out assignment to said BD and individual Contract were already configured.
* The client must first send his traffic to the BD (default gateway) and then to "L3Out_Internet" to reach the ASR1001 and the internet. Nothing special in this situation. The requirement was to perform Data Plane Policing at EPG level in order to shape both Download/Upload traffic (let's say 10Mbps) for "Client_A", but it was impossible to perform traffic shaping for egress traffic! ...
So we decided to try this:
-->Deleted BD and EPG objects for Client_A and instead configured a new "L3Out_Client_A"; under its Logical-Interface-Profile an IP 187.188.1.30/28 was assigned under SVI interface with trunk mode (and VLAN = 100).
Neither dynamic routing protocol nor static route were configured under this new L3Out, just IP address for SVI.
-->Then performed "Transit Routing" to communicate L3Out_Client_A with L3Out_Internet.
-->Contract between external EPGs and "External Subnets for the External EPG & Export Route Control Subnet" check boxes were selected in accordance with the network learning flow.
-->Finally, we applied DPP under L3Out_Client_A and both Download/Upload traffic were shaped correctly (as expected per the config guide). With this "alternative" we don't impact other clients' bandwidth. We can continue to create the next L3Outs on a per-client basis without modifying our current ASR1001 configuration or L3Out_Internet policy.
***My question about this is: do you know of any "limitation or scalability problem" with this kind of configuration?
Thanks again for your time.
Regards,
I.M
08-16-2022 11:48 PM
Hello Isaias,
Could you please inform me about your final solution? I faced the same issue and I need your experience with it.
Thanks a lot