We were wondering if it is possible to shape egress traffic in an EPG; we cannot apply DPP under the L3Out because it will be shared between more than 100 final customers and we need some internet access control for download & upload. The internet service is offered per EPG (per-client) with contracts to our L3Out ExtEPG.
We are using APIC version 4.2(4i) and N9K-C93180YC-FX switches for Border Leaves.
I've just read this guide:
...It seems it only works for ingress traffic, but I need to validate. Please, can anyone confirm?
Thanks in advance, regards.
Unfortunately we cannot add an extra L3 device to perform this job.
After thinking a little more about it, I found a possible workaround, but first, let me introduce you to our "current topology":
*We have just one "L3Out_Internet" to a pair of Cisco ASR1001 (BGP over OSPF) that every client must use to reach internet. Configuration on client side uses its individual Bridge Domain "BD_VLAN_100" with one subnet (e.g. IP address = 18.104.22.168/28) and assignment to "EPG_Client_A" with its port-path mapping & Encap VLAN=100 (BD=EPG=VLAN). L3Out assignment to said BD and individual Contract were already configured.
*Client must first send his traffic to BD (default Gateway) and then to "L3Out_Internet" to reach ASR1001 and Internet. Nothing special in this situation. The requirement was to perform Data Plane Policing at EPG level in order to shape both Download/Upload traffic (let's say 10Mbps) for "Client_A", but it was impossible to perform traffic shaping for egress traffic! ...
So we decided to try this:
-->Deleted BD and EPG objects for Client_A and instead configured a new "L3Out_Client_A"; under its Logical-Interface-Profile an IP 22.214.171.124/28 was assigned under SVI interface with trunk mode (and VLAN = 100).
Neither dynamic routing protocol nor static route were configured under this new L3Out, just IP address for SVI.
-->Then performed "Transit Routing" to communicate L3Out_Client_A with L3Out_Internet.
-->Contract between external EPGs and "External Subnets for the External EPG & Export Route Control Subnet" check boxes were selected in accordance with networks learning flow.
-->Finally, we applied DPP under L3Out_Client_A and both Download/Upload traffic were shaped correctly (as expected per the config guide). With this "alternative" we don't impact other clients' bandwidth traffic. We can continue to create the next L3Outs on a per-client basis without modifying our current ASR1001 configuration or L3Out_Internet policy.
***My question on this is: do you know of any "limitation or scalability problem" with this kind of configuration?
Thanks again for your time.