Data Plane Policing for Egress traffic policing under an EPG (VLAN)

Isaias1010
Level 1

Hi everyone,

We were wondering if it is possible to shape egress traffic in an EPG; we cannot apply DPP under the L3Out because it will be shared between more than 100 final customers and we need some internet access control for download & upload. The internet service is offered per EPG (per-client) with contracts to our L3Out ExtEPG.

We are using APIC version 4.2(4i) and N9K-C93180YC-FX switches for Border Leaves.

I've just read this guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/security/b-Cisco-APIC-Security-Configuration-Guide-421/b-Cisco-APIC-Security-Configuration-Guide-421_chapter_01100.html

It seems it only works for ingress traffic, but I need to validate. Please, can anyone confirm?


Thanks in advance, regards.

Isa M.

7 Replies

Francesco Molino
VIP Alumni
Not checked the new release notes but it wasn’t supported. This is what the documentation said:
Egress traffic policing is not supported for the EPG level policer.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,
Thanks for your quick reply,

I really need that feature working to shape traffic on the egress direction, is there some alternative?
Has somebody deployed such kind of requirement by using EPG (VLAN)?

I really appreciate some options...

best,
Isa M.

Don't know your exact design, but if you need to do that for multiple customers, applying it on the L3 won't work, because even if you apply a specific DSCP in your contract for the particular flow, at the end you'll have only 3 classes to play with.
Other solution would have been applying it on the L2 interface but I believe these are also shared right?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

Yes, that's correct; both the L3Out and its routed interfaces are shared for internet access to multiple customers. On the client side, we receive an L2 device with an 802.1q trunk interface with at least 3 VLANs: VM service, backup services & internet service. The last one is delivered over one EPG (mapped to the same L2 interface with its VLAN-ID for Encap), so we planned to shape at EPG level. That way we wouldn't need to create more L3Out objects.
It seems I'm stuck, but maybe I'll find an alternative solution...

I really appreciate your help.

Regards
Isa

Maybe adapt the design to not do policing on your ACI but on the upstream device, after you've passed the L3Out, on a firewall or router.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Unfortunately we cannot add an extra L3 device to perform this job.

After thinking a little more about it, I found a possible workaround, but first, let me introduce you to our "current topology":


*We have just one "L3Out_Internet" to a pair of Cisco ASR1001 (BGP over OSPF) that every client must use to reach internet. Configuration on client side uses its individual Bridge Domain "BD_VLAN_100" with one subnet (e.g. IP address = 187.188.1.30/28) and assignment to "EPG_Client_A" with its port-path mapping & Encap VLAN=100 (BD=EPG=VLAN). L3Out assignment to said BD and individual Contract were already configured.

*Client must first send its traffic to the BD (default gateway) and then to "L3Out_Internet" to reach the ASR1001 and the Internet. Nothing special in this situation. The requirement was to perform Data Plane Policing at EPG level in order to shape both Download/Upload traffic (let's say 10 Mbps) for "Client_A", but it was impossible to perform traffic shaping for egress traffic!


So we decided to try this:
--> Deleted the BD and EPG objects for Client_A and instead configured a new "L3Out_Client_A"; under its Logical Interface Profile the IP 187.188.1.30/28 was assigned to an SVI interface in trunk mode (VLAN = 100).

Neither a dynamic routing protocol nor a static route was configured under this new L3Out, just the IP address for the SVI.

--> Then performed "Transit Routing" to communicate L3Out_Client_A with L3Out_Internet.

--> A contract between the external EPGs was applied, and the "External Subnets for the External EPG" & "Export Route Control Subnet" check boxes were selected in accordance with the network learning flow.

--> Finally, we applied DPP under L3Out_Client_A and both Download/Upload traffic were shaped correctly (as expected per the config guide). With this "alternative" we don't impact other clients' bandwidth. We can continue to create the next L3Outs on a per-client basis without modifying our current ASR1001 configuration or the L3Out_Internet policy.

My question on this is: do you know of some "limitation or scalability problem" with this kind of configuration?

Thanks again for your time.

regards
I.M
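To make the workaround above concrete, here is an added example (my own script, not the poster's configuration or Cisco's code) that builds the APIC XML for one per-customer L3Out with a trunked SVI and both an ingress and an egress DPP policer, and encodes the restriction quoted earlier in the thread that the EPG-level policer has no egress direction. The APIC class and attribute names (qosDppPol, l3extRsPathL3OutAtt, l3extRsIngressQosDppPol, l3extRsEgressQosDppPol), the tenant and VRF names, node 101, eth1/1 and the router-id are assumptions to verify against your own APIC before posting anything.

```python
import xml.etree.ElementTree as ET

# Restriction quoted in this thread: EPG-level DPP is ingress only; the L3Out
# logical interface is the scope where egress policing was observed to work.
EGRESS_CAPABLE_SCOPES = {"l3out-interface"}

def dpp_attachment_allowed(scope: str, direction: str) -> bool:
    """True if a DPP policer may be attached at this scope in this direction."""
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown direction {direction!r}")
    return direction == "ingress" or scope in EGRESS_CAPABLE_SCOPES

def dpp_policy(name: str, rate_mbps: int, burst_kb: int) -> ET.Element:
    """1-rate/2-color policer: conforming traffic forwarded, excess dropped.
    Attribute names assumed from the APIC object model (qosDppPol)."""
    return ET.Element("qosDppPol", name=name, type="1R2C", mode="bit",
                      rate=str(rate_mbps), rateUnit="mega",
                      burst=str(burst_kb), burstUnit="kilo",
                      conformAction="transmit", exceedAction="drop")

def customer_l3out(tenant, vrf, customer, vlan, svi_addr, node, path, rate_mbps):
    """Tenant subtree: one L3Out per customer, trunked SVI, policer both ways."""
    pol_name = f"DPP_{customer}_{rate_mbps}M"
    ten = ET.Element("fvTenant", name=tenant)
    ten.append(dpp_policy(pol_name, rate_mbps, burst_kb=100))
    out = ET.SubElement(ten, "l3extOut", name=f"L3Out_{customer}")
    ET.SubElement(out, "l3extRsEctx", tnFvCtxName=vrf)
    nodep = ET.SubElement(out, "l3extLNodeP", name=f"NodeP_{customer}")
    # No routing protocol is configured (as in the thread); rtrId is a placeholder.
    ET.SubElement(nodep, "l3extRsNodeL3OutAtt",
                  tDn=f"topology/pod-1/node-{node}", rtrId=f"{node}.0.0.1")
    ifp = ET.SubElement(nodep, "l3extLIfP", name=f"IfP_VLAN_{vlan}")
    # SVI in trunk mode (mode="regular" = tagged) carrying only this VLAN.
    ET.SubElement(ifp, "l3extRsPathL3OutAtt",
                  tDn=f"topology/pod-1/paths-{node}/pathep-[{path}]",
                  ifInstT="ext-svi", encap=f"vlan-{vlan}", addr=svi_addr,
                  mode="regular")
    # Attach the same policer in both directions at the L3Out interface scope.
    for direction, cls in (("ingress", "l3extRsIngressQosDppPol"),
                           ("egress", "l3extRsEgressQosDppPol")):
        assert dpp_attachment_allowed("l3out-interface", direction)
        ET.SubElement(ifp, cls, tnQosDppPolName=pol_name)
    return ten

if __name__ == "__main__":
    # Values from the thread: VLAN 100, SVI 187.188.1.30/28, 10 Mbps for Client_A.
    tree = customer_l3out("Tenant_ISP", "VRF_Internet", "Client_A", 100,
                          "187.188.1.30/28", 101, "eth1/1", 10)
    print(ET.tostring(tree, encoding="unicode"))
```

Calling `dpp_attachment_allowed("epg", "egress")` returns False, which is exactly the design constraint that forced the per-customer L3Out.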

Hello Isaias,

Could you please inform me about your final solution?

I faced the same issue and I need your experience with it.

Thanks a lot

Mohammad najarian
CCIE #65604
