Dear all,
I’m in the process of configuring a couple of Nexus 9K switches (VPC) and am planning to provide internet to various clients via separate VLANs. A few questions:
What’s the best approach to limit bandwidth per client (thus on a VLAN basis)? I’m currently looking at traffic shaping and policing - and it needs to apply to both ingress/egress.
Since I’m using a VPC, is it possible to set up a policy that functions as one?
In order to achieve what you describe, you can apply either policing or shaping. These two features on Nexus devices have different behaviors. You can see these behaviors in detail here:
Note that for policing, you will have to apply shared policers, which apply bandwidth limits across multiple interfaces. You must ensure that you have the appropriate NX-OS version and platform for this. In addition, you must ensure, for both policing and shaping, that you have the appropriate NX-OS version and platform, as well as the appropriate license to activate the feature. Various versions/platforms have some limitations, such as egress-only shaping or policing. More info can be found in the above documentation.
Concerning vPC configuration, this is independent of the shaping or policing feature. You can create a vPC so that the two Nexus devices will operate as one. You can then configure either policing or shaping and such a configuration would be applied across both switches. There are some restrictions and limitations, which are also described in the documents above.
Thanks for your feedback. I need to be able to apply these policies on a per-VLAN basis, and while shaping sounds less “intrusive”, I don’t seem to have that option. Policing, on the other hand, I can apply per VLAN (via matching).
Indeed, I will play with the TCAM table to make room for egress policing.
I will do some more tests with VPCs, since I’ve had some issues where it would seem that each switch in the VPC applies its own service policy, where for example I would set up a 100 Mbit policer and the client would ultimately get 200 Mbit, since the downstream switch would be connected via 2x links in a port-channel… At least, that was the only explanation I could think of.
Thanks for sharing your experiences, and let us know how you get along. Just to confirm your suspicion: you are correct that the policy, when applied, is applied on each switch. The Cisco documentation I shared in my previous post states the following:
When the shared policer is applied on interfaces or a VLAN with member ports that are across different cores or instances, the rate becomes two times the configured CIR rate.
That makes sense - even though it’s not entirely clear whether this sentence is only valid for shared policers.
On my type of VPC switches (9372PX) I don’t have the shared policer option anyway.
Thanks again!