The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
I haven't worked with the Nexus series, but generally you can't shape ingress (although you can police).
Normally in vs. out on an interface, VLAN or otherwise, is similar to ACLs, i.e. in for ingress traffic to that interface and out for egress traffic on the interface. Since you note the servers are on those VLANs, you could police them as the traffic ingresses the interface they are connected to or police/shape the traffic to the servers as it egresses the interface toward them. (Normally you want to police or shape ASAP.) Although since you didn't describe the topology in full, from what you did describe, the traffic might bypass the switch(es) VLAN interface(s) going between VLANs 20 and 21.