Creating a workload VPN intent

A workload intent assigns fabric resources to specific sources of demand, as described in Elements of a workload intent.

Prerequisites

Before you create a new workload intent, ensure the following:

  • The region that will contain the workload intent has been created; see Deployment regions.
  • All fabrics that will participate in the workload intent have been created and successfully deployed; see Fabric intents.
  • Any QoS profiles you intend to use with this workload intent have been created; see Creating and managing QoS profiles.
  • Any ACL profiles you intend to use with this workload intent have been created; see Creating and managing ACL profiles.
  • Any LAGs you intend to use as sub-interfaces for your workload intent have already been created within the system; see Creating LAGs.

Procedure overview

Creating a workload intent involves the following sub-tasks, each consisting of multiple steps:

  1. Create the basic workload intent
  2. Add subnets to the workload intent
  3. Add sub-interfaces to the workload intent

Next steps

You are now ready to begin with the first sub-task, Creating the basic workload intent.

Creating the basic workload intent

  1. Click the main menu icon to open the main menu.
  2. From the menu, select Workload VPN Intents.
  3. Click the + CREATE A WORKLOAD VPN INTENT button to display a set of fabric templates.
    Templates are displayed in a grid view by default. To switch to the list view, click the list view icon in the template selection screen; click the grid view icon to return to the grid view.
  4. Click VPN Template and click CREATE.
    The Workload VPN Intents page displays in Workload Design view. The left panel of the page shows basic parameters for you to configure.
  5. Configure basic parameters:
    1. Enter a Workload VPN Intent Name. This name must be unique among all the workload intents managed by the system.
    2. Optional: Enter a Description.
  6. Choose a Fabric Intent Type (either Real or Digital Sandbox).
  7. Select one or more fabric intents to participate in the workload intent:
    1. Click the Edit icon next to Fabric Intents. The system opens a list of fabric intents, filtered to show only deployed fabrics.
    2. Check the box at the left edge of the row for each fabric you want to include as part of your workload intent.
    3. Click the SELECT INTENTS button. The system closes the Fabric Intents page and returns you to the Workload VPN Intent creation page.
  8. Click the Save icon to save the latest change to the workload design.
    The display updates to show the topology of the selected fabric intents. The system advances the workload intent's Detailed Status to Created and its Version to 1.0.

You are now ready to proceed to Adding subnets to the workload intent.

Adding subnets to the workload intent

  1. If you are not continuing directly from the procedure Creating the basic workload intent, first open the Workload VPN Intent view by doing the following:
    1. Click the main menu icon to open the main menu.
    2. From the menu, select Workload VPN Intents.
  2. In the View drop-down, select Subnets.
  3. Do the following for each bridged subnet you want to add to the workload intent:
    1. Click +CREATE A SUBNET. The Workload Subnets page displays.
    2. Enter a Name for the subnet.
      Because the workload name is unique, you can re-use subnet names in different workload intents.
    3. Optionally, enter a Description for the subnet.
    4. Select a subnet Type of Bridged.
    5. Click +ADD.
      An Add Entry dialog displays.
    6. Optionally, enter an IP address for the subnet's IP Anycast Gateway.
      This address is configured on an IRB interface and is shared by every node that hosts the subnet, so the subnet can span one, two, or more nodes.
    7. Click ADD.
    8. Continue to add gateways until the list is complete.
      The system can currently accommodate up to four gateways.
    9. If your subnet includes IPv4 addresses, set the IPv4 Learn Unsolicited ARP Enabled drop-down to either True or False.
    10. If your subnet includes IPv6 addresses, set the IPv6 Learn Unsolicited ARP Enabled drop-down to either True or False.
      When set to True, the gateway populates its neighbor table from ARP or Neighbor Discovery messages it did not request (for example gratuitous ARP). This speeds up learning after a workload moves, but it also lets any host on the subnet install entries for addresses it does not own, which widens the ARP/ND spoofing surface. Leave it set to False unless the workload depends on unsolicited learning.
    11. In the ACL Profile field, select an existing profile that the system should apply to the current subnet's traffic.
      An ACL profile can only be applied to a bridged subnet for which an IP Anycast Gateway address has been configured.
    12. Set the Workload Specific ACL Optimization drop-down to either On or Off.
      Setting this value to On causes the system to verify that the selected ACL profile's source IP address range is contained within the subnets of the Gateway IP addresses you entered for this subnet.

      Setting this value to Off disables this validation check.

    13. Select an IP Maximum Transmission Unit (MTU) value.
    14. Click the CREATE button.
  4. Do the following for each routed subnet you want to add to the workload intent:
    1. Click +CREATE A SUBNET.
    2. Enter a Name for the subnet.
      Because the workload name is unique, you can re-use subnet names in different workload intents.
    3. Optionally, enter a Description for the subnet.
    4. Select a subnet Type of Routed.
      You do not add an IRB IP address here. Later, you connect the routed subnet to a sub-interface which attaches to a VRF instance.
    5. Click the CREATE button.
  5. In the View drop-down, select Workload Design.
  6. Click the Save icon to save the latest change to the workload design.

You are now ready to proceed to Adding sub-interfaces to the workload intent.

Adding sub-interfaces to the workload intent

If you intend to select sub-interfaces by their label, you must have assigned labels to the intended sub-interfaces as described in Assigning labels to an edge link interface.
A workload sub-interface consists of an edge-link port or LAG with which you associate ACL and QoS policies. Each sub-interface is associated with a previously created subnet.

The Fabric Services System supports two methods for selecting the edge link port or LAG that constitutes a sub-interface:

  • Node and Interface: explicitly select a node and then an interface on that node.
  • Port Group Label: assign an Edge-Link label to the intended underlay interfaces, then pick that label from the labels previously created and assigned. All interfaces carrying the selected label are included.

To add one or more sub-interfaces to the workload intent:

  1. Do one of the following:
    • Open the subnet list and click the More actions icon at the right edge of the row. Select Create Sub-Interface from the displayed list.
    • Select Sub-Interfaces from the Workload VPN intent's View menu and then click +CREATE A SUB-INTERFACE in the resulting sub-Interfaces page.
  2. In the Basic Properties panel, do the following:
    1. Optionally, enter a Description for the sub-interface.
    2. Select the VLAN ID.
    3. Select an ACL Profile.
    4. If this is a sub-interface associated with a routed subnet, set the Workload Specific ACL Optimization drop-down to either On or Off.
      Setting this value to On causes the system to verify that the selected ACL profile's source IP address range is contained within the set of Gateway IP addresses you enter for this sub-interface.

      Setting this value to Off disables this validation check.

  3. Do one of the following:
    • To select sub-interfaces by label, go to step 4.
    • To select sub-interfaces by selecting individual nodes and ports, go to step 5.
  4. In the Associations panel, do the following:
    1. In the Association Type drop-down, select Port Group Label.
    2. In the Port Group Label field, click to open the Label Picker dialog.
    3. From the list of labels, locate the Edge-Link label you created previously to identify the edge link ports, and check the box at the left end of its row.
    4. Click SELECT to close the Label Picker dialog.
    5. Repeat sub-steps 4.2 through 4.4 until you have selected all of the intended sub-interfaces.
    6. Go to step 6.
  5. In the Associations panel, do the following:
    1. Select an existing Subnet.
    2. Note that the Association Type is set to Node and Interface. This is a read-only value.
    3. Select a Node ID associated with a leaf node.
      You must select a leaf node here, because only leaf nodes possess the edge link connections required by the eventual workload.
    4. Select an Interface Name to identify a specific interface on the selected node.
      The interface you select here can be a LAG, if the LAG has already been provisioned.
    5. Click +ADD above the IP Gateway field.
    6. Enter an IP address and click ADD.
    7. Repeat sub-steps 5.5 and 5.6 until the IP Gateway list is complete.
  6. In the QoS panel, assign QoS profiles for the following:
    • QoS Classifier IPv4
    • QoS Rewrite Rules IPv4 (only for a routed subnet)
    • QoS Classifier IPv6
    • QoS Rewrite Rules IPv6 (only for a routed subnet)
  7. Click the CREATE button.
  8. In the View drop-down, select Workload Design.
  9. Click the Save icon to save the latest change to the workload design.
  10. Click GENERATE WORKLOAD.
    The system generates configuration data for the nodes involved in the workload intent and advances the workload State to Configuration Generated. The workload Version remains 1.0.
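The Workload Specific ACL Optimization check, described in words for bridged subnets (step 3.12 of Adding subnets) and again for sub-interfaces on routed subnets (step 2.4 above), is easy to get wrong when an ACL mixes address families or uses a catch-all source. The following Python is an added example written for this page, not Fabric Services System code: it reconstructs that containment test. It assumes each gateway address is supplied with its prefix length and that the ACL profile's source ranges are available as CIDR prefixes; both are assumptions, since the product's internal representation is not documented here. The sample addresses are constructed.

```python
import ipaddress


def gateway_networks(gateway_addresses):
    """Turn gateway addresses written with a prefix length (e.g. '10.10.1.1/24')
    into the networks they serve. A bare host address is rejected because it
    says nothing about the subnet the gateway fronts. (Assumption: the UI's
    gateway entries carry a prefix length.)"""
    nets = []
    for gw in gateway_addresses:
        if "/" not in gw:
            raise ValueError(f"gateway {gw!r} needs a prefix length")
        nets.append(ipaddress.ip_interface(gw).network)
    return nets


def sources_outside_gateways(acl_source_prefixes, gateway_addresses):
    """Return the ACL source prefixes that are NOT contained in any gateway subnet.

    An empty list means the profile passes the check: every source range it
    matches on lies inside a subnet this gateway serves. Address families are
    compared explicitly so an IPv4 source is never treated as contained by an
    IPv6 gateway (subnet_of() raises on mixed families otherwise).
    """
    nets = gateway_networks(gateway_addresses)
    offending = []
    for src in acl_source_prefixes:
        src_net = ipaddress.ip_network(src, strict=False)
        contained = any(
            src_net.version == gw.version and src_net.subnet_of(gw) for gw in nets
        )
        if not contained:
            offending.append(str(src_net))
    return offending


# Constructed sample: one dual-stack bridged subnet with two anycast gateways.
GATEWAYS = ["10.10.1.1/24", "2001:db8:10::1/64"]
# An ACL whose sources are local to the subnet, and one that reaches outside it.
LOCAL_ACL_SOURCES = ["10.10.1.0/25", "2001:db8:10::/80"]
BROAD_ACL_SOURCES = ["10.10.1.0/25", "10.10.2.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("local ACL offending prefixes:", sources_outside_gateways(LOCAL_ACL_SOURCES, GATEWAYS))
    print("broad ACL offending prefixes:", sources_outside_gateways(BROAD_ACL_SOURCES, GATEWAYS))
```

The catch-all source 0.0.0.0/0 is reported as offending even though it "covers" the gateway subnet; the check is containment of the source range within the gateway subnet, not overlap, which is what the optimisation requires.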

Configuring BGP

Because you create BGP within a workload intent, you must have created a workload intent before you configure BGP.

Border Gateway Protocol (BGP) is an inter-AS routing protocol. An autonomous system (AS) is a network or group of routers under a single administrative control. BGP lets routers exchange network reachability information, including the sequence of autonomous systems that traffic must traverse to reach a destination in another AS.

When you use BGP as the PE-CE routing protocol, you configure external (eBGP) peering between the provider edge (PE) in the provider's AS and the customer edge (CE) in the customer's AS.

When you create eBGP links between leaf nodes and customer autonomous systems, the same prefix may be learned from more than one source. The eBGP links created with the Fabric Services System are configured so that the route learned from the directly attached (local) peer is preferred, because that is usually the most efficient path. This is done with the BGP Local Preference attribute: the Fabric Services System sets it to 130 for routes learned over these PE-CE links, while other routes generally carry the default value of 100. Because Local Preference is evaluated before AS path length in BGP best-path selection, the locally learned route wins even when another source offers a shorter AS path. This behavior is automatic and is not configurable.
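To make the effect of the 130-versus-100 Local Preference concrete, here is an added Python example that models the first steps of the BGP best-path decision. It is illustration written for this page, not Fabric Services System or router code; the Route fields, the sample prefix, the next hops and the AS numbers are all constructed. It shows the point the paragraph states but does not demonstrate: a route with a longer AS path still wins when it carries the higher Local Preference.

```python
import ipaddress
from dataclasses import dataclass

# Local Preference values as the page describes them: 130 for routes learned
# over the directly attached PE-CE link, 100 (the BGP default) elsewhere.
LOCAL_PEER_PREF = 130
DEFAULT_LOCAL_PREF = 100


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    router_id: str           # advertising router, used only as the final tiebreak
    as_path: tuple           # AS numbers left to right, e.g. (65010, 65011)
    local_pref: int = DEFAULT_LOCAL_PREF


def best_path(candidates):
    """Pick the best route for a single prefix.

    Only the first steps of the BGP decision process are modelled:
    1. highest LOCAL_PREF, 2. shortest AS_PATH, 3. lowest router ID.
    """
    if not candidates:
        raise ValueError("no candidate routes")
    if len({r.prefix for r in candidates}) != 1:
        raise ValueError("all candidates must carry the same prefix")
    return min(
        candidates,
        key=lambda r: (-r.local_pref, len(r.as_path), ipaddress.ip_address(r.router_id)),
    )


def deciding_attribute(winner, loser):
    """Name the first attribute on which `winner` beat `loser`."""
    if winner.local_pref != loser.local_pref:
        return "LOCAL_PREF"
    if len(winner.as_path) != len(loser.as_path):
        return "AS_PATH"
    return "ROUTER_ID"


# Constructed sample: the same customer prefix reaches a leaf two ways.
# Via the directly attached CE the AS path is longer, but the route carries
# the 130 Local Preference the page describes.
VIA_LOCAL_PEER = Route("10.20.0.0/24", "192.0.2.1", "192.0.2.1", (65010, 65011), LOCAL_PEER_PREF)
# Via another source the AS path is shorter, but it keeps the default 100.
VIA_REMOTE = Route("10.20.0.0/24", "192.0.2.9", "192.0.2.9", (65010,))

if __name__ == "__main__":
    chosen = best_path([VIA_LOCAL_PEER, VIA_REMOTE])
    other = VIA_REMOTE if chosen is VIA_LOCAL_PEER else VIA_LOCAL_PEER
    print(f"best path via {chosen.next_hop}, decided by {deciding_attribute(chosen, other)}")
```

If both routes carried the same Local Preference, the shorter AS path would win instead, which is exactly the ordering the 130 value is there to override.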

  1. Choose one of the following:
    • If you are configuring BGP for a workload intent that has not yet been deployed, open the workload intent in Workload Design view and go to step 2.
    • If you are configuring BGP for a workload intent that is already deployed, begin by creating a new candidate version of the existing workload intent as described in Creating a new version of a workload intent.
  2. From the View drop-down, select Routing.
    The Routing page displays, showing a list of nodes within the workload's fabric or fabrics that are available for BGP configuration.
  3. Select the row of a node on which to configure BGP.
  4. Click the More actions icon at the right edge of the row and select Open BGP from the displayed action menu.
  5. Create a BGP group.
    • To create a BGP group with some default values, go to step 6.
    • To create a BGP group and configure all available values manually, go to step 8.
  6. Create the initial PE-CE BGP Group.
    1. In the Workload BGP panel, enter the following global parameters for the workload PE-CE BGP:
      • Router ID
      • Peer AS
      • Local AS
    2. Click SAVE.
    The system saves the global parameters, and creates a new BGP Group that appears in the list on the BGP Groups panel. This BGP Group is a read-only collection of the BGP configuration parameters you entered, plus some automatic configuration settings.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  7. Go to step 9.
  8. Create a PE-CE BGP group:
    1. In the Create BGP Groups panel, click + CREATE BGP GROUP.
    2. Enter a Group Name.
    3. Click the BFD toggle to enable or disable Bidirectional Forwarding Detection (BFD) for the group's sessions.
    4. Enter a Connect-Retry value.
    5. Click the Override Peer AS toggle to enable or disable this override. If enabled, enter a Peer AS.
    6. Click the Override Local AS toggle to enable or disable this override. If enabled, enter a Local AS.
    7. Use the IPv4 Unicast drop-down to enable or disable this feature.
    8. Use the IPv6 Unicast drop-down to enable or disable this feature.
    9. Enter a Minimum-Advertisement-Interval value.
    The system creates a new BGP Group that appears in the list on the BGP Groups panel. This BGP Group is a read-only collection of the BGP configuration parameters you entered.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  9. Create a BGP neighbor:
    1. In the BGP Neighbors panel, click + CREATE BGP NEIGHBOR.
    2. Enter the following values:
      • Peer Address
      • Local Address
      • Group Name: a default group name is suggested; retain this value or enter a new one.
    3. Configure the following settings:
      • Override Peer AS: This override is disabled by default. To enable this override, click the Override Peer AS toggle and enter a Peer AS value.
      • Override Local AS: This override is disabled by default. Optionally, click the toggle to enable this override and enter a local AS value.
      • Override IPv4 Unicast: This override is disabled by default. Optionally, click the toggle to enable this override and set the IPv4 Unicast value for this neighbor.
      • Override IPv6 Unicast: This override is disabled by default. Optionally, click the toggle to enable this override and set the IPv6 Unicast value for this neighbor.
    4. Click CREATE.
      The Create BGP Neighbor overlay closes. The new neighbor appears in the list of BGP neighbors on the Create BGP overlay.
  10. Repeat step 9 until all required BGP neighbors have been created.
  11. On the Create BGP overlay, click SAVE.
  12. Update the workload intent with the new BGP information:
    1. On the Workload VPN Intents page, click the View drop-down and select Workload Design.
    2. Click GENERATE WORKLOAD.
      The workload data updates to include the new BGP information.

      The system also adds default policy information to the workload configuration. To view the new workload in detail, you can view the configuration code directly by following the procedure Viewing a workload intent as code.