Elements of a workload intent

Every workload intent allocates resources that belong to one or more fabric intents that already exist in the system.

As part of workload intent design, you must select the participating fabric intent or intents. All traffic managed by the workload intent is confined to these participating fabric intents (and, more specifically, only to the subnets and sub-interfaces you select within those fabric intents).

A single fabric intent can support multiple workload intents.

A sub-network, or subnet, is a set of one or more nodes on a selected fabric.

When creating a workload intent, you identify each subnet as either bridged or routed.

• Bridged subnets can be assigned to a network-instance of type MAC-VRF. They are associated with a MAC-VRF network instance, and allow for configuration of bridge table and VLAN ingress/egress mapping.

  When adding a bridged subnet to a workload VPN intent, you associate an IP Anycast Gateway, and can associate an ACL.

  With Gateway IP, a MAC-VRF is attached to the default or ip-vrf network-instance by a single Integrated Routing and Bridging (IRB) interface. This allows routing between different MAC-VRF instances of a particular tenant or group of servers.

• Routed subnets can be assigned to a network-instance of type mgmt, default, or ip-vrf. They allow for configuration of IPv4 and IPv6 settings.

For each subnet, you identify the set of sub-interfaces over which tenant traffic can travel. These sub-interfaces can be physical or logical ports, including Link Aggregation Groups (LAGs).

Each LAG you select as a sub-interface must have been configured previously within the system as part of the Fabric Intent design, and the interfaces participating in a LAG can be located on a single node, or on multiple nodes (constituting a multi-home LAG or MH-LAG).

For each sub-interface, you can define Quality of Service (QoS) profiles that prioritize traffic, and an Access Control List that identifies the packets to be accepted or rejected.

The Fabric Services System supports Quality of Service (QoS) policies for assigning traffic to forwarding classes and remarking traffic at egress before it leaves a router. DSCP classifier policies map incoming packets to the appropriate forwarding classes, and DSCP rewrite-rule policies mark outgoing packets with an appropriate DSCP value based on the forwarding class.

After you have defined one or more QoS policies, you can assign them to workload intents to help manage the traffic associated with that workload.

For the procedure to create a QoS profile, see Creating a QoS profile.

For the steps to apply a QoS profile within a workload intent, see the "Create a sub-interface" section of the procedure Creating a workload VPN intent.

An Access Control List (ACL) profile defines a set of packet types that should be either accepted or rejected. When assigned to a subnet (for bridged subnets) or sub-interface (routed or bridged), the ACL defines the traffic that is permitted on those workload intent resources.

An ACL profile is assembled from one or more match groups. Each match group defines a particular set of properties that could be possessed by packets. The ACL then uses these match groups to specify a set of packet properties, and then includes an instruction to either accept or reject packet that conform to those properties.

Match groups thereby provide an easy way to define a set of IP addresses once, and then re-use that information in multiple ACLs.

For the procedure to create a match group, see Creating a match group.

For the procedure to create an ACL profile, see Creating an ACL profile.

For the steps to apply an ACL profile within a workload intent, see the procedures Adding subnets to the workload intent (for bridged subnets) and Adding sub-interfaces to the workload intent (for routed subnets).