Workload VPN intent creation

A workload VPN intent assigns fabric resources to specific sources of demand.

Prerequisites

Before you create a new workload VPN intent, ensure the following:

  • The region that will contain the workload VPN intent has been created.
  • All fabrics that will participate in the workload VPN intent have been created and successfully deployed.
  • The QoS profiles that you intend to use with this workload VPN intent have been created.
  • The ACL profiles that you intend to use with this workload VPN intent have been created.
  • The LAGs that you intend to act as sub-interfaces for your workload VPN intent have already been created within the system.

Procedure overview

Creating a workload VPN intent involves the following sub-tasks, each consisting of multiple steps:

  1. Create the basic workload VPN intent
  2. Add subnets to the workload VPN intent
  3. Add sub-interfaces to the workload VPN intent

Creating the basic workload VPN intent

  1. Click to open the main menu.
  2. From the menu, select Workload VPN Intents.
  3. Click + CREATE A WORKLOAD VPN INTENT to display a set of fabric templates.
    Templates are displayed in a grid view by default. To switch to the list view, select in the template selection screen. Click to return to the grid view.
  4. Click on a VPN template, then click CREATE.
    The Workload VPN Intents page displays in Workload Design view. The left panel of the page shows basic parameters for you to configure.
  5. Configure basic parameters.
    • Workload VPN Intent Name - enter a name that is unique among all the workload VPN intents managed by the system
    • Description - enter an optional description
    • Fabric Intent Type - in the drop-down list, click Real or Digital Sandbox
  6. Select one or more fabric intents to participate in the workload VPN intent:
    1. Click the Edit ( ) icon next to Fabric Intents. The system opens a list of fabric intents, filtered to show only deployed fabrics.
    2. Check the box at the left edge of the row for each fabric you want to include as part of your workload VPN intent.
    3. Click SELECT INTENTS. The system closes the Fabric Intents page and returns you to the Workload VPN Intent creation page.
  7. Click to save the latest change to the workload design.
    The display updates to show the selected fabric intent's topology. The system advances the workload VPN intent's Detailed Status to Created and its Version to 1.0.

Proceed to Adding subnets to the workload VPN intent.

Adding subnets to the workload VPN intent

  1. If you are not continuing directly from the procedure Creating the basic workload VPN intent, first open the Workload VPN Intent view by doing the following:
    1. Click to open the main menu.
    2. From the menu, select Workload VPN Intents.
  2. In the view drop-down list, select Subnets.
  3. Click +CREATE A SUBNET.
  4. Configure the basic parameters for the subnet.
    • Name - specify the name of the subnet; because the workload name is unique, you can re-use subnet names in different workload VPN intents
    • Description - enter an optional description of the subnet
  5. Specify the type of subnet.
    In the Type drop-down list, select the type of subnet:
    • bridged subnet - click Bridged, then continue with step 6.
    • routed subnet - click Routed, then continue to step 9.

      You do not add an IRB IP address here. Later, you connect the routed subnet to a sub-interface which attaches to a VRF instance.

  6. Configure parameters for the bridged subnet.

    Set the following parameters:

    • IP Anycast Gateway (V4/V6) - this IP address acts as an IRB interface. The subnet can span one, two, or more nodes.

      Click +ADD to add an IP address. In the Add IP Anycast Gateway form that displays, add the IP address. If the IP address is the primary, click the Primary field. Click ADD.

    • If your subnet includes IPv4 addresses, enable the following fields:
      • IPv4 Learn Unsolicited ARP Enabled
      • IPv4 Host Route Enabled
    • If your subnet includes IPv6 addresses, enable the following fields:
      • IPv6 Learn Unsolicited ARP Enabled
      • IPv6 Host Route Enabled
    • ACL Profile - select an existing profile that the system should apply to the current subnet's traffic. An ACL profile can only be applied to a bridged subnet for which a gateway IP address has been configured.
    • BFD - enable the toggle to use BFD.
      Note: BFD is supported only on bridged subnets for which a gateway IP address has been configured.
    • IP Maximum Transmission Unit - specify the MTU value
  7. Optional: Set a specific pool VNI from which the Fabric Services System allocates VNI and route targets for an IP-VRF or MAC-VRF object within a workload VPN intent.
    You can use these settings to configure the Fabric Services System to automatically derive a route target, while ensuring that the values used do not overlap with existing services elsewhere in the data center. You can update the following fields:
    • VNI: specify a VNI from the VNI pool for the given subnet
    • Provision Type: select Automatically Derived or Manual. If you select Manual, you can set the following fields:
      • Import Route Target - specify the name of a BGP policy to use as an import policy
      • Export Route Target - specify the name of a BGP policy to use as an export policy
  8. Optional: Enable MAC duplication detection.
    1. In the Mac Duplication Detection pane, enable the Mac Duplication Detection field.
    2. Configure the relevant parameters.
      Set the following parameters:
      • Action: select from the following values:
        • stop learning - the MAC address is not relearned on this or any sub-interface
        • blackhole - frames received on this or any other sub-interface are dropped if the MAC source address or the mac-vrf MAC destination address matches a blackhole MAC address. The MAC source address is still learned.
        • oper-down - the sub-interface is disabled with an error message indicating that a duplicate MAC was detected; frames arriving on a different sub-interface with the same source address are dropped
      • Hold Down Time - the time to wait from the moment a MAC address is declared duplicate before it is flushed from the bridge table, after which the monitoring process for the MAC is restarted
      • Monitoring Window - the period during which the moves are observed
      • Num Moves - the number of moves during the monitoring window after which a MAC address is considered a duplicate
  9. Click CREATE.
    The newly added subnet appears in the Subnets view.
  10. In the view drop-down list, select Workload Design.
  11. Click to save the latest change to the workload design.

Proceed to Adding sub-interfaces to the workload VPN intent.

Adding sub-interfaces to the workload VPN intent

If you intend to select sub-interfaces by their label, you must have assigned labels to the intended sub-interfaces.
A workload sub-interface consists of an edge-link port or LAG with which you associate ACL and QoS policies. Each sub-interface is associated with a previously created subnet.

The Fabric Services System supports two methods for selecting the edge link port or LAG that constitutes a sub-interface:

  • Node and Interface: explicitly select a node and then an interface on that node.
  • Interface Label Selector: assign the Edge-Link label to a set of objects, and then select the label from among those previously created and assigned to underlay interfaces. All interfaces with the specified label are selected.

To add one or more sub-interfaces to the workload VPN intent:

  1. Do one of the following:
    • Open the subnet list and click the More actions icon ( ) at the right edge of the row. Select Create Sub-Interface from the displayed list.
    • Select Sub-Interfaces from the Workload VPN intent's view menu and then click +CREATE A SUB-INTERFACE in the resulting sub-interfaces page.
  2. In the Basic Properties pane, set the following parameters:
    • Description - enter an optional description
    • Encap Type - for bridged subnets, configures the encapsulation settings:
      • UnTagged - specifies that untagged frames can be captured on tagged interfaces
      • Single Tagged - you can specify one of the following options:
        • Vlan ID Any - specifies that non-configured VLAN IDs or untagged traffic are classified to a layer-2 sub-interface
        • Vlan ID - specify a value from 1 to 4094
    • ACL Profile - select an ACL profile
    • IP Gateway (V4/V6) section - click +ADD.

      In the IP Anycast Gateway form, enter an IP address. The interface you select here can be a LAG, if the LAG has already been provisioned.

      If the IP address is the primary gateway, set the Primary field. To form a BGP peering session between a multi-netted interface and a neighbor, one of the gateway IP addresses must be set to primary. Click SAVE. Continue adding IP addresses until the IP gateway list is complete.

  3. Specify the type of association.
    In the Association Type drop-down list:
    • to select sub-interfaces by label, select Interface Label Selector and go to step 4.
    • to select sub-interfaces by selecting individual nodes and ports, select Node and Interface, then go to step 5.
  4. In the Associations panel, select Interface Label Selector.
    1. In the Interface Label Selector field, click to open the Label Picker form.
    2. From the list of labels, locate the "Edge-Link" label you created previously to identify the edge link ports. Click on the left end of the row beside the label.
    3. Click SELECT to close the Label Picker form.
    4. Repeat sub-steps 4.a through 4.c until you have selected all of the intended sub-interfaces.
    5. Go to step 6.
  5. In the Association pane, select the node ID and interface.
    1. In the Node ID field, select a node ID associated with a leaf node.
      You must select a leaf node here, because only leaf nodes possess the edge link connections required by the eventual workload.
    2. In the Interface Name field, select an interface name to identify a specific interface on the selected node.
  6. If MAC duplication detection is enabled for the subnet to which this sub-interface belongs, set the Action field.
    Select from the following values:
    • use-network-instance-action - the sub-interface action is inherited from the mac-vrf action; this is the default setting
    • stop learning - the MAC address is not relearned on this sub-interface
    • blackhole - frames received on this sub-interface are dropped if the MAC source address or the mac-vrf MAC destination address matches a blackhole MAC address (the MAC source address is still learned)
    • oper-down - the sub-interface is disabled with an error message indicating that a duplicate MAC was detected; frames arriving on a different sub-interface with the same source address are dropped
  7. In the QoS pane, assign QoS profiles for the following fields:
    • QoS Classifier IPv4
    • QoS Rewrite Rules IPv4 - only for a routed subnet
    • QoS Classifier IPv6
    • QoS Rewrite Rules IPv6 - only for a routed subnet
  8. Click the CREATE button.
  9. In the view drop-down list, click Workload Design.
  10. Click to save the latest change to the workload design.
  11. Click GENERATE WORKLOAD.
    The system generates configuration data for the nodes involved in the workload VPN intent and advances the workload state to Configuration Generated. The workload version remains 1.0.
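The following simulation is an added example, not Fabric Services System code, of how the MAC duplication detection parameters from step 8 of "Adding subnets" (Num Moves, Monitoring Window, Hold Down Time, Action) and the per-sub-interface Action override from step 6 above interact: a MAC that moves between sub-interfaces Num Moves times within the window is declared a duplicate, the effective action applies until the hold-down expires, then the MAC is flushed and monitoring restarts. The sub-interface names, MAC addresses and timer values are constructed for the scenario.

```python
from dataclasses import dataclass, field

INHERIT = "use-network-instance-action"   # sub-interface inherits the mac-vrf Action

@dataclass
class MacVrf:
    action: str               # subnet-level Action: stop-learning | blackhole | oper-down
    hold_down_time: float     # Hold Down Time, seconds
    monitoring_window: float  # Monitoring Window, seconds
    num_moves: int            # Num Moves
    subif_action: dict = field(default_factory=dict)  # sub-interface -> Action override
    table: dict = field(default_factory=dict)         # bridge table: mac -> sub-interface
    moves: dict = field(default_factory=dict)         # mac -> timestamps of recent moves
    hold: dict = field(default_factory=dict)          # duplicate mac -> (action, expiry, subif)
    oper_down: set = field(default_factory=set)       # sub-interfaces disabled by oper-down

    def effective_action(self, subif):
        override = self.subif_action.get(subif, INHERIT)
        return self.action if override == INHERIT else override

    def frame(self, now, src, dst, subif):
        """Process one frame arriving on sub-interface `subif`; return 'forward' or 'drop'."""
        for mac, (_, expiry, where) in list(self.hold.items()):
            if now >= expiry:  # hold-down over: flush the MAC and restart monitoring
                del self.hold[mac]
                self.table.pop(mac, None)
                self.moves.pop(mac, None)
                self.oper_down.discard(where)
        if subif in self.oper_down:
            return "drop"
        if any(m in self.hold and self.hold[m][0] == "blackhole" for m in (src, dst)):
            return "drop"  # source or destination matches a blackholed MAC
        if src in self.hold:  # oper-down drops the source elsewhere; stop-learning forwards
            return "drop" if self.hold[src][0] == "oper-down" else "forward"
        prev = self.table.get(src)
        if prev is not None and prev != subif:  # the MAC moved
            recent = [t for t in self.moves.get(src, []) if now - t <= self.monitoring_window]
            recent.append(now)
            self.moves[src] = recent
            if len(recent) >= self.num_moves:  # Num Moves within the window: duplicate
                act = self.effective_action(subif)
                self.hold[src] = (act, now + self.hold_down_time, subif)
                if act == "oper-down":
                    self.oper_down.add(subif)
                    return "drop"
                if act == "blackhole":
                    self.table[src] = subif  # source is still learned, then blackholed
                    return "drop"
                return "forward"  # stop-learning: keep the old bridge-table entry
        self.table[src] = subif
        return "forward"

def run_scenario(action, subif_action=None):
    """Constructed scenario: one host MAC flaps between two sub-interfaces every 0.5 s."""
    vrf = MacVrf(action, 9.0, 3.0, 3, subif_action or {})
    results = []
    for i, subif in enumerate(["e1-1.100", "e1-2.100"] * 3):
        results.append(vrf.frame(i * 0.5, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", subif))
    return vrf, results
```

With the constructed values, the third move at 1.5 s triggers the action; a frame sent after the 9 s hold-down shows the MAC being relearned cleanly.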

Configuring BGP

Because you create BGP within a workload VPN intent, you must have created a workload VPN intent before you configure BGP.

Border Gateway Protocol (BGP) is an inter-AS routing protocol. An AS is a network or a group of routers logically organized and controlled by common network administration. BGP enables routers to exchange network reachability information, including information about other autonomous systems that traffic must traverse to reach other routers in another AS.

When you use BGP as the provider edge (PE) or customer edge (CE) routing protocol, you configure external peering between the provider's AS and the customer network AS.

When you create eBGP links between leaf nodes and customer autonomous systems, the customer autonomous systems may learn of routes through the fabric from different sources. The eBGP links created with the Fabric Services System are configured so that a customer AS prefers the route it learns from its local peer, because that is likely the most efficient path. This is achieved using the BGP Local Preference attribute, which the Fabric Services System sets to a value of 130 for links between peers (while other links generally have a preference value of 100). This behavior is automatic and is not configurable.

You can optionally specify global import and export BGP policies for a workload BGP group. You can also specify import and export policies at the BGP group or BGP neighbor level to override the settings at the global or group level.
Note: The Fabric Services System does not check the validity of the policy names that you specify; the BGP policies are assumed to be configured on the node using the global configuration override feature or some other mechanism.
  1. Choose one of the following:
    • If you are configuring BGP for a workload VPN intent that has not yet been deployed, open the workload VPN intent in Workload Design view and go to step 2.
    • If you are configuring BGP for a workload VPN intent that is already deployed, begin by creating a new candidate version of the existing workload VPN intent.
  2. From the view drop-down list, select Routing.
    The Routing page displays, showing a list of nodes within the workload's fabric or fabrics that are available for BGP configuration.
  3. Select the row of a node on which to configure BGP.
  4. Click the icon () at the right edge of the row and select Open BGP from the displayed More actions menu.
  5. Create a BGP group.
    • To create a BGP group with some default values, go to step 6.
    • To create a BGP group and configure all available values manually, go to step 8.
  6. Create the initial PE-CE BGP group.
    1. In the Workload BGP pane, set the global parameters for the workload PE-CE BGP:
      • Router ID - the router ID
      • Autonomous System - the BGP instance-level local AS
      • Import Policy - the name of a BGP policy to use as an import policy
      • Export Policy - the name of a BGP policy to use as an export policy
    2. Click SAVE.
    The system saves the global parameters and creates a new BGP group that appears in the list on the BGP Groups pane. This BGP group is a read-only collection of the BGP configuration parameters you entered, plus some automatic configuration settings.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  7. Go to step 9.
  8. Create a PE-CE BGP group.
    1. In the Create BGP Groups pane, click + CREATE BGP GROUP.
    2. Set the following parameters for the BGP group:
      • Group Name - the name of the BGP group
      • BFD - click the toggle to enable or disable Bidirectional Forwarding Detection (BFD) on the BGP sessions established by neighbors belonging to this group
      • Connect-Retry - the duration of the connect-retry timer
      • Override Peer AS - specify a peer AS to use for neighbors that belong to this group
      • Local AS - specify a local AS to use for neighbors that belong to this group
      • IPv4 Unicast - select Enable to advertise/receive IPv4 unicast routes to neighbors belonging to this group
      • IPv6 Unicast - select Enable to advertise/receive IPv6 unicast routes to neighbors belonging to this group
      • Minimum-Advertisement-Interval - the minimum advertisement interval for all neighbors in this group
      • Import Policy - the name of a BGP policy to use as the import policy
      • Export Policy - the name of a BGP policy to use as the export policy
    The system saves these parameters and creates a new BGP group that appears in the list on the BGP Groups pane. This BGP group is a read-only collection of the BGP configuration parameters you entered.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  9. Create a BGP neighbor.
    1. In the BGP Neighbors pane, click + CREATE BGP NEIGHBOR.
    2. Set the following parameters in the Basic Properties pane:
      • Peer Address - the address of the BGP neighbor, in IPv4 or IPv6 format
      • Local Address - the local address to use for this peering session
      • Group Name - a default group name is suggested; retain this value or enter a new one.
      • Override Peer AS - by default, this field is disabled and the main or group BGP configuration peer AS is used by all peers belonging to this group; if enabled, enter a peer AS
      • Override Local AS - by default, this field is disabled and the main or group BGP configuration local AS is used by all peers belonging to this group; if enabled, specify a local AS to use for any neighbor that belongs to this group
      • Prepend Local AS - if the local AS override is enabled for a BGP neighbor, you can optionally disable prepending the global AS
      • IPv4 Unicast - select Enable to advertise/receive IPv4 unicast routes to/from this neighbor
      • IPv6 Unicast - select Enable to advertise/receive IPv6 unicast routes to/from this neighbor
      • Import Policy - the name of a BGP policy to use as the import policy
      • Export Policy - the name of a BGP policy to use as the export policy
    3. Click CREATE.
      The Create BGP Neighbor overlay closes. The new neighbor appears in the list of BGP neighbors on the Create BGP overlay.
  10. Repeat step 9 until all required BGP neighbors have been created.
  11. On the Create BGP overlay, click SAVE.
  12. Update the workload VPN intent with the new BGP information:
    1. On the Workload VPN Intents page, click the view drop-down list and select Workload Design.
    2. Click GENERATE WORKLOAD.
      The workload data updates to include the new BGP information. The system also adds default policy information to the workload configuration.

      To view the new workload in detail, you can view the configuration code.

Editing router definitions

You can edit the VNI and route targets for the default router.

  1. From the main menu, select Workload VPN Intents.
  2. Locate the workload VPN intent and, at the right edge of its row, click the Table Row Actions icon and select Open.
  3. From the Workload VPN Intent drop-down list, select Routers.
  4. At the right edge of the row for the default router, click the Table Row Actions icon and select Open.
  5. Configure route target definitions.
    You can update the following fields:
    • VNI
    • Provision Type: select Automatically Derived or Manual. Select Manual to specify route targets for the subnet; set the following fields:
      • Import Route Target - specify the name of a BGP policy to use as an import policy
      • Export Route Target - specify the name of a BGP policy to use as an export policy