Workload VPN intent creation

A workload VPN intent assigns fabric resources to specific sources of demand.

Prerequisites

Before you create a new workload VPN intent, ensure the following:

  • The region for the workload VPN intent has been created.
  • All fabrics you intend to use with this workload VPN intent have been created and successfully deployed.
  • The QoS profiles that you intend to use with this workload VPN intent have been created.
  • The ACL profiles that you intend to use with this workload VPN intent have been created.
  • The LAGs that you intend to act as sub-interfaces for your workload VPN intent have already been created within the system.

Procedure overview

Creating a workload VPN intent involves the following sub-tasks, each consisting of multiple steps:

  1. Creating the basic workload VPN intent
  2. Adding subnets to the workload VPN intent
  3. Adding sub-interfaces to the workload VPN intent

Empty workload intents

At a high level, the deployment of a workload intent involves the following tasks:

  1. Generating the configuration
  2. Adding the workload intent to the deployment queue
  3. Deploying the queue item

When automation creates or manipulates a workload intent, it does not need to know about internal states that would prevent deployment. The system allows the creation and deployment of an empty workload intent without generating an error message, including in the following cases:

  • there is no change in the candidate version
  • there are one or more subnets and routers, but no sub-interfaces
  • there are no subnets or routers and no sub-interfaces
  • other situations that normally would not allow deployment but that are not error states

Workload VPN intent parameter descriptions

This section describes the required and optional workload VPN intent parameters and the appropriate values that you can set in the platform.

Workload VPN intent parameters

Workload design parameters

Parameter

Description

Values

Workload VPN Intent Name

This parameter specifies a unique name for the workload VPN intent.

Any string value

Description

This parameter specifies an optional description for the workload VPN intent.

Any string value

Fabric Intent Type

This parameter specifies the fabric intent environment.

Real or Digital Sandbox

Fabric Intents

This parameter identifies one or more fabrics that you want to include in the workload VPN intent.

Select from existing fabric intents

Labels

This parameter specifies the labels to apply to the workload VPN intent.

The labels are not selected during workload VPN intent creation, but you can apply labels to the workload VPN intent itself later.

Supported labels

Subnet parameters

Subnet configuration parameters

The following table describes the parameters that you set when you configure a subnet.

Parameter

Description

Values

Name

This parameter specifies the name of the subnet.

String

Description

This parameter specifies the optional description for the subnet.

String

Type

This parameter specifies the type of subnet.

Bridged

Routed

Loopback

IP Anycast Gateway (V4/V6)

IP Gateway (V4/V6): For bridged subnets, specify an IP gateway to act as an IRB interface.

Primary: To form a BGP peering session between a multinetted interface and a neighbor, set one of the addresses as primary.

An IP address with a required CIDR

Router

This parameter specifies the router to which to attach this subnet.

Accept the default router presented or select an existing router from the drop-down list

BFD

This parameter enables bidirectional forwarding detection (BFD) for a bridged subnet.

IP MTU

For bridged subnets, this parameter specifies the maximum transmission unit allowed.

1500 or higher

VNI

This parameter specifies the unique VXLAN network identifier (VNI) from the selected VNI pool. If no value is specified, the Fabric Services System assigns a VNI from the VNI pool.

Provision Type

This parameter specifies whether the route targets are automatically derived or manually set. If set to Manual, you can set the following parameters:
  • Import Route Target
  • Export Route Target

Automatically Derived (the default) or Manual

Import Route Target

This parameter specifies the name of a BGP policy to use as an import policy.

String

Export Route Target

This parameter specifies the name of a BGP policy to use as an export policy.

String

Layer 2 proxy ARP

L2 proxy ARP

This parameter enables or disables Layer 2 proxy ARP on a bridged network. When this parameter is enabled, you can set the following parameters:
  • Table size
  • Duplicate IP Detection
Note: You cannot enable this parameter if a gateway has been attached to the subnet.

Default: disabled

Table size

This parameter specifies the size of the proxy ARP table, that is, the maximum number of entries.

Default: 250

Duplicate IP Detection

This field enables duplicate IP address detection for the subnet. When this field is enabled, you can configure the following settings:
  • Hold Down Time
  • Monitoring Window
  • Num Moves

Default: disabled

Hold Down Time

This parameter specifies the time, in minutes, from the moment an IP address is considered duplicate to the moment the IP address is removed from the proxy ARP table.

Integer

Default: 9

Monitoring Window

This field specifies the number of minutes that the system monitors a proxy ARP table entry following an IP address move.

Default: 3 minutes

Num Moves

This field specifies the maximum number of moves a proxy ARP table entry can have during the monitoring window before the IP is considered duplicate.

Default: 5 moves

Layer 3 proxy ARP and related settings

L3 ProxyArp Enabled

This parameter enables Layer 3 proxy ARP for a bridged subnet that is configured with a gateway IP address. For a routed subnet, Layer 3 proxy ARP is enabled on the sub-interface.

Default: disabled

IPv4 Host Route Enabled

This parameter enables the dynamic population of IPv4 host routes.

When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

IPv4 Learn Unsolicited ARP Enabled

For IPv4 addresses within the subnet, this parameter enables the learning of ARP entries out of any ARP packet arriving at the IRB sub-interface, regardless of whether there was an ARP-Request sent from the IRB.

When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

L3ProxyND Enabled

This parameter enables Layer 3 proxy neighbor discovery (ND) for a bridged subnet that is configured with a gateway IP address. For a routed subnet, Layer 3 proxy ARP is enabled on the sub-interface.

Default: disabled

IPv6 Host Route Enabled

This parameter enables the dynamic population of IPv6 host routes. When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

IPv6 Learn Unsolicited ARP Enabled

For IPv6 addresses within the subnet, this parameter enables the learning of Neighbor Discovery Request entries out of any Neighbor Discovery Request packet arriving at the IRB sub-interface, regardless of whether there was a Neighbor Discovery Request issued from the IRB.

Default: disabled

ACL parameters

Ingress ACL IPv4

This parameter specifies an existing profile that the system applies to the ingress IPv4 traffic on this subnet.

Select an existing IPv4 ACL profile from the drop-down list.

Ingress ACL IPv6

This parameter specifies an existing profile that the system applies to the ingress IPv6 traffic on this subnet.

Select an existing IPv6 ACL profile from the drop-down list.

Egress ACL IPv4

This parameter specifies an existing profile that the system applies to the egress IPv4 traffic on this subnet.

Select an existing IPv4 ACL profile from the drop-down list.

Egress ACL IPv6

This parameter specifies an existing profile that the system applies to the egress IPv6 traffic on this subnet.

Select an existing IPv6 ACL profile from the drop-down list.

MAC duplication and detection parameters

The following table describes the parameters that you set when MAC duplication and detection is enabled for the subnet.

Parameter

Description

Values

Mac Duplication Detection

This parameter enables MAC duplication detection for the subnet. When this parameter is enabled, you can set the following parameters:
  • Action
  • Hold Down Time
  • Monitoring Window
  • Num Moves

Default: disabled

Action

This parameter specifies the action to take on the sub-interface upon detecting that at least one MAC address is a duplicate:
  • stop learning: the MAC address is not relearned on this or any sub-interface
  • blackhole: frames received on this or any other sub-interface are dropped if the MAC source address or the MAC-VRF MAC destination address matches a blackhole MAC address (the MAC source address is still learned)
  • oper-down: the sub-interface is disabled with a mac-dup-detected error message; arriving frames on a different sub-interface with the same source address are dropped

Default: stop learning

Hold Down Time

This parameter specifies the time to wait from the moment a MAC address is declared duplicate before it is flushed from the bridge table, after which the monitoring process for the MAC address is restarted.

2 to 60 minutes

Default: 9

Monitoring Window

This parameter specifies the period, in minutes, during which the moves are observed.

1 to 15

Default: 3
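
The following added example (not code from the Fabric Services System or from this guide) models how the Monitoring Window, Num Moves and Hold Down Time parameters interact under the default stop learning action. The class and function names are hypothetical, the events are constructed, and two points are assumptions: a MAC is declared duplicate on the move that reaches Num Moves inside the window, and Num Moves defaults to 5 as it does for duplicate IP detection.

```python
from collections import deque


class MacDupDetector:
    """Toy model of MAC duplication detection (stop learning action only)."""

    def __init__(self, monitoring_window_min=3, num_moves=5, hold_down_min=9):
        self.window = monitoring_window_min * 60   # page default: 3 minutes
        self.num_moves = num_moves                 # assumed default: 5 moves
        self.hold_down = hold_down_min * 60        # page default: 9 minutes
        self.location = {}     # MAC -> sub-interface where it is learned
        self.moves = {}        # MAC -> timestamps of moves inside the window
        self.held_until = {}   # MAC -> time at which the hold-down expires

    def observe(self, t, mac, subif):
        """Process a frame with source `mac` seen on `subif` at time t (seconds)."""
        expiry = self.held_until.get(mac)
        if expiry is not None:
            if t < expiry:
                # stop learning: the MAC is not relearned on any sub-interface
                return "suppressed"
            # Hold-down is over: flush the entry and restart monitoring.
            del self.held_until[mac]
            self.location.pop(mac, None)
            self.moves.pop(mac, None)

        previous = self.location.get(mac)
        if previous is None:
            self.location[mac] = subif
            return "learned"
        if previous == subif:
            return "refreshed"

        # The MAC appeared on a different sub-interface: count the move.
        recent = self.moves.setdefault(mac, deque())
        recent.append(t)
        while recent[0] <= t - self.window:
            recent.popleft()           # forget moves older than the window
        if len(recent) >= self.num_moves:
            self.held_until[mac] = t + self.hold_down
            return "duplicate"
        self.location[mac] = subif
        return "moved"


def replay(events, detector=None):
    """Run (time, mac, sub-interface) events through a detector."""
    detector = detector or MacDupDetector()
    return [(t, mac, subif, detector.observe(t, mac, subif))
            for t, mac, subif in events]


# Constructed sample input. MAC addresses are from the documentation range.
LEAF1, LEAF2 = "leaf1:ethernet-1/1", "leaf2:ethernet-1/1"
FLAP_MAC, VM_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"

# A MAC that alternates between two leaves every 20 seconds (a loop or a
# spoofed source address), then reappears after the hold-down has expired.
FLAPPING = [(i * 20, FLAP_MAC, LEAF1 if i % 2 == 0 else LEAF2) for i in range(7)]
FLAPPING.append((640, FLAP_MAC, LEAF1))

# A workload that legitimately moves once and then stays put.
MIGRATION = [(0, VM_MAC, LEAF1), (300, VM_MAC, LEAF2), (900, VM_MAC, LEAF2)]

if __name__ == "__main__":
    for label, events in (("flapping", FLAPPING), ("migration", MIGRATION)):
        print(label)
        for t, mac, subif, result in replay(events):
            print(f"  t={t:>4}s {mac} on {subif}: {result}")
```

With the default timers, the fifth move at t=100s triggers detection, and the entry is only relearned once the 9-minute hold-down has passed.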

Sub-interface parameters

Sub-interface configuration parameters

Parameter

Description

Values

Subnet

The subnet with which this sub-interface is associated.

Select an existing subnet from the drop-down list

Description

A description you provide for the selected sub-interface.

String

IP Gateway (V4/V6)

IP address of the forwarding device.

If the IP address is the primary gateway, set the Primary field. To form a BGP peering session between a multi-netted interface and a neighbor, one of the gateway IP addresses must be set to primary.

Enter the IP address of the gateway device.

Encap Type

For bridged subnets, this parameter configures encapsulation settings:
  • UnTagged - specifies that untagged frames can be captured on tagged interfaces
  • Single Tagged - you can specify one of the following options:
    • Vlan ID Any - specifies that non-configured VLAN IDs and untagged traffic are classified to a layer-2 sub-interface
    • Vlan ID - specify a value from 1 to 4094

UnTagged or Single Tagged

IP MTU

The maximum transmission unit for the sub-interface; this is the maximum size for an IP packet that is not fragmented in the course of transmission.

1500+

Association parameters

Association Type

The method used to associate this sub-interface with its "parent" subnet.

Node and Interface, Interface label selector

Node ID

The node within the fabric on which the current sub-interface is located.

Select an existing leaf node within the fabric or fabrics associated with this workload VPN intent.

Interface Name

The specific interface on the selected node with which this sub-interface is associated. This setting can be a LAG.

Select an interface from the drop-down list.

Layer 3 proxy ARP and related parameters

L3 ProxyArp Enabled

This parameter enables L3 proxy ARP for a sub-interface attached to a routed subnet.

Default: disabled

IPv4 Host Route Enabled

This parameter enables the dynamic population of IPv4 host routes. When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

IPv4 Learn Unsolicited ARP Enabled

For IPv4 addresses within the subnet, this parameter enables the learning of ARP entries out of any ARP packet arriving at the IRB sub-interface, regardless of whether there was an ARP-Request sent from the IRB. When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

L3ProxyND Enabled

This parameter enables L3 proxy ND for a sub-interface attached to a routed subnet.

Default: disabled

IPv6 Host Route Enabled

This parameter enables the dynamic population of IPv6 host routes. When the L3ProxyND Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3ProxyND Enabled is disabled.

IPv6 Learn Unsolicited ARP Enabled

For IPv6 addresses within the subnet, this parameter enables the learning of Neighbor Discovery Request entries out of any Neighbor Discovery Request packet arriving at the IRB sub-interface, regardless of whether there was a Neighbor Discovery Request issued from the IRB.

Default: disabled

MAC duplication and detection parameters (if enabled on the subnet)

Action

This parameter specifies the action to take on the sub-interface (if action is use-net-instance-action) upon detecting that at least one MAC address is a duplicate on the sub-interface:
  • stop learning - the MAC address is not relearned on this or any sub-interface
  • blackhole - frames received on this or any other sub-interface are dropped if the MAC source address or the mac-vrf MAC destination address matches a blackhole MAC address (the MAC source address is still learned)
  • oper-down - the sub-interface is disabled with an error mac-dup-detected; arriving frames on a different sub-interface with the same source address are dropped

ACL parameters

Ingress ACL IPv4

This parameter specifies an existing profile that the system should apply to the ingress IPv4 traffic on this sub-interface.

Select an existing IPv4 ACL profile from the drop-down list.

Ingress ACL IPv6

This parameter specifies an existing profile that the system should apply to the ingress IPv6 traffic on this sub-interface.

Select an existing IPv6 ACL profile from the drop-down list.

Egress ACL IPv4

This parameter specifies an existing profile that the system should apply to the egress IPv4 traffic on this sub-interface.

Select an existing IPv4 ACL profile from the drop-down list.

Egress ACL IPv6

This parameter specifies an existing profile that the system should apply to the egress IPv6 traffic on this sub-interface.

Select an existing IPv6 ACL profile from the drop-down list.

QoS parameters

QoS Classifier

A QoS classifier profile maps incoming packets to the appropriate forwarding classes.

Select an existing QoS profile from the drop-down list.

QoS Rewrite Rule QoS rewrite rule policies mark outgoing packets with an appropriate DSCP value based on the forwarding class.

Select an existing QoS profile from the drop-down list.

BGP parameters

Table 1. Workload BGP parameter descriptions
Parameter Description Values

Node name This parameter is automatically set based on the node being configured by the operator. default
Router ID This parameter specifies the router ID.
Autonomous System This parameter specifies the BGP instance level local AS.
Import Policy This parameter specifies the name of a BGP policy to use as an import policy.

String

Optional
Export Policy This parameter specifies the name of a BGP policy to use as an export policy.

String

Optional

BGP group configuration

Table 2. BGP basic properties
Parameter Description Required Values/Range

Group Name This parameter specifies the name of the BGP group. The default group name cannot be changed. Yes
BFD This parameter enables or disables bidirectional forwarding detection (BFD) on the BGP sessions established by neighbors that belong to this group. Yes disabled
Connect-Retry This parameter sets the duration of the connect-retry timer. Yes 120
Peer AS If set, the main BGP configuration peer AS is used by all peers that belong to this group. This parameter specifies a peer AS to use for any neighbor that belongs to this group (does not override at the neighbor level). No False

Optional

Local AS By default, the main BGP configuration local AS is used by all peers that belong to this group. You can specify a local AS to use for any neighbor that belongs to this group (does not override at the neighbor level). No 1
Prepend Global AS If Prepend Global AS is enabled, the global AS value is prepended to the AS path of inbound routes from each eBGP peer that belongs to the group. No disabled
Prepend Local AS By default, Prepend Local AS is disabled. If enabled, the local AS value is prepended to the AS path of inbound routes from each eBGP peer that belongs to the group. No disabled
Toggle Max Hops By default, eBGP sessions have a maximum hop of 1 configured. If an operator changes the maximum hops to any value greater than 1, enable this parameter and set this parameter with the maximum number of hops. No 1 to 255
IPv4 Unicast Select Enable to advertise and receive IPv4 unicast routes to neighbors belonging to this group. Yes disabled
IPv6 Unicast Select Enable to advertise and receive IPv6 unicast routes to neighbors belonging to this group. Yes disabled
Minimum-Advertisement-Interval This parameter specifies how long a BGP router waits before sending an advertisement for all neighbors in this group. Yes 1
Import Policy This parameter specifies the name of a BGP policy to use as an import policy. No String

Optional

Export Policy This parameter specifies the name of a BGP policy to use as an export policy. No String

Optional

BGP neighbor configuration

Table 3. Basic BGP neighbor properties
Parameter Description Values/Range

Peer Address This parameter specifies the peer address of a neighbor in IPv4 or IPv6 format.
Local Address This parameter specifies the local address to use for this peering session. The value can be any IPv4 or IPv6 interface within the workload intent.
Group Name By default, the system provides a group name; you can retain this value or specify a new one. default
Override Peer AS By default, this parameter is disabled and the peer AS value configured in the main or group BGP configuration is used by all peers that belong to this group. To override the default, enable this parameter and enter a peer AS to use for this peering session. disabled or specify a peer AS
Override Local AS

By default, this parameter is disabled and the local AS setting in the main BGP configuration is used by all peers that belong to this group. When this parameter is enabled, specify a local AS to use for any neighbor that belongs to this group (and is not overriding at the neighbor level).

When this parameter is enabled, you can also optionally prepend the global AS and the local AS.
disabled or specify local AS
Toggle Max Hops This parameter specifies the maximum number of hops for a BGP session. 1 to 255
Override IPv4 Unicast This parameter specifies whether IPv4 unicast routes are advertised and received to and from neighbors belonging to this group. default: disabled
Override IPv6 Unicast This parameter specifies whether IPv6 unicast routes are advertised and received to and from neighbors belonging to this group. This setting overrides any configuration at the group or global level. default: disabled
Import Policy This parameter specifies the name of a BGP policy to use as an import policy. string
Export Policy This parameter specifies the name of a BGP policy to use as an export policy. string

Router parameters

Table 4. Router configuration parameters
Parameter Description Value
Name This parameter specifies the name of the router. String
Description This parameter specifies the optional description for the router. String
VNI Pool By default, the Fabric Services System deploys with a default VNI pool. For bridged subnets, you can select from which VNI pool a VNI gets automatically allocated to a new subnet. You can select from any available VNI pool. You can change the VNI pool after the subnet has been deployed. Default VNI Pool
VNI By default, the system assigns a VNI from the pool. This parameter specifies an available VNI from the selected VNI pool.
Provision Type By default, route targets are automatically derived. When this parameter is set to Manual, you can specify route targets for the subnet using the following parameters:
  • Import Route Target
  • Export Route Target
Automatically Derived (the default) or Manual

Creating the basic workload VPN intent

  1. Click to open the main menu and select Workload VPN Intents.
  2. Click + CREATE A WORKLOAD VPN INTENT to display a set of fabric templates.
    Templates are displayed in a grid view by default. To switch to the list view, select in the template selection screen. Click to return to the grid view.
  3. Click on a VPN template, then click CREATE.
    The Workload VPN Intents page displays in Workload Design view. The left panel of the page shows basic parameters for you to configure.
  4. Configure basic parameters.
    • Workload VPN Intent Name
    • Description
    • Fabric Intent Type
  5. Select one or more fabric intents to participate in the workload VPN intent.
    1. Click next to Fabric Intents. The system opens a list of fabric intents, filtered to show only deployed fabrics.
    2. Check the box at the left edge of the row for each fabric you want to include as part of your workload VPN intent.
    3. Click SELECT INTENTS.
  6. Click to save the latest change to the workload design.
    The display updates to show the selected fabric intent's topology. The system advances the workload VPN intent's Detailed Status to Created and its Version to 1.0.

Proceed to Adding subnets to the workload VPN intent.

Adding subnets to the workload VPN intent

  1. If you are not continuing directly from the procedure Creating the basic workload VPN intent, first open the Workload VPN Intent view by doing the following:
    1. Click to open the main menu.
    2. From the menu, select Workload VPN Intents.
  2. In the view drop-down list, select Subnets.
  3. Click +CREATE A SUBNET.
  4. Configure the basic parameters for the subnet.
    • Name
    • Description
  5. In the Type drop-down list, specify the type of subnet.
    • bridged subnet - click Bridged, then continue with step 6.
    • routed subnet - click Routed.

      In the Router field, accept the default router or select an existing router. Then, continue to step 14.

      You do not add an IRB IP address here. Later, you connect the routed subnet to a sub-interface which attaches to a VRF instance.

    • loopback subnet - click Loopback.

      In the Router field, accept the default router or select an existing router. Then, continue to step 14.

  6. Configure parameters for the bridged subnet.

    Set the following parameters:

    • IP Anycast Gateway (V4/V6) - this IP address acts as an IRB interface. The subnet can span one, two, or more nodes.

      Click +ADD to add an IP address. In the Add IP Anycast Gateway form that displays, add the IP address. If the IP address is the primary, click the Primary field. Click ADD. You can add up to four gateways.

    • Router
  7. Optional: For bridged subnets with a configured gateway, enable layer 3 IPv4 proxy ARP, IPv6 proxy ND, and related settings.
    • L3 ProxyArp Enabled
      Enabling L3 IPv4 proxy ARP also enables the following parameters; when L3 IPv4 proxy ARP is disabled, you can enable them independently:
      • IPv4 Learn Unsolicited ARP Enabled
      • IPv4 Host Route Enabled
    • L3 ProxyND Enabled

      Enabling L3 IPv6 proxy ND also enables IPv6 Learn Unsolicited ARP Enabled; when L3 IPv6 proxy ND is disabled, you can enable it independently.

  8. Optional: Enable bidirectional forwarding detection (BFD).
  9. Optional: Accept the default or select a new value for the IP MTU parameter.
  10. Optional: Configure ACL settings.
    Select existing ACL profiles for the following parameters:
    • Ingress ACL Profile IPV4
    • Ingress ACL Profile IPv6
    • Egress ACL Profile IPV4
    • Egress ACL Profile IPv6
  11. Optional: Set a specific pool VNI from which the Fabric Services System allocates VNI and route targets for an IP-VRF or MAC-VRF object within a workload VPN intent.
    You can use these settings to configure the Fabric Services System to automatically derive a route target, while ensuring that the values used do not overlap with existing services elsewhere in the data center. You can update the following fields:
    • VNI
    • Provision Type
      • Import Route Target
      • Export Route Target
  12. Optional: For bridged subnets without a configured gateway, enable L2 proxy ARP settings.

    When you enable L2 proxy ARP, you can also set the L2 ARP table size. You can also configure the following duplicate IP detection parameters:
    • Hold Down Time
    • Monitoring Window
    • Num Moves

  13. Optional: Enable MAC duplication detection.
  14. Click CREATE.
    The newly added subnet appears in the Subnets view.
  15. In the view drop-down list, select Workload Design.
  16. Click to save the latest change to the workload design.

Proceed to Adding sub-interfaces to the workload VPN intent.
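
When subnets are created by automation rather than through the forms above, the value ranges and dependencies from the subnet parameter tables can be checked before the intent is submitted. The following is an added example, not code from the Fabric Services System: the dictionary keys, function names and sample subnets are hypothetical and constructed for illustration, and do not reflect the product's API schema.

```python
import ipaddress

SUBNET_TYPES = {"Bridged", "Routed", "Loopback"}


def _in_range(value, low, high):
    """True when value is an integer within [low, high]."""
    return isinstance(value, int) and low <= value <= high


def validate_subnet(subnet):
    """Return a list of findings for one subnet definition (empty = passes).

    `subnet` is a plain dict with hypothetical keys chosen for this example.
    Each check mirrors a constraint stated in the parameter tables.
    """
    findings = []
    stype = subnet.get("type")
    gateways = subnet.get("anycast_gateways", [])

    if stype not in SUBNET_TYPES:
        findings.append(f"type {stype!r}: must be Bridged, Routed or Loopback")

    # Gateways: up to four, each an IP address with a required CIDR.
    if len(gateways) > 4:
        findings.append(f"{len(gateways)} anycast gateways: at most four allowed")
    for gw in gateways:
        try:
            if "/" not in gw:
                raise ValueError("missing prefix length")
            ipaddress.ip_interface(gw)
        except ValueError:
            findings.append(f"gateway {gw!r}: not an IP address with a CIDR prefix")

    # IP MTU: 1500 or higher.
    mtu = subnet.get("ip_mtu", 1500)
    if not isinstance(mtu, int) or mtu < 1500:
        findings.append(f"ip_mtu {mtu!r}: must be 1500 or higher")

    # L2 proxy ARP: bridged networks only, and never with a gateway attached.
    if subnet.get("l2_proxy_arp"):
        if stype != "Bridged":
            findings.append("l2_proxy_arp: applies to bridged subnets only")
        if gateways:
            findings.append("l2_proxy_arp: cannot be enabled with a gateway attached")

    # L3 proxy ARP / ND on a bridged subnet needs a configured gateway.
    for key in ("l3_proxy_arp", "l3_proxy_nd"):
        if subnet.get(key) and stype == "Bridged" and not gateways:
            findings.append(f"{key}: bridged subnet has no gateway IP address")

    # MAC duplication detection timers, in minutes.
    mac_dup = subnet.get("mac_dup_detection")
    if mac_dup is not None:
        if not _in_range(mac_dup.get("hold_down_time", 9), 2, 60):
            findings.append("mac_dup_detection.hold_down_time: must be 2 to 60")
        if not _in_range(mac_dup.get("monitoring_window", 3), 1, 15):
            findings.append("mac_dup_detection.monitoring_window: must be 1 to 15")
    return findings


# Constructed sample subnets (addresses are from documentation ranges).
GOOD_SUBNET = {
    "name": "web-tier", "type": "Bridged",
    "anycast_gateways": ["192.0.2.1/24", "2001:db8:1::1/64"],
    "ip_mtu": 9000, "l3_proxy_arp": True,
    "mac_dup_detection": {"hold_down_time": 9, "monitoring_window": 3},
}
BAD_SUBNET = {
    "name": "db-tier", "type": "Bridged",
    "anycast_gateways": ["198.51.100.1"],      # no CIDR prefix length
    "ip_mtu": 1400,                            # below 1500
    "l2_proxy_arp": True,                      # conflicts with the gateway
    "mac_dup_detection": {"hold_down_time": 90, "monitoring_window": 3},
}

if __name__ == "__main__":
    for s in (GOOD_SUBNET, BAD_SUBNET):
        problems = validate_subnet(s)
        print(s["name"], "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```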

Adding sub-interfaces to the workload VPN intent

If you intend to select sub-interfaces by their label, you must have assigned labels to the intended sub-interfaces.
Each sub-interface is associated with a previously created subnet. A workload sub-interface consists of an edge-link port or LAG with which you associate ACL and QoS policies.

The Fabric Services System supports two methods for selecting the edge link port or LAG that constitutes a sub-interface:

  • Node and Interface: explicitly select a node and then an interface on that node.
  • Interface Label Selector: assign the Edge-Link label to a set of objects, and then select the label from among those previously created and assigned to underlay interfaces. All interfaces with the specified label are selected.

To add one or more sub-interfaces to the workload VPN intent:

  1. Do one of the following:
    • From the Subnets view, find the subnet and click at the end of its row and select Create Sub-Interface.
    • Select Sub-Interfaces from the Workload VPN intent's view menu and click +CREATE A SUB-INTERFACE.
  2. Provide an optional description for the sub-interface.
  3. Optional: Configure ACL settings.
    Specify existing ACL profiles for the following parameters:
    • Ingress ACL Profile IPV4
    • Ingress ACL Profile IPv6
    • Egress ACL Profile IPV4
    • Egress ACL Profile IPv6
  4. For routed and loopback sub-interfaces, specify a gateway.
    In the IP Gateway (V4/V6) section, click +ADD.

    In the IP Anycast Gateway form, enter an IP address. The interface you select here can be a LAG, if the LAG has already been provisioned.

    If the IP address is the primary gateway, set the Primary field.

  5. Optional: If the interface is for a routed subnet, enable layer 3 proxy ARP and proxy ND settings.
    • L3 ProxyArp Enabled.
      Enabling L3 IPv4 proxy ARP also enables the following parameters; when L3 IPv4 proxy ARP is disabled, you can enable them independently:
      • IPv4 Learn Unsolicited ARP Enabled
      • IPv4 Host Route Enabled
    • L3 ProxyND Enabled

      Enabling L3 IPv6 proxy ND also enables IPv6 Learn Unsolicited ARP Enabled; when L3 IPv6 proxy ND is disabled, you can enable it independently.

  6. In the Association Type drop-down list, specify the type of association.
    • to select sub-interfaces by label, select Interface Label Selector and go to step 7.
    • to select sub-interfaces by selecting individual nodes and ports, select Node and Interface, then go to step 8.
  7. In the Associations panel, select Interface Label Selector.
    1. In the Interface Label Selector field, click to open the Label Picker form.
    2. From the list of labels, locate the "Edge-Link" label you created previously to identify the edge link ports. Click on the left end of the row beside the label.
    3. Click SELECT to close the Label Picker form.
    4. Repeat sub-steps 7.a through 7.c until you have selected all of the intended sub-interfaces.
    5. Go to step 9.
  8. In the Association pane, select the node ID and interface.
    1. In the Node ID field, select a node ID associated with a leaf node.
      You must select a leaf node here, because only leaf nodes possess the edge link connections required by the eventual workload.
    2. In the Interface Name field, select a specific interface on the selected node.
    3. If the subnet is a loopback subnet, select from the list of available loopback interfaces from the manual topology fabric shown.
  9. Optional: For bridged subnets, if MAC duplication detection is enabled for the subnet to which this sub-interface belongs, set the Action field.
  10. Optional: Assign QoS profiles.

    • QoS DSCP Classifier
    • QoS DSCP Rewrite Rules

  11. Click CREATE.
  12. In the view drop-down list, click Workload Design.
  13. Click to save the latest change to the workload design.
  14. Click GENERATE WORKLOAD.
    The system generates configuration data for the nodes involved in the workload VPN intent and advances the workload state to Configuration Generated. The workload version remains 1.0.

Configuring BGP

Because you create BGP within a workload VPN intent, you must have created a workload VPN intent before you configure BGP.

Border Gateway Protocol (BGP) is an inter-AS routing protocol. An AS is a network or a group of routers logically organized and controlled by common network administration. BGP enables routers to exchange network reachability information, including information about other autonomous systems that traffic must traverse to reach other routers in another AS.

When you use BGP as the provider edge (PE) or customer edge (CE) routing protocol, you configure external peering between the provider's AS and the customer network AS.

When you create eBGP links between leaf nodes and customer autonomous systems, the customer autonomous systems may learn of routes through the fabric from different sources. The eBGP links created with the Fabric Services System are configured so that a customer AS prefers the route it learns from its local peer, because that is likely the most efficient path. This is achieved using the BGP Local Preference attribute, which the Fabric Services System sets to a value of 130 for links between peers (while other links generally have a preference value of 100). This behavior is automatic and is not configurable.

You can optionally specify global import and export BGP policies for a workload BGP group. You can also specify import and export policies at the BGP group or BGP neighbor level to override the settings at the global or group level.
Note: The Fabric Services System does not check the validity of the policy names that you specify; the BGP policies are assumed to be configured on the node using the global configuration override feature or some other mechanism.
  1. Choose one of the following:
    • If you are configuring BGP for a workload VPN intent that has not yet been deployed, open the workload VPN intent in Workload Design view and go to step 2.
    • If you are configuring BGP for a workload VPN intent that is already deployed, begin by creating a new candidate version of the existing workload VPN intent.
  2. From the view drop-down list, select Routing.
  3. Locate the row of the node on which to configure BGP. Click at the right edge of the row and select Open BGP from the displayed More actions menu.
  4. Create a BGP group.
    • To create a BGP group with some default values, go to step 5.
    • To create a BGP group and configure all available values manually, go to step 7.
  5. Create the initial PE-CE BGP group.
    1. In the Workload BGP pane, set the global parameters for the workload PE-CE BGP:
      • Router ID
      • Autonomous System
      • Import Policy
      • Export Policy
    2. Click SAVE.
    The system saves the global parameters and creates a new BGP group that appears in the list on the BGP Groups pane. This BGP group is a read-only collection of the BGP configuration parameters you entered, plus some automatic configuration settings.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  6. Go to step 8.
  7. Create a PE-CE BGP group.
    1. In the Create BGP Groups pane, click + CREATE BGP GROUP.
    2. Set parameters for the BGP group.
      Set the appropriate parameters for your deployment scenario.
      • Group Name
      • BFD
      • Connect-Retry
      • Peer AS
      • Local AS
      • Toggle Max Hops
      • IPv4 Unicast
      • IPv6 Unicast
      • Minimum-Advertisement-Interval
      • Import Policy
      • Export Policy
    The system saves the global parameters and creates a new BGP group that appears in the list on the BGP Groups pane. This BGP group is a read-only collection of the BGP configuration parameters you entered.

    This group is a prerequisite for the creation of one or more BGP neighbors.

  8. Create a BGP neighbor.
    1. In the BGP Neighbors pane, click + CREATE BGP NEIGHBOR.
    2. Set parameters in the Basic Properties pane.
      • Peer Address
      • Local Address
      • Group Name
      • Override Peer AS
      • Override Local AS
      • Toggle Max Hops
      • Override IPv4 Unicast
      • Override IPv6 Unicast
      • Import Policy
      • Export Policy
    3. Click CREATE.
  9. Repeat step 8 until all required BGP neighbors have been created.
  10. On the Create BGP overlay, click SAVE.
  11. Update the workload VPN intent with the new BGP information.
    1. On the Workload VPN Intents page, click the view drop-down list and select Workload Design.
    2. Click GENERATE WORKLOAD.
      The workload data updates to include the new BGP information. The system also adds default policy information to the workload configuration.

      To view the new workload in detail, you can view the configuration code.

Creating a router

Use this procedure to create a router.

  1. From the main menu, select Workload VPN Intents.
  2. In the view drop-down list, select Routers.
  3. Click +CREATE WORKLOAD ROUTER.
  4. In the General pane, set the following parameters:
    • Name
    • Description
  5. In the Router Definition pane, accept the default settings or set the following parameters:
    • VNI
    • Provision Type
    • If Provision Type is set to Manual, configure the following parameters:
      • Import Route Target
      • Export Route Target

Editing router definitions

You can edit the VNI and route targets for a router instance.

  1. From the main menu, select Workload VPN Intents.
  2. Locate the workload VPN intent and at the right edge of its row, click and select Open.
  3. From the Workload VPN Intent drop-down list, select Routers.
  4. At the right edge of the row for the router, click the Table Row Actions icon and select Open.
  5. Configure route target definitions.
    You can update the following fields:
    • VNI
    • Provision Type: select Automatically Derived or Manual. Select Manual to specify the following route targets for the subnet:
      • Import Route Target
      • Export Route Target