Workload VPN intent creation

A workload VPN intent assigns fabric resources to specific sources of demand.

Prerequisites

Before you create a new workload VPN intent, ensure the following:

  • The region for the workload VPN intent has been created.
  • All fabrics that you intend to use with this workload VPN intent have been created and successfully deployed.
  • The QoS profiles that you intend to use with this workload VPN intent have been created.
  • The ACL profiles that you intend to use with this workload VPN intent have been created.
  • The LAGs that you intend to use as sub-interfaces for your workload VPN intent have already been created within the system.

Procedure overview

Creating a workload VPN intent involves the following sub-tasks, each consisting of multiple steps:

  1. Creating the basic workload VPN intent
  2. Adding subnets to the workload VPN intent
  3. Adding sub-interfaces to the workload VPN intent
  4. Configuring routing for the workload, as described in Routing

Empty workload intents

At a high level, the deployment of a workload intent involves the following tasks:
  1. Generating the configuration
  2. Adding the workload intent to the deployment queue
  3. Deploying the queue item
The system allows the creation and deployment of an empty workload intent without generating an error message, including in the following cases:
  • there is no change in the candidate version
  • there are one or more subnets and routers, but no sub-interfaces
  • there are no subnets or routers and no sub-interfaces
  • other situations that would normally not allow deployment but that are not error states

Workload VPN intent parameter descriptions

This section describes the required and optional workload VPN intent parameters and the appropriate values that you can set in the platform.

Workload VPN intent parameters

Table 1. Workload design parameters

Workload VPN Intent Name
  Specifies a unique name for the workload VPN intent.
  Values: Any string value

Description
  Specifies an optional description for the workload VPN intent.
  Values: Any string value

Fabric Intent Type
  Specifies the fabric intent environment.
  Values: Real or Digital Sandbox

Fabric Intents
  Identifies one or more fabrics that you want to include in the workload VPN intent.
  If no fabric is selected, all fabrics in the region are part of the workload intent, and you can create a sub-interface on any fabric within the region. Selecting a fabric intent creates a restriction list composed only of sub-interfaces that belong to the selected fabric intents.
  Values: Select from existing fabric intents or leave blank.

Labels
  Specifies the labels to apply to the workload VPN intent.
  Labels are not selected during workload VPN intent creation, but you can apply labels to the workload VPN intent itself later.
  Values: Supported labels

Subnet parameters

Table 2. Subnet configuration parameters

Name
  Specifies the name of the subnet.
  Values: String

Description
  Provides a description for the subnet.
  Values: String

Type
  Specifies the type of subnet.
  Values: Bridged, Routed, or Loopback

IP Anycast Gateway (V4/V6)
  For bridged subnets, specifies an IP gateway to act as an IRB interface.
  Values: An IP address with a required CIDR

Anycast Gateway MAC address
  Specifies an anycast gateway MAC address. This option is available if an IP anycast gateway is set.
  Values: MAC address

Primary
  Sets an address as the primary address. The primary address is used to form a BGP peering session between a multinetted interface and a neighbor.
  Values: Default: disabled

Router
  Specifies the router to which this subnet is attached.
  Values: The default router presented, or an existing router selected from the drop-down list

BFD
  Enables or disables bidirectional forwarding detection (BFD) for the subnet.
  When BFD is enabled, the default settings for Desired Minimum Transit Interval, Required Minimum Receive, and Detection Multiplier apply.
  BFD is applicable to bridged, routed, and loopback subnets.

Desired Minimum Transit Interval
  Specifies the minimum interval between the transmission of BFD control packets that this system wants to use.
  Values: Default: 1,000,000 microseconds

Required Minimum Receive
  Specifies the minimum interval between received BFD control packets that this system requires.
  Values: Default: 1,000,000 microseconds

Detection Multiplier
  Specifies the multiplier used to determine the BFD detection interval:
  BFD detection interval = Detection Multiplier x Desired Minimum Transit Interval
  Values: 1 to 5. Default: 3

IP MTU
  For bridged subnets, specifies the maximum transmission unit allowed.
  Values: 1500 or higher

VNI
  Specifies the unique VXLAN network identifier (VNI) from the selected VNI pool. If no value is specified, the Fabric Services System assigns a VNI from the VNI pool.

Provision Type
  Specifies whether the route targets are automatically derived or manually set. If set to Manual, you can set the following parameters:
    • Import Route Target
    • Export Route Target
  Values: Automatically Derived (the default) or Manual

Import Route Target
  Specifies the name of a BGP policy to use as an import policy.
  Values: String

Export Route Target
  Specifies the name of a BGP policy to use as an export policy.
  Values: String

Layer 2 proxy ARP

L2 proxy ARP
  Enables or disables Layer 2 proxy ARP on a bridged network. When this parameter is enabled, you can set the following parameters:
    • Table size
    • Duplicate IP Detection
  Note: You cannot enable this parameter if a gateway has been attached to the subnet.
  Values: Default: disabled

Table size
  Specifies the size of the proxy ARP table, that is, the maximum number of entries.
  Values: Default: 250

Duplicate IP Detection
  Enables duplicate IP address detection for the subnet. When this field is enabled, you can configure the following settings:
    • Hold Down Time
    • Monitoring Window
    • Num Moves
  Values: Default: disabled

Hold Down Time
  Specifies the time from the moment an IP address is considered duplicate to the moment the IP address is removed from the proxy ARP table.
  Values: Integer. Default: 9 minutes

Monitoring Window
  Specifies the number of minutes that the system monitors a proxy ARP table entry following an IP address move.
  Values: Default: 3 minutes

Num Moves
  Specifies the maximum number of moves a proxy ARP table entry can have during the monitoring window before the IP address is considered duplicate.
  Values: Default: 5 moves

Layer 3 proxy ARP and related settings

L3 ProxyArp Enabled
  Enables Layer 3 proxy ARP for a bridged subnet that is configured with a gateway IP address. For a routed subnet, Layer 3 proxy ARP is enabled on the sub-interface.
  Values: Default: disabled

IPv4 Host Route Enabled
  Enables the dynamic population of IPv4 host routes.
  When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

IPv4 Learn Unsolicited ARP Enabled
  For IPv4 addresses within the subnet, enables the learning of ARP entries from any ARP packet arriving at the IRB sub-interface, regardless of whether the IRB sent an ARP Request.
  When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

L3ProxyND Enabled
  Enables Layer 3 proxy neighbor discovery (ND) for a bridged subnet that is configured with a gateway IP address. For a routed subnet, Layer 3 proxy ND is enabled on the sub-interface.
  Values: Default: disabled

IPv6 Host Route Enabled
  Enables the dynamic population of IPv6 host routes.
  When the L3ProxyND Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3ProxyND Enabled is disabled.

IPv6 Learn Unsolicited ARP Enabled
  For IPv6 addresses within the subnet, enables the learning of Neighbor Discovery Request entries from any Neighbor Discovery Request packet arriving at the IRB sub-interface, regardless of whether the IRB issued a Neighbor Discovery Request.
  Values: Default: disabled

ACL parameters

Ingress ACL IPv4
  Specifies an existing profile that the system applies to the ingress IPv4 traffic on this subnet.
  Values: An existing IPv4 ACL profile from the drop-down list

Ingress ACL IPv6
  Specifies an existing profile that the system applies to the ingress IPv6 traffic on this subnet.
  Values: An existing IPv6 ACL profile from the drop-down list

Egress ACL IPv4
  Specifies an existing profile that the system applies to the egress IPv4 traffic on this subnet.
  Values: An existing IPv4 ACL profile from the drop-down list

Egress ACL IPv6
  Specifies an existing profile that the system applies to the egress IPv6 traffic on this subnet.
  Values: An existing IPv6 ACL profile from the drop-down list

MAC duplication and detection parameters

Mac Duplication Detection
  Enables MAC duplication detection for the subnet. When this parameter is enabled, you can set the following parameters:
    • Action
    • Hold Down Time
    • Monitoring Window
    • Num Moves
  Values: Default: disabled

Action
  Specifies the action to take on the sub-interface upon detecting that at least one MAC address is a duplicate:
    • stop learning: the MAC address is not relearned on this or any sub-interface
    • blackhole: frames received on this or any other sub-interface are dropped if the MAC source address or the MAC-VRF MAC destination address matches a blackhole MAC address (the MAC source address is still learned)
    • oper-down: the sub-interface is disabled with a mac-dup-detected error message; arriving frames on a different sub-interface with the same source address are dropped
  Values: Default: stop learning

Hold Down Time
  Specifies the time to wait from the moment a MAC address is declared duplicate before it is flushed from the bridge table, after which the monitoring process for the MAC address is restarted.
  Values: 2 to 60 minutes. Default: 9

Monitoring Window
  Specifies the period, in minutes, during which the moves are observed.
  Values: 1 to 15. Default: 3
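The Duplicate IP Detection parameters of Layer 2 proxy ARP and the MAC duplication detection parameters above share one mechanism: moves of an address between sub-interfaces are counted inside a monitoring window, an address that moves more than Num Moves times is declared duplicate, the configured action applies, and after the hold-down time the entry is flushed and monitoring restarts. The following simulation is an added illustration of that mechanism, not code from the Fabric Services System. It uses the defaults the tables give (monitoring window 3 minutes, hold-down 9 minutes, and the 5-move limit from the duplicate IP table, since the MAC table states no Num Moves default); the class and method names, and the exact way each action is represented, are this example's own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Constructed example: models the move-counting behind Duplicate IP Detection and
# MAC Duplication Detection. Timestamps are in minutes, the unit of Hold Down Time
# and Monitoring Window. Names below are this example's own, not product identifiers.


class Action(Enum):
    STOP_LEARNING = "stop learning"   # address is not relearned while duplicate
    BLACKHOLE = "blackhole"           # frames carrying the address are dropped
    OPER_DOWN = "oper-down"           # sub-interface where it was detected goes down


@dataclass
class Entry:
    location: str                                  # sub-interface the address is learned on
    moves: list = field(default_factory=list)      # move timestamps inside the window
    dup_since: Optional[float] = None              # set while the hold-down is running


@dataclass
class DuplicateDetector:
    num_moves: int = 5        # Num Moves: moves tolerated inside one monitoring window
    window: float = 3.0       # Monitoring Window, minutes
    hold_down: float = 9.0    # Hold Down Time, minutes
    action: Action = Action.STOP_LEARNING
    table: dict = field(default_factory=dict)
    down_subifs: set = field(default_factory=set)

    def learn(self, addr: str, subif: str, t: float) -> str:
        """Process one learn event at time t and report what the table did with it."""
        if subif in self.down_subifs:
            return "dropped: sub-interface oper-down"
        entry = self.table.get(addr)
        if entry is None:
            self.table[addr] = Entry(subif)
            return "learned"
        if entry.dup_since is not None:
            if t - entry.dup_since >= self.hold_down:
                # Hold-down expired: flush the entry and restart monitoring from scratch.
                del self.table[addr]
                return self.learn(addr, subif, t)
            if self.action is Action.STOP_LEARNING:
                return "ignored: duplicate, not relearned during hold-down"
            if self.action is Action.BLACKHOLE:
                entry.location = subif                 # source is still learned ...
                return "dropped: blackhole address"    # ... but the frame is dropped
            return "dropped: duplicate of an oper-down sub-interface"
        if subif == entry.location:
            return "refreshed"
        # The address moved: keep only the moves still inside the monitoring window.
        entry.location = subif
        entry.moves = [m for m in entry.moves if t - m < self.window] + [t]
        if len(entry.moves) > self.num_moves:
            entry.dup_since = t
            if self.action is Action.OPER_DOWN:
                self.down_subifs.add(subif)
            return f"duplicate: {self.action.value}"
        return "moved"


def flapping_host(action: Action = Action.STOP_LEARNING) -> list:
    """Constructed trace: one address flaps between two sub-interfaces every 15 seconds."""
    det = DuplicateDetector(action=action)
    out = []
    for i in range(8):
        t = i * 0.25
        out.append((t, det.learn("00:11:22:33:44:55", ["eth1", "eth2"][i % 2], t)))
    out.append((11.0, det.learn("00:11:22:33:44:55", "eth1", 11.0)))   # after hold-down
    return out


def slow_mover() -> list:
    """Constructed trace: an address moving once a minute stays under the move limit."""
    det = DuplicateDetector()
    return [det.learn("00:aa:bb:cc:dd:ee", ["eth1", "eth2"][i % 2], float(i)) for i in range(10)]


if __name__ == "__main__":
    for t, result in flapping_host():
        print(f"t={t:5.2f} min  {result}")
```

The flapping trace is declared duplicate on its sixth move inside the 3-minute window, is ignored for the rest of the 9-minute hold-down, and is learned afresh once the hold-down expires; the slow mover accumulates at most three moves per window and is never flagged, which is the tuning trade-off these three parameters express.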

Sub-interface parameters

Table 3. Sub-interface configuration parameters

Subnet
  Specifies the subnet with which this sub-interface is associated.
  Values: An existing subnet

Description
  Describes the selected sub-interface.
  Values: String

IP Gateway (V4/V6)
  Specifies the IP address of the forwarding device.
  If the IP address is the primary gateway, set the Primary field. To form a BGP peering session between a multinetted interface and a neighbor, one of the gateway IP addresses must be set to primary.
  Values: IP address of the gateway device

Encap Type
  Configures encapsulation settings for bridged subnets:
    • UnTagged – specifies that untagged frames can be captured on tagged interfaces
    • Single Tagged – specify one of the following options:
      • Vlan ID Any – specifies that non-configured VLAN IDs and untagged traffic are classified to a Layer 2 sub-interface
      • Vlan ID – specifies the VLAN ID, a value from 1 to 4094
    • Single Tagged Range – click + ADD to open the ADD VLAN Range form, where you can enter the low end and high end of the VLAN range. You can add up to eight non-overlapping ranges.
  Values: UnTagged, Single Tagged, or Single Tagged Range

IP MTU
  Specifies the maximum transmission unit for the sub-interface; this is the maximum size of an IP packet that is not fragmented in the course of transmission.
  Values: 1500 or higher

Association parameters

Association Type
  Specifies the method used to associate this sub-interface with its "parent" subnet.
  Values: Node and Interface, Interface label selector

Node ID
  Specifies the node within the fabric on which the current sub-interface is located.
  Values: Select an existing leaf node within the fabric or fabrics associated with this workload VPN intent

Interface Name
  Specifies the interface on the selected node with which this sub-interface is associated. This setting can be a LAG.
  Values: An interface

Layer 3 proxy ARP and related parameters

L3 ProxyArp Enabled
  Enables L3 proxy ARP for a sub-interface attached to a routed subnet.
  Values: Default: disabled

IPv4 Host Route Enabled
  Enables the dynamic population of IPv4 host routes. When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

IPv4 Learn Unsolicited ARP Enabled
  For IPv4 addresses within the subnet, enables the learning of ARP entries from any ARP packet arriving at the IRB sub-interface, regardless of whether the IRB sent an ARP Request. When the L3 ProxyArp Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3 ProxyArp Enabled is disabled.

L3ProxyND Enabled
  Enables L3 proxy ND for a sub-interface attached to a routed subnet.
  Values: Default: disabled

IPv6 Host Route Enabled
  Enables the dynamic population of IPv6 host routes. When the L3ProxyND Enabled parameter is enabled, this parameter is also enabled. You can disable it if L3ProxyND Enabled is disabled.

IPv6 Learn Unsolicited ARP Enabled
  For IPv6 addresses within the subnet, enables the learning of Neighbor Discovery Request entries from any Neighbor Discovery Request packet arriving at the IRB sub-interface, regardless of whether the IRB issued a Neighbor Discovery Request.
  Values: Default: disabled

MAC duplication and detection parameters (if enabled on the subnet)

Action
  Specifies the action to take on the sub-interface upon detecting that at least one MAC address is a duplicate on the sub-interface:
    • stop learning – the MAC address is not relearned on this or any sub-interface
    • blackhole – frames received on this or any other sub-interface are dropped if the MAC source address or the mac-vrf MAC destination address matches a blackhole MAC address (the MAC source address is still learned)
    • oper-down – the sub-interface is disabled with a mac-dup-detected error; arriving frames on a different sub-interface with the same source address are dropped

ACL parameters

Ingress ACL IPv4
  Specifies an existing profile that the system applies to the ingress IPv4 traffic on this sub-interface.
  Values: An existing IPv4 ACL profile

Ingress ACL IPv6
  Specifies an existing profile that the system applies to the ingress IPv6 traffic on this sub-interface.
  Values: An existing IPv6 ACL profile

Egress ACL IPv4
  Specifies an existing profile that the system applies to the egress IPv4 traffic on this sub-interface.
  Values: An existing IPv4 ACL profile

Egress ACL IPv6
  Specifies an existing profile that the system applies to the egress IPv6 traffic on this sub-interface.
  Values: An existing IPv6 ACL profile

QoS parameters

QoS Classifier
  Specifies an existing QoS classifier profile that maps incoming packets to the appropriate forwarding classes.
  Values: An existing QoS profile

QoS Rewrite Rule
  Specifies an existing QoS profile that defines the rewrite rule policies to mark outgoing packets with an appropriate DSCP value based on the forwarding class.
  Values: An existing QoS profile
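The sub-interface table states several constraints that are easy to get wrong when sub-interfaces are prepared in bulk: VLAN IDs from 1 to 4094, at most eight non-overlapping Single Tagged ranges, a gateway address with a CIDR prefix (required for anycast gateways in Table 2), one gateway marked Primary when several are configured, and an IP MTU of 1500 or higher. The pre-flight check below is an added example that validates a sub-interface definition against those constraints before it is entered into the system; it is not the product's code or API. The dict layout, the four-gateway limit (taken from step 6 of the subnet procedure) and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed example: pre-flight validation of sub-interface parameters against the
# constraints in Table 3. Dict layout and function names are this example's own.

VLAN_MIN, VLAN_MAX, MAX_RANGES = 1, 4094, 8
MAX_GATEWAYS = 4          # "You can add up to four gateways" (subnet procedure, step 6)
MIN_IP_MTU = 1500
ENCAP_TYPES = ("UnTagged", "Single Tagged", "Single Tagged Range")


def check_vlan_ranges(ranges):
    """Return the problems found in a list of (low, high) VLAN ranges; [] means valid."""
    problems = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"{len(ranges)} VLAN ranges configured; the maximum is {MAX_RANGES}")
    for low, high in ranges:
        if not (VLAN_MIN <= low <= high <= VLAN_MAX):
            problems.append(f"range {low}-{high} is reversed or outside {VLAN_MIN}-{VLAN_MAX}")
    ordered = sorted(ranges)
    # After sorting by low end, any overlap shows up between neighbouring ranges.
    for (_, prev_high), (low, high) in zip(ordered, ordered[1:]):
        if low <= prev_high:
            problems.append(f"range {low}-{high} overlaps a range that ends at {prev_high}")
    return problems


def check_gateways(gateways):
    """gateways: list of {"address": "192.0.2.1/24", "primary": bool} dicts."""
    problems = []
    if len(gateways) > MAX_GATEWAYS:
        problems.append(f"{len(gateways)} gateways configured; the maximum is {MAX_GATEWAYS}")
    for gw in gateways:
        addr = gw["address"]
        if "/" not in addr:
            problems.append(f"gateway {addr} has no CIDR prefix length")
            continue
        try:
            ipaddress.ip_interface(addr)     # accepts IPv4 and IPv6 address/prefix pairs
        except ValueError:
            problems.append(f"gateway {addr} is not a valid IPv4 or IPv6 address with prefix")
    if len(gateways) > 1 and not any(gw.get("primary") for gw in gateways):
        problems.append("multiple gateways configured but none is marked Primary")
    return problems


def check_sub_interface(spec):
    """Validate one sub-interface spec dict and return every problem found."""
    problems = []
    encap = spec.get("encap", "UnTagged")
    if encap not in ENCAP_TYPES:
        problems.append(f"unknown Encap Type {encap!r}")
    elif encap == "Single Tagged":
        vid = spec.get("vlan_id", "any")             # "any" models the Vlan ID Any option
        if vid != "any" and not (VLAN_MIN <= vid <= VLAN_MAX):
            problems.append(f"VLAN ID {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    elif encap == "Single Tagged Range":
        problems += check_vlan_ranges(spec.get("vlan_ranges", []))
    problems += check_gateways(spec.get("gateways", []))
    if spec.get("ip_mtu", MIN_IP_MTU) < MIN_IP_MTU:
        problems.append(f"IP MTU {spec['ip_mtu']} is below {MIN_IP_MTU}")
    return problems


# Constructed sample: a bridged sub-interface carrying two VLAN ranges at jumbo MTU.
SAMPLE_SPEC = {
    "encap": "Single Tagged Range",
    "vlan_ranges": [(100, 199), (300, 399)],
    "ip_mtu": 9000,
}

if __name__ == "__main__":
    for line in check_sub_interface(SAMPLE_SPEC) or ["no problems found"]:
        print(line)
```

Running the check over a whole batch of definitions before the first CREATE catches the overlapping range or the gateway without a prefix at the desk rather than in a failed deployment.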

Router parameters

Table 4. Router configuration parameters

Name
  Specifies the name of the router.
  Values: String

Description
  Specifies the optional description for the router.
  Values: String

VNI Pool
  By default, the Fabric Services System deploys with a default VNI pool. For bridged subnets, you can:
    • select from which VNI pool a VNI gets automatically allocated to a new subnet
    • change the VNI pool after the subnet has been deployed
  Values: Default VNI pool

VNI
  Specifies an available VNI from the selected VNI pool.
  Values: Default: system-assigned VNI from the pool

Provision Type
  By default, route targets are automatically derived. When this parameter is set to Manual, you can specify route targets for the subnet using the following parameters:
    • Import Route Target
    • Export Route Target
  Values: Automatically Derived (the default) or Manual

Creating the basic workload VPN intent

  1. Click to open the main menu and select Workload VPN Intents.
  2. Use the Region Selector at the top of the page to select the region in which to create the workload VPN intent.
    Note: You cannot change the region selection after you begin creating the workload VPN intent. If you select a new region in the Region Selector while creating a workload VPN intent, the creation form closes and you are returned to the Workload VPN Intents page.
  3. Click + CREATE A WORKLOAD VPN INTENT to display a set of fabric templates.
    Templates are displayed in a grid view by default. To switch to the list view, select in the template selection screen. Click to return to the grid view.
  4. Click on a VPN template, then click CREATE.
  5. Configure basic parameters.
    • Workload VPN Intent Name
    • Description
    • Fabric Intent Type
  6. Optional: Select any number of fabric intents, or no fabric intents, to participate in the workload intent.

    If no fabric is selected, all fabrics in the region are part of the workload intent, and you can create a sub-interface on any fabric within the region. Selecting a fabric intent creates a restriction list composed only of sub-interfaces that belong to the selected fabric intents.

    1. Click next to Fabric Intents.
    2. Check the box at the left edge of the row for each fabric you want to include as part of your workload intent.
    3. Click SELECT INTENTS.
  7. Click to save the latest change to the workload design.
    The display updates to show the selected fabric intent's topology. The system advances the workload VPN intent's Detailed Status to Created and its Version to 1.0.

Proceed to Adding subnets to the workload VPN intent.

Adding subnets to the workload VPN intent

  1. If you are not continuing directly from the procedure Creating the basic workload VPN intent, first open the Workload VPN Intent view by doing the following:
    1. Click to open the main menu.
    2. From the menu, select Workload VPN Intents.
    3. Use the Region Selector at the top of the page to select the region in which to create the workload VPN intent.
  2. In the view drop-down list, select Subnets.
  3. Click +CREATE A SUBNET.
  4. Configure the basic parameters for the subnet.
    • Name
    • Description
  5. In the Type drop-down list, specify the type of subnet.
    • bridged subnet – click Bridged, then continue with step 6
    • routed subnet – click Routed

      In the Router field, accept the default router or select an existing router. Then, continue to step 14.

      Do not add an IRB IP address here. Later, you connect the routed subnet to a sub-interface that attaches to a VRF instance.

    • loopback subnet – click Loopback

      In the Router field, accept the default router or select an existing router. Then, continue to step 14.

  6. Configure parameters for the bridged subnet.

    Set the following parameters:

    • IP Anycast Gateway (V4/V6) – this IP address acts as an IRB interface

      The subnet can span one, two, or more nodes.

      Click +ADD to add an IP address. In the Add IP Anycast Gateway form that displays, add the IP address. If the IP address is the primary, click the Primary field. Click ADD. You can add up to four gateways.

    • Anycast Gateway MAC address – this option is available if an IP anycast gateway is set
    • Router – for related information, see Routers.
  7. Optional: For bridged subnets with a configured gateway, enable Layer 3 IPv4 proxy ARP, IPv6 proxy ND, and related settings.
    • L3 ProxyArp Enabled
      Enabling Layer 3 IPv4 proxy ARP also enables the following parameters; when Layer 3 IPv4 proxy ARP is disabled, you can enable them independently:
      • IPv4 Learn Unsolicited ARP Enabled
      • IPv4 Host Route Enabled
    • L3 ProxyND Enabled

      Enabling Layer 3 IPv6 proxy ND also enables IPv6 Learn Unsolicited ARP Enabled; when Layer 3 IPv6 proxy ND is disabled, you can enable it independently.

  8. Optional: Enable BFD and related BFD timers.
  9. Optional: Accept the default or select a new value for the IP MTU parameter.
  10. Optional: Configure ACL settings.
    Select existing ACL profiles for the following parameters:
    • Ingress ACL Profile IPV4
    • Ingress ACL Profile IPv6
    • Egress ACL Profile IPV4
    • Egress ACL Profile IPv6
  11. Optional: Set a specific VNI pool from which the Fabric Services System allocates the VNI and route targets for an IP-VRF or MAC-VRF object within a workload VPN intent.
    You can use these settings to configure the Fabric Services System to automatically derive a route target, while ensuring that the values used do not overlap with existing services elsewhere in the data center. You can update the following fields:
    • VNI
    • Provision Type
      • Import Route Target
      • Export Route Target
  12. Optional: For bridged subnets without a configured gateway, enable L2 proxy ARP settings.

    When you enable L2 proxy ARP, you can also set the L2 ARP table size. You can also configure the following duplicate IP detection parameters:

    • Hold Down Time

    • Monitoring Window

    • Num Moves

  13. Optional: Enable MAC duplication detection.
  14. Click CREATE.
    The newly added subnet appears in the Subnets view.
  15. In the view drop-down list, select Workload Design.
  16. Click to save the latest change to the workload design.

Proceed to Adding sub-interfaces to the workload VPN intent.

Adding sub-interfaces to the workload VPN intent

If you intend to select sub-interfaces by their label, you must have assigned labels to the intended sub-interfaces.
Each sub-interface is associated with a previously created subnet. A workload sub-interface consists of an edge-link port or LAG with which you associate ACL and QoS policies.

The Fabric Services System supports two methods for selecting the edge-link port or LAG that constitutes a sub-interface:

  • Node and interface – explicitly select a node and then an interface on that node
  • Interface label selector – assign the Edge-Link label to a set of objects, and then select the label from among those previously created and assigned to underlay interfaces. All interfaces with the specified label are selected.
  1. Open a Create Sub-Interface form.
    • From the Subnets view, find the subnet, click at the end of its row, and select Create Sub-Interface.
    • From the Workload VPN intent's view menu, select Sub-Interfaces and click + CREATE A SUB-INTERFACE.
  2. Provide an optional description for the sub-interface.
  3. Optional: Configure ACL settings.
    Specify existing ACL profiles for the following parameters:
    • Ingress ACL Profile IPV4
    • Ingress ACL Profile IPv6
    • Egress ACL Profile IPV4
    • Egress ACL Profile IPv6
  4. For routed and loopback sub-interfaces, specify a gateway.
    1. In the IP Gateway (V4/V6) section, click +ADD.
    2. In the IP Anycast Gateway form, enter an IP address. The interface you select here can be a LAG, if the LAG has already been provisioned.
    3. Set the Anycast Gateway MAC address field. This option is available if an IP anycast gateway is set.
    4. If the IP address is the primary gateway, set the Primary field.
  5. Optional: If the interface is for a routed subnet, enable Layer 3 proxy ARP and proxy ND settings.
    • L3 ProxyArp Enabled
      Enabling L3 IPv4 proxy ARP also enables the following parameters; when L3 IPv4 proxy ARP is disabled, you can enable them independently:
      • IPv4 Learn Unsolicited ARP Enabled
      • IPv4 Host Route Enabled
    • L3 ProxyND Enabled

      Enabling L3 IPv6 proxy ND also enables IPv6 Learn Unsolicited ARP Enabled; when L3 IPv6 proxy ND is disabled, you can enable it independently.

  6. In the Association Type drop-down list, specify the type of association.
    • To select sub-interfaces by label, select Interface Label Selector and go to step 7.
    • To select sub-interfaces by selecting individual nodes and ports, select Node and Interface, then go to step 8.
  7. In the Associations panel, select Interface Label Selector.
    1. In the Interface Label Selector field, click to open the Label Picker form.
    2. From the list of labels, locate the "Edge-Link" label you created previously to identify the edge link ports. Click on the left end of the row beside the label.
    3. Click SELECT to close the Label Picker form.
    4. Repeat sub-steps 7.a through 7.c until you have selected all of the intended sub-interfaces.
    5. Go to step 9.
  8. In the Association pane, select the node ID and interface.
    1. In the Node ID field, select a node ID associated with a leaf node.
      You must select a leaf node here, because only leaf nodes possess the edge link connections required by the eventual workload.
    2. In the Interface Name field, select an interface to identify a specific interface on the selected node.
    3. If the subnet is a loopback subnet, select a loopback interface from the manual topology fabric shown.
  9. Optional: For bridged subnets, if MAC duplication detection is enabled for the subnet to which this sub-interface belongs, set the Action field.
  10. Optional: Assign QoS profiles.
    Specify a profile for the following fields:
    • Qos DSCP Classifier
    • Qos DSCP Rewrite Rules
  11. Click CREATE.
  12. In the view drop-down list, click Workload Design.
  13. Click to save the latest change to the workload design.
  14. Click GENERATE WORKLOAD.
    The system generates configuration data for the nodes involved in the workload VPN intent and advances the workload state to Configuration Generated. The workload version remains 1.0.

Creating a router

Use this procedure to create a router.

  1. From the main menu, select Workload VPN Intents.
  2. In the view drop-down list, select Routers.
  3. Use the Region Selector at the top of the page to select the region in which to create the router.
  4. Click +CREATE WORKLOAD ROUTER.
  5. In the General pane, set the following parameters:
    • Name
    • Description
  6. In the Router Definition pane, accept the default settings or set the following parameters:
    • VNI
    • Provision Type
    • If Provision Type is set to Manual, configure the following parameters:
      • Import Route Target
      • Export Route Target

Routing

BGP, static routes, and aggregate routes are configured within the routing section of a workload intent.

BGP

BGP is an inter-AS routing protocol. An AS is a network or a group of routers logically organized and controlled by a common network administration. BGP enables routers to exchange network reachability information, including information about the other ASs that traffic must traverse to reach routers in another AS.

When you use BGP as the provider edge (PE) or customer edge (CE) routing protocol, you configure external peering between the provider's AS and the customer network AS.

When you create eBGP links between leaf nodes and customer autonomous systems, the customer autonomous systems may learn of routes through the fabric from different sources. The eBGP links created with the Fabric Services System are configured so that a customer AS prefers the route it learns from its local peer, because that is likely the most efficient path. This setting is achieved using the BGP Local Preference attribute, which the Fabric Services System sets to a value of 130 for links between peers (while other links generally have a preference value of 100). This behavior is automatic and is not configurable.

Static routes

The Fabric Services System supports static routes to next-hop addresses.

A static route is made up of two parts:
  • one or more next-hop groups
  • routes that reference the next-hop group
To configure a static route within a workload intent, configure at least one next-hop group containing a next hop, then configure one or more routes. Different routes can reference the same or different next-hop groups.

Aggregate routes

A BGP aggregate route is a configured route that combines a set of routes into a single route.

Displaying the routing view for a node

Use this procedure to display the active routing protocols configured for a node. You can view BGP settings (global, next-hop groups, and neighbors), static routes, and aggregate routes configured for the node. This view is read-only.
  1. From the main menu, select Workload VPN Intents.
  2. Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
  3. Double-click a workload intent, then from the view drop-down list, select Routing.
  4. In the Protocols drop-down list, select Active Protocols by Node.
  5. Double-click a node to display active routing protocols for that node.
    You can filter the configured settings per router in the Router Name field. Routers that have been created and deployed are displayed in this field.

BGP parameters

Table 5. Global BGP parameters

Global BGP Name
  Specifies the name for this global BGP configuration.
  Values: String

Local AS
  Specifies the global BGP local AS.
  Values: Integer

Import Policy
  Specifies the name of a BGP policy to use as an import policy.
  Values: Name of an existing BGP policy

Export Policy
  Specifies the name of a BGP policy to use as an export policy.
  Values: Name of an existing BGP policy

Node and router assignment parameters

Node Name
  Specifies the node on which to apply this global BGP configuration.
  Values: An existing node or the name of a node that does not yet exist

Router Name
  Specifies the router on which to apply this global BGP configuration.
  Values: An existing router or the name of a router that does not yet exist

Router ID
  Specifies the router ID for the router.

BGP group configuration

Table 6. BGP basic group properties

Group Name
  Specifies the name of the BGP group. The system creates a default group, default-bgp-group.
  Values: String

BFD
  Enables or disables bidirectional forwarding detection (BFD) on the BGP sessions established by neighbors that belong to this group.
  Values: Default: enabled

Connect-Retry
  Specifies the duration of the connect-retry timer.
  Values: Default: 120

Peer AS
  Specifies the peer AS to use for any neighbor that belongs to this group (does not override a setting at the neighbor level).
  Values: Default: 1

Local AS
  Specifies a local AS to use for any neighbor that belongs to this group (does not override a setting at the neighbor level). By default, the global BGP configuration local AS is used by all peers that belong to this group.
  Values: Default: 1

Prepend Global AS
  Specifies whether to prepend the global AS value to the AS path of inbound routes from each eBGP peer that belongs to the group.
  Values: Default: disabled

Prepend Local AS
  Specifies whether to prepend the local AS value to the AS path of inbound routes from each eBGP peer that belongs to the group.
  Values: Default: disabled

Toggle Max Hops
  Specifies the maximum number of hops. By default, eBGP sessions are configured with a maximum of 1 hop.
  Values: 1 to 255

IPv4 Unicast
  Enables the router to advertise IPv4 unicast routes to, and receive them from, neighbors that belong to this group.
  Values: Default: enabled

IPv6 Unicast
  Enables the router to advertise IPv6 unicast routes to, and receive them from, neighbors that belong to this group.
  Values: Default: enabled

Minimum-Advertisement-Interval
  Specifies how long a BGP router waits before sending an advertisement for all neighbors in this group.
  Values: Default: 1

Import Policy
  Specifies the BGP import policy.
  Values: Name of an existing BGP policy

Export Policy
  Specifies the BGP export policy.
  Values: Name of an existing BGP policy

BGP neighbor

Table 7. Basic BGP neighbor parameters
Parameter Description

Values/Range

Peer Address Specifies the IP address of the BGP peer. A valid IPv4 or IPv6 address
Local Address Specifies the local address to use for this peering session. A valid IPv4 or IPv6 address
Group Name Specifies the name of this neighbor group. String
Override Peer AS Specifies the peer AS to use for this peering session.

This value overrides the default peer AS value configured in the main or group BGP configuration used by all peers that belong to this group.

Default: disabled
Override Local AS Specifies the local AS to use for this peering session. This value overrides the local AS setting in the main BGP configuration is used by all peers that belong to this group. When this parameter is enabled, you can optionally prepend the global AS and the local AS. Local AS
Toggle Max Hops Specifies the maximum number of hops for a BGP session. 1 to 255
Override IPv4 Unicast Specifies whether IPv4 unicast routes are advertised to and received from this neighbor. This setting overrides any configuration at the group or global level. Default: disabled
Override IPv6 Unicast Specifies whether IPv6 unicast routes are advertised to and received from this neighbor. This setting overrides any configuration at the group or global level. Default: disabled
Import Policy Specifies the name of a BGP policy to use as an import policy. Name of an existing BGP policy
Export Policy Specifies the name of a BGP policy to use as an export policy. Name of an existing BGP policy
Node and router assignment parameters
Node Name Specifies the node on which to apply the basic neighbor properties. An existing node or the name of a node that does not yet exist
Router Name Specifies the router on which to apply the basic neighbor properties. An existing router or the name of a router that does not yet exist
Inherit Specifies that this neighbor inherits the basic settings from the template configured for the BGP neighbor group.

To modify the basic property settings, disable this parameter.

Default: enabled

Configuring BGP

You configure BGP from within a workload intent. If you have not yet deployed the workload intent, you can freely modify its design. If you have already deployed the workload VPN intent, create a new candidate version of it before performing this procedure.

At a high level, BGP configuration includes the following tasks:

  1. Configure the global BGP settings.

    This initial configuration is the template that you can apply to a specific node and router instance. The node and router do not need to exist in the workload intent when you assign the global BGP template, which means that you can pre-provision nodes by reapplying this global template to different unique node and router instances.

  2. Configure a BGP group.

    When you create a workload intent, the system creates a default BGP group for the workload, default-bgp-group. You can create additional BGP groups as needed and apply a group to multiple nodes.

  3. Configure BGP neighbors.

    Just as with the global BGP settings, you configure basic settings to create a template for a BGP neighbor. Then, you assign this template to different unique node and router instances. If you want to assign the neighbor template to additional nodes but change some of its settings for a specific node, disable the Inherit flag during node assignment.

Note:
Release 23.8.1 includes the following high-level changes to BGP configuration:
  • In Release 23.4.1, BGP settings were configured per node; in Release 23.8.1, BGP global, group, and neighbor settings are configured per workload. This change allows for the pre-provisioning of nodes.
  • In Release 23.4.1, a single router ID was applied to all routing instances; in Release 23.8.1, you can assign a routing ID for each routing instance.
  • In the Release 23.8.1 Fabric Services System UI, global BGP routes created in Release 23.4.1 are identified in the Routing view, Node Assignment pane with an asterisk under the Router Name column. The router ID shown is applied to all routing instances. You can change this router ID and provide a router name as needed.
  • The BGP- Group view of a workload intent includes the Config-name column, which displays the name of a route deployed for the node in a previous release.
  1. From the main menu, select Workload VPN Intents.
  2. Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
  3. Double-click a workload intent and from the view drop-down list, select Routing.
  4. Configure global BGP settings.
    1. In the Protocols drop-down list, click BGP, then select BGP- Global.
    2. Click + CREATE GLOBAL.
    3. In the Basic Properties pane, provide the global BGP name, local AS number, and optional import and export policies.
      Global import and export BGP policies are optional. You can also specify import and export policies at the BGP group or BGP neighbor level to override the settings at the global or group level. The system does not check the validity of the policy names that you specify; the BGP policies are assumed to already exist on the node, configured through the global configuration override feature or some other mechanism. Because a misspelled policy name is not caught here, verify that each name you enter matches a policy that is actually present on the target node before you generate and deploy the workload.
    4. In the Node Assignment pane, click + ASSIGN NODES.

      Set the node name, router name, and router ID.

    5. Optional: Assign the global configuration to another node and routing instance.
      The node name and router name combination must be unique.
    6. Click CREATE.
    7. Optional: Create another global BGP template.
      Repeat steps 4.a through 4.f.
  5. Create a BGP group.
    1. In the Protocols drop-down list, click BGP, then select BGP- Group.
    2. Click + CREATE BGP GROUP.
    3. Set parameters for the BGP group.
      Set the appropriate parameters for your deployment scenario.
    4. Click CREATE.
  6. Create one or more BGP neighbors.
    1. From the Protocols drop-down list, click BGP, then select BGP- neighbor.
    2. Click + CREATE BGP NEIGHBOR.
    3. Configure the basic properties for a BGP neighbor.
      Set the parameters described in Table 7 as needed in the Basic Properties pane.
    4. Assign the basic properties of the BGP neighbor to a node and router instance.
      In the Node Assignment pane, click + ASSIGN NODES.
      • Specify the node name and router name.
      • To modify any of the basic property settings for this neighbor, disable the Inherit parameter.
      • When you are finished, click Save.
    5. Assign the basic properties of the BGP neighbor to another node and router instance as needed.
    6. Click CREATE.
  7. Update the workload VPN intent.
    1. On the Workload VPN Intents page, click the view drop-down list and select Workload Design.
    2. Click GENERATE WORKLOAD.
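The three-level template model above (global settings, a group, and per-neighbor Override and Inherit flags) is easy to get subtly wrong, and the UI does not validate policy names. The following is an added example, not Fabric Services System code: it models the templates as plain dataclasses, resolves the effective settings of each neighbor (neighbor override wins over group, group over global, as the tables describe), and runs the checks a practitioner would want before clicking GENERATE WORKLOAD. The field names, the sample intent, and the set of policy names assumed to exist on the node are constructed for the example.

```python
"""Pre-deployment lint for the BGP part of a workload VPN intent (added example)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

MAX_HOPS = range(1, 256)  # Toggle Max Hops accepts 1 to 255


@dataclass
class BgpGlobal:
    name: str
    local_as: int
    import_policy: Optional[str] = None
    export_policy: Optional[str] = None


@dataclass
class BgpGroup:
    name: str
    peer_as: Optional[int] = None
    local_as: Optional[int] = None       # None: inherit the global local AS
    max_hops: int = 1                    # eBGP default from the group table
    ipv4_unicast: bool = True
    ipv6_unicast: bool = True
    import_policy: Optional[str] = None
    export_policy: Optional[str] = None


@dataclass
class BgpNeighbor:
    peer_address: str
    group: str
    # A key present here stands for an enabled Override/Toggle flag on the neighbor
    overrides: dict = field(default_factory=dict)


def effective_settings(glob: BgpGlobal, grp: BgpGroup, nb: BgpNeighbor) -> dict:
    """Resolve what the neighbor actually gets: neighbor override > group > global."""
    settings = {
        "local_as": grp.local_as if grp.local_as is not None else glob.local_as,
        "peer_as": grp.peer_as,
        "max_hops": grp.max_hops,
        "ipv4_unicast": grp.ipv4_unicast,
        "ipv6_unicast": grp.ipv6_unicast,
        "import_policy": grp.import_policy or glob.import_policy,
        "export_policy": grp.export_policy or glob.export_policy,
    }
    settings.update(nb.overrides)
    return settings


def lint_neighbor(nb: BgpNeighbor, settings: dict, node_policies: set) -> list:
    """Checks the UI does not perform; each finding is a human-readable string."""
    findings = []
    try:
        ipaddress.ip_address(nb.peer_address)
    except ValueError:
        findings.append("peer address is not a valid IPv4/IPv6 address")
    if settings["peer_as"] is None:
        findings.append("no peer AS at group or neighbor level")
    if settings["max_hops"] not in MAX_HOPS:
        findings.append(f"max hops {settings['max_hops']} outside 1..255")
    if not (settings["ipv4_unicast"] or settings["ipv6_unicast"]):
        findings.append("both address families disabled; session carries no routes")
    # Policy names are not validated by the system: catch typos before deployment
    for direction in ("import_policy", "export_policy"):
        name = settings[direction]
        if name is not None and name not in node_policies:
            findings.append(f"{direction} '{name}' does not exist on the node")
    # An eBGP peer with no policy in a direction accepts or announces everything
    is_ebgp = settings["peer_as"] is not None and settings["peer_as"] != settings["local_as"]
    if is_ebgp:
        for direction in ("import_policy", "export_policy"):
            if settings[direction] is None:
                findings.append(f"eBGP peer has no {direction.replace('_', ' ')}")
    return findings


def lint_intent(glob, groups, neighbors, node_policies) -> dict:
    """Map peer address -> list of findings for every neighbor in the intent."""
    by_name = {g.name: g for g in groups}
    report = {}
    for nb in neighbors:
        grp = by_name.get(nb.group)
        if grp is None:
            report[nb.peer_address] = [f"group '{nb.group}' does not exist"]
            continue
        report[nb.peer_address] = lint_neighbor(nb, effective_settings(glob, grp, nb), node_policies)
    return report


# Constructed sample intent, not real deployment data
GLOBAL = BgpGlobal("wl-global", local_as=65000, import_policy="CUSTOMER-IN")
GROUPS = [BgpGroup("customers", peer_as=65010, export_policy="CUSTOMER-OUT"),
          BgpGroup("rr", peer_as=65000)]
NEIGHBORS = [
    BgpNeighbor("192.0.2.10", "customers"),
    BgpNeighbor("192.0.2.11", "customers", overrides={"max_hops": 3, "export_policy": "CUSTMER-OUT"}),
    BgpNeighbor("2001:db8::1", "rr", overrides={"ipv4_unicast": False, "ipv6_unicast": False}),
]
NODE_POLICIES = {"CUSTOMER-IN", "CUSTOMER-OUT"}  # assumed to be what the node actually has

if __name__ == "__main__":
    for peer, findings in lint_intent(GLOBAL, GROUPS, NEIGHBORS, NODE_POLICIES).items():
        print(peer, findings or "ok")
```

Run against the sample intent, the first neighbor is clean, the second is flagged for the misspelled export policy that the UI would have accepted silently, and the third is flagged because both address families were disabled by its overrides. The eBGP-without-policy check is a review aid rather than a hard error; whether an unfiltered external session is acceptable is a decision for the operator.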

Static route parameters

Next Hop Group instance settings

Table 8. Next-hop group parameters
Field Name Description Value
Next Hop Group Name Specifies the name of the next-hop group. String
Description Describes the next-hop group. String
Blackhole Specifies that traffic using this next-hop group is dropped. No next hops can be created for a blackhole next-hop group. Default: disabled
Generate-icmp If the Blackhole parameter is enabled, specifies whether the router generates ICMP messages for the dropped packets. Default: disabled
Resolve When this parameter is enabled, SR Linux can resolve the next-hop address through another route in the routing table instead of requiring the next hop to be directly connected.

In SR Linux, this setting is configured per next-hop; in the Fabric Services System, this setting applies at a group level and is applied to every next hop within the group.

Default: disabled
BFD Enables BFD on each of the next-hop instances within the group.

In SR Linux, this setting is configured per next-hop; in the Fabric Services System, this setting applies at a group level and is applied to every next hop within the group.

Default: disabled
BFD Local Address Specifies the local address to use for the BFD session, if BFD is enabled.

This setting applies to each next-hop instance within the next-hop group. If an IPv4 address is specified, it is applied to any next hop that is configured with an IPv4 address. Similarly, if an IPv6 address is specified, it is applied to any next hop that is configured with an IPv6 address. A next hop of one address family therefore gets no BFD local address from a setting of the other family.

An IPv4 or IPv6 address that is an existing gateway IP address within the router (ip-vrf)
The Next Hops pane contains the parameters that configure a next-hop instance for the next-hop group. Each next-hop instance is defined by the following parameters.
Index Specifies the index number of this next hop within the next-hop group. Integer
IP address Specifies the IP address of this next hop. IPv4 or IPv6
Admin State Specifies whether this next-hop instance is enabled or disabled. Default: disabled
Inherit By default, the BFD settings are inherited from the basic parameters of the next-hop group. If disabled, the BFD settings for this next hop can be modified individually. Default: enabled

Static Route Details parameters

Table 9. Basic properties
Parameter Description Value
Name Specifies the name of the static route. String
Description Provides an optional description for the route. String
Prefix Specifies the prefix of a subnet for this static route. IPv4 or IPv6 format
Next Hop Group Specifies the name of an existing next-hop group. String
Preference Specifies the preference for this static route. Default: 5
Table 10. Node assignment parameters
Parameter Description Value
Node Name Specifies the node on which to apply this static route. An existing node or the name of a node that does not yet exist
Router Name Specifies the router on which to add the static route. An existing router or the name of a router that does not yet exist
Inherit By default, specifies that the settings for this route are inherited from the basic parameters configured for the template.

To modify the basic property settings, disable this parameter.

Default: enabled

Configuring static routes

Static routes are configured within a workload intent. If you have already deployed the workload VPN intent, create a new candidate version of the workload VPN intent before performing this procedure.

To configure a static route, configure at least one next-hop group. Then, create a static route that references that next-hop group. A next-hop group is not deployed unless it is referenced in a route.

  1. From the main menu, select Workload VPN Intents.
  2. Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
  3. Double-click a workload intent, then from the view drop-down list, select Routing.
  4. Create one or more next-hop groups.
    1. In the Protocols drop-down list, highlight Static Routing, then click Static Routing - Next Hop Groups.
    2. Click + CREATE NEXTHOPGROUP.
    3. Configure basic parameters for the next-hop group.
      This step configures the template for the next hops. Set the following parameters:
      • Next Hop Group Name
      • Description
      • Blackhole
      • Generate-icmp
      • Resolve
      • BFD
      • If BFD is enabled, BFD Local Address
  5. Create the next hops for this next-hop group.
    1. In the Next Hops pane, click + CREATE.
    2. Set the index, IP address, and admin state for this next-hop instance.
    3. To change some settings for this next-hop instance, disable the Inherit parameter.
      You can enable or disable BFD, specify a BFD local address. You can also configure the BFD Local Discriminator and BFD Remote Discriminator.
    4. Click SAVE.
    5. Optional: Create additional next hops as needed.
      Repeat steps 5.a through 5.d.
  6. Configure a static route.
    1. In the Protocols drop-down list, highlight Static Routing, then click Static Routing - Static Routes.
    2. Configure the basic properties for the static route.
      In the Basic Properties pane:
      • Provide a name and an optional description for the route.
      • Provide a prefix for the subnet.
      • Select an existing next-hop group for this static route.
      • Set the preference for the route.
  7. Assign the static route to a node and router instance.
    1. In the Node Assignment pane, click + ASSIGN NODES.
    2. Specify the node name and router name.
    3. To modify any of the basic settings for the static route, disable the Inherit parameter and make the changes as needed.
    4. When you are finished, click Save.
    5. Optional: Repeat sub-steps 7.a through 7.d to assign the static route to another node and router instance.
    6. Click CREATE.
  8. Update the workload VPN intent.
    1. On the Workload VPN Intents page, click the view drop-down list and select Workload Design.
    2. Click GENERATE WORKLOAD.
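Two rules in the procedure above are easy to violate without the UI complaining: a next-hop group is only deployed if a static route references it, and a BFD local address only applies to next hops of the same address family. The following is an added example, not Fabric Services System code, that models next-hop groups, their next hops (with the Inherit flag), and static routes as dataclasses, then reports the dangling references, the unreferenced groups that will silently not be deployed, the blackhole/next-hop contradictions, and the next hops whose BFD session has no usable local address. The field names and the sample data are constructed for the example.

```python
"""Lint for the static routing part of a workload VPN intent (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class NextHop:
    index: int
    address: str
    admin_state: bool = True
    inherit: bool = True
    bfd: Optional[bool] = None               # only consulted when inherit is False
    bfd_local_address: Optional[str] = None  # only consulted when inherit is False


@dataclass
class NextHopGroup:
    name: str
    blackhole: bool = False
    generate_icmp: bool = False
    resolve: bool = False
    bfd: bool = False
    bfd_local_address: Optional[str] = None  # applies only to next hops of its own family
    next_hops: List[NextHop] = field(default_factory=list)


@dataclass
class StaticRoute:
    name: str
    prefix: str
    next_hop_group: str
    preference: int = 5


def effective_next_hop(group: NextHopGroup, nh: NextHop) -> dict:
    """Inherit enabled: BFD settings come from the group; otherwise the per-hop values."""
    if nh.inherit:
        return {"bfd": group.bfd, "bfd_local_address": group.bfd_local_address}
    return {"bfd": nh.bfd if nh.bfd is not None else group.bfd,
            "bfd_local_address": nh.bfd_local_address or group.bfd_local_address}


def lint_group(group: NextHopGroup) -> List[str]:
    findings = []
    if group.blackhole and group.next_hops:
        findings.append("blackhole group must not contain next hops")
    if group.generate_icmp and not group.blackhole:
        findings.append("Generate-icmp only applies when Blackhole is enabled")
    if not group.blackhole and not any(nh.admin_state for nh in group.next_hops):
        findings.append("no administratively enabled next hop; routes using it cannot forward")
    for nh in group.next_hops:
        try:
            addr = ipaddress.ip_address(nh.address)
        except ValueError:
            findings.append(f"next hop {nh.index}: '{nh.address}' is not a valid address")
            continue
        eff = effective_next_hop(group, nh)
        if eff["bfd"]:
            local = eff["bfd_local_address"]
            # An IPv4 BFD local address is never applied to an IPv6 next hop, and vice versa
            if local is None or ipaddress.ip_address(local).version != addr.version:
                findings.append(f"next hop {nh.index} ({nh.address}): BFD enabled but no "
                                f"IPv{addr.version} BFD local address")
    return findings


def lint_static_routing(groups, routes):
    """Return (findings per object name, names of the groups that will be deployed)."""
    by_name = {g.name: g for g in groups}
    findings = {g.name: lint_group(g) for g in groups}
    referenced = set()
    for r in routes:
        rf = findings.setdefault(r.name, [])
        try:
            ipaddress.ip_network(r.prefix, strict=True)   # host bits set -> ValueError
        except ValueError:
            rf.append(f"'{r.prefix}' is not a valid prefix")
        if r.next_hop_group not in by_name:
            rf.append(f"next-hop group '{r.next_hop_group}' does not exist")
        else:
            referenced.add(r.next_hop_group)
    for name in by_name.keys() - referenced:
        findings[name].append("not referenced by any static route; will not be deployed")
    return findings, referenced


# Constructed sample data, not from a real intent
GROUPS = [
    NextHopGroup("to-fw", bfd=True, bfd_local_address="10.1.1.1",
                 next_hops=[NextHop(0, "10.1.1.2"), NextHop(1, "2001:db8:1::2")]),
    NextHopGroup("sinkhole", blackhole=True, generate_icmp=True),
    NextHopGroup("unused", next_hops=[NextHop(0, "10.2.2.2")]),
]
ROUTES = [
    StaticRoute("default-via-fw", "0.0.0.0/0", "to-fw"),
    StaticRoute("drop-bogons", "192.0.2.0/24", "sinkhole", preference=10),
    StaticRoute("typo", "10.9.0.1/24", "to-fwl"),
]

if __name__ == "__main__":
    report, deployed = lint_static_routing(GROUPS, ROUTES)
    for name, items in report.items():
        print(name, items or "ok")
    print("groups that will be deployed:", sorted(deployed))
```

On the sample data the IPv6 next hop in to-fw is flagged because the group only carries an IPv4 BFD local address, the unused group is reported as one that will never reach the node, and the typo route is flagged twice: its prefix has host bits set and its next-hop group name does not match any group.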

Aggregate route parameters

Table 11. Basic properties
Parameter Description Value
Name Specifies the name of the aggregate route. String
Description Provides an optional description for the route. String
Prefix Specifies the prefix of a subnet for this route. IPv4 or IPv6 format
Aggregator Address Specifies the IP address of the aggregator route. IPv4 or IPv6 format
Aggregator AS Number Specifies the AS number for this route. Integer
Summary Only Specifies that when the aggregate route is active, BGP advertises only the aggregate and suppresses the advertisement of all of its contributing (more specific) routes. Default: disabled
Generate-icmp If enabled, specifies that the router generates ICMP unreachable messages for the dropped packets. Default: disabled
Table 12. Node assignment parameters
Parameter Description Value
Node Name Specifies the node on which to apply this aggregate route. An existing node or the name of a node that does not yet exist
Router Name Specifies the router on which to add the aggregate route. An existing router or the name of a router that does not yet exist
Inherit Specifies that settings are inherited from the configured basic parameters template for the aggregate route. To modify the basic property settings, disable this parameter. Default: enabled

Configuring aggregate routes

You configure aggregate routes within a workload intent. If you have already deployed the workload VPN intent, create a new candidate version of the workload VPN intent before performing this procedure.

To configure aggregate routes, first configure basic parameters for an aggregate route. This initial configuration is the template that you can apply to a specific node and router instance. By default, aggregate routes are applied to any node on with an attached. You can also apply the aggregate route only to a specific node or set of nodes.

  1. From the main menu, select Workload VPN Intents.
  2. Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
  3. Double-click a workload intent, then from the view drop-down list, select Routing.
  4. Create an aggregate route.
    1. In the Protocols drop-down list, highlight Aggregate.
    2. Click + CREATE AGGREGATE.
    3. Configure the basic properties for the aggregate route.
      • Provide a name and an optional description for the aggregate route.
      • Provide a prefix.
      • Provide an aggregator address and aggregator AS number.
      • Specify if the route is summary only.
      • Specify if the router generates ICMP unreachable messages.
    4. Assign the aggregate route to a node and router instance.

      In the Node Assignment pane, click + ASSIGN NODES. Specify the node name and router name. To modify any of the basic property settings for this aggregate route, disable the Inherit parameter and modify the settings as needed. When you are finished, click Save.

    5. Optional: Assign the aggregate route settings to another node and routing instance.
      Repeat steps 4.a through 4.d. The node name and router name combination must be unique within a workload intent.
  5. Click CREATE.
  6. Update the workload VPN intent.
    1. On the Workload VPN Intents page, click the view drop-down list and select Workload Design.
    2. Click GENERATE WORKLOAD.
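The Summary Only flag changes what the fabric announces, not just what it stores, so it is worth seeing the effect on a concrete route set before deploying. The following is an added example, not Fabric Services System code. It validates the aggregate route parameters from Table 11 and then computes, for a constructed set of routes, which aggregates become active and which more specific routes a summary-only aggregate suppresses. It assumes the usual aggregate semantics, which the page does not spell out: an aggregate is active only when at least one contributing route exists, and a contributing route is one strictly more specific than the aggregate prefix in the same address family. Names and sample prefixes are constructed for the example.

```python
"""Effect of aggregate routes with and without Summary Only (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple
import ipaddress


@dataclass
class AggregateRoute:
    name: str
    prefix: str
    aggregator_address: str
    aggregator_as: int
    summary_only: bool = False
    generate_icmp: bool = False


def validate_aggregate(agg: AggregateRoute) -> List[str]:
    """Parameter checks for one aggregate route; each finding is a string."""
    findings = []
    try:
        ipaddress.ip_network(agg.prefix, strict=True)
    except ValueError:
        findings.append(f"'{agg.prefix}' is not a valid prefix")
    try:
        ipaddress.ip_address(agg.aggregator_address)
    except ValueError:
        findings.append(f"'{agg.aggregator_address}' is not a valid aggregator address")
    if not 1 <= agg.aggregator_as <= 4294967295:   # 32-bit AS number range, 0 is reserved
        findings.append(f"aggregator AS {agg.aggregator_as} outside 1..4294967295")
    return findings


def contributing(agg: AggregateRoute, routes: Iterable[str]) -> Set[str]:
    """Routes strictly more specific than the aggregate prefix, same address family."""
    a = ipaddress.ip_network(agg.prefix)
    out = set()
    for r in routes:
        n = ipaddress.ip_network(r)
        if n.version == a.version and n != a and n.subnet_of(a):
            out.add(r)
    return out


def advertised_after_aggregation(aggs: Iterable[AggregateRoute],
                                 routes: Iterable[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (advertised prefixes, suppressed prefixes, active aggregate prefixes)."""
    routes = set(routes)
    suppressed, active = set(), set()
    for agg in aggs:
        contrib = contributing(agg, routes)
        if not contrib:
            continue                 # no contributing route: the aggregate is not active
        active.add(agg.prefix)
        if agg.summary_only:
            suppressed |= contrib    # only the aggregate is announced for these
    return (routes - suppressed) | active, suppressed, active


# Constructed sample data, not from a real intent
AGGREGATES = [
    AggregateRoute("cust-agg", "10.10.0.0/16", "10.0.0.1", 65000, summary_only=True),
    AggregateRoute("v6-agg", "2001:db8::/32", "2001:db8::1", 65000, summary_only=False),
    AggregateRoute("idle", "172.16.0.0/12", "10.0.0.1", 65000, summary_only=True),
]
ROUTES = {"10.10.1.0/24", "10.10.2.0/24", "10.20.0.0/16", "2001:db8:1::/48"}

if __name__ == "__main__":
    for agg in AGGREGATES:
        print(agg.name, validate_aggregate(agg) or "ok")
    advertised, suppressed, active = advertised_after_aggregation(AGGREGATES, ROUTES)
    print("active aggregates:", sorted(active))
    print("suppressed:", sorted(suppressed))
    print("advertised:", sorted(advertised))
```

With the sample data the summary-only cust-agg hides both 10.10.x.0/24 routes behind 10.10.0.0/16, v6-agg is announced alongside its /48 contributor because it is not summary-only, and idle never becomes active because nothing more specific than 172.16.0.0/12 exists in the route set.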