efa tenant epg create

Creates a Layer 3 endpoint group.

Syntax

efa tenant epg create [ --name epg-name | --tenant tenant-name | --description desc | --port ip-ethport | --po po-name | --switchport-mode { access | trunk | trunk-no-default-native } | --type { l3-hand-off | extension | port-profile } | --switchport-native-vlan-tagging | --switchport-native-vlan value | --ctag-range range | --ctag-description desc | --vrf vrf-name | --l3-vni vni | --l2-vni vni | --anycast-ip ipv4 | --anycast-ipv6 ipv6 | --local-ip ipv4 | --local-ipv6 ipv6 | --bridge-domain bd-name | --ipv6-nd-mtu mtu-value | --ipv6-nd-managed-config flag | --ipv6-nd-other-config other-flag | --ipv6-nd-prefix ipv6-prefix | --ipv6-nd-prefix-valid-lifetime lifetime | --ipv6-nd-prefix-preferred-lifetime pref-lifetime | --ipv6-nd-prefix-no-advertise | --ipv6-nd-prefix-config-type { no-autoconfig | no-onlink | off-link } | --single-homed-bfd-session-type { auto | software | hardware } | --ip-mtu mtu-value | --suppress-arp array | --suppress-nd array | --pp-mac-acl-in ext-mac-permit-any-mirror-acl | --pp-mac-acl-out ext-mac-permit-any-mirror-acl | --pp-ip-acl-in ext-ip-permit-any-mirror-acl | --pp-ip-acl-out ext-ip-permit-any-mirror-acl | --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl | --np-mac-acl-in ctag:ext-mac-permit-any-mirror-acl | --np-mac-acl-out ctag:ext-mac-permit-any-mirror-acl | --np-ip-acl-in ctag:ext-ip-permit-any-mirror-acl | --np-ip-acl-out ctag:ext-ip-permit-any-mirror-acl | --np-ipv6-acl-in ctag:ext-ipv6-permit-any-mirror-acl | --dhcpv4-relay-address-ip ipv4 | --dhcpv6-relay-address-ip ipv6 | --dhcpv4-relay-gateway-ip ipv4 | --dhcpv4-relay-gateway-ip-interface ipv4 | --dhcpv6-relay-gateway-ip-interface ipv6 | --dhcpv4-relay-gateway-interface ipv4 | --dhcpv6-relay-gateway-interface ipv6 | --dhcpv6-relay-gateway-interface-ip ipv6 | --ip-icmp-redirect ctag:ip-icmp-redirect | --ipv6-icmp-redirect ctag:ipv6-icmp-redirect | --help ]

Parameters

--name epg-name
Specifies the name of the endpoint group.
--tenant tenant-name
Specifies the name of the associated tenant.
--description desc
Describes the endpoint group.
--port ip-ethport
Specifies the device IP address and Ethernet port details. Example: SW1_IP[0/1], SW2_IP[0/5,0/6], SW3_IP[0/7-10]
--po po-name
Lists port channels. Example: po1, po2
--switchport-mode { access | trunk | trunk-no-default-native }
Configures switch port mode on the interfaces. The default is trunk.
--type { l3-hand-off | extension | port-profile }
Configures the BGP service type. Valid values are l3-hand-off, port-profile, or extension. The default is extension.
--switchport-native-vlan-tagging
Enables the native VLAN characteristics on the ports of this endpoint group. Valid only if the switchport-mode parameter is set to trunk.
--switchport-native-vlan value
Configures native VLAN on the interfaces. Valid values are 2 through 4090, corresponding to the value of the ctag-range parameter.
--ctag-range range
Specifies the customer VLAN range in comma and hyphen separated format. Example: 2-20,30,40,50-55.
--ctag-description desc
Specifies a unique description of the ctag in the following format: ctag:l2-vni.
--vrf vrf-name
Specifies the VRF to which these networks are attached.
--l3-vni vni
Specifies the Layer 3 VNI to be used for this VRF.
--l2-vni vni
Specifies the Layer 2 VNI to be used for this network in the following format: ctag:l2-vni.
--anycast-ip ipv4
Specifies the IPv4 anycast address in the following format: ctag:anycast-ip.
--anycast-ipv6 ipv6
Specifies the IPv6 anycast address in the following format: ctag:anycast-ipv6.
--local-ip ipv4
Specifies the IPv4 local address in the following format: ctag,device-ip:local-ip.
--local-ipv6 ipv6
Specifies the IPv6 local address in the following format: ctag,device-ip:local-ipv6.
--bridge-domain bd-name
Specifies the bridge domain name in the following format: ctag:bridge-domain.
--ipv6-nd-mtu mtu-value
Sets the maximum transmission unit (MTU) for IPv6 neighbor discovery. Valid values range from 1280 through 65535. The format is ctag:mtu.
--ipv6-nd-managed-config flag
Sets the managed configuration flag for IPv6 router advertisement. The format is ctag:managedflag.
--ipv6-nd-other-config other-flag
Sets the other configuration flag for IPv6 router advertisement. The format is ctag:otherflag.
--ipv6-nd-prefix ipv6-prefix
Configures the IPv6 prefix address in the following format: ctag:prefix1,prefix2.
--ipv6-nd-prefix-valid-lifetime lifetime
Sets the IPv6 prefix valid lifetime from 0 through 4294967295 in seconds. The format is ctag,prefix:validTime.
--ipv6-nd-prefix-preferred-lifetime pref-lifetime
Sets the IPv6 prefix preferred lifetime from 0 through 4294967295 in seconds. The format is ctag,prefix:preferredTime.
--ipv6-nd-prefix-no-advertise
Enables the prevention of prefix advertisement. The format is ctag,prefix:noadvertiseflag.
--ipv6-nd-prefix-config-type { no-autoconfig | no-onlink | off-link }
Sets the configuration type for the IPv6 prefix. The format is ctag,prefix:configType.
--single-homed-bfd-session-type { auto | software | hardware }
Specifies the BFD session type for the endpoint group. The default is auto, which means that the BFD session type is automatically determined based on the value of the type parameter: extension or L3 hand-off.
--ip-mtu mtu-value
Sets the IP maximum transmission unit (MTU) for the tenant network. Valid values range from 1280 through 9194. The format is ctag:ip-mtu.
--suppress-arp value
Sets the suppress-arp flag for this network. The format is ctag:suppress-arp. Example: 1002:false.
--suppress-nd value
Sets the suppress-nd flag for this network. The format is ctag:suppress-nd. Example: 1002:false.
--pp-mac-acl-in ext-mac-permit-any-mirror-acl
Apply MAC ACL in ingress direction on ethernet / portchannel interfaces. The only supported ACL name is ext-mac-permit-any-mirror-acl and only supported ACL type is extended. Format --pp-mac-acl-in <acl-name>. Example: --pp-mac-acl-in ext-mac-permit-any-mirror-acl.
--pp-mac-acl-out ext-mac-permit-any-mirror-acl

Apply MAC ACL in egress direction on ethernet / portchannel interfaces. The only supported ACL name is ext-mac-permit-any-mirror-acl and only supported ACL type is extended. Format --pp-mac-acl-out <acl-name>. Example: --pp-mac-acl-out ext-mac-permit-any-mirror-acl.

--pp-ip-acl-in ext-ip-permit-any-mirror-acl

Apply IP ACL in ingress direction on ethernet / portchannel interfaces. The only supported ACL name is ext-ip-permit-any-mirror-acl and only supported ACL type is extended. Format --pp-ip-acl-in <acl-name>. Example: --pp-ip-acl-in ext-ip-permit-any-mirror-acl.

--pp-ip-acl-out ext-ip-permit-any-mirror-acl

Apply IP ACL in egress direction on ethernet / portchannel interfaces. The only supported ACL name is ext-ip-permit-any-mirror-acl and only supported ACL type is extended. Format --pp-ip-acl-out <acl-name>. Example: --pp-ip-acl-out ext-ip-permit-any-mirror-acl.

--pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl

Apply IPv6 ACL in ingress direction on ethernet / portchannel interfaces. The only supported ACL name is ext-ipv6-permit-any-mirror-acl and only supported ACL type is extended. Format --pp-ipv6-acl-in <acl-name>. Example: --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl.

--np-mac-acl-in ctag:ext-mac-permit-any-mirror-acl

Apply MAC ACL in ingress direction on vlan. The only supported ACL name is ext-mac-permit-any-mirror-acl and only supported ACL type is extended. Format --np-mac-acl-in <ctag:acl-name>. Example: --np-mac-acl-in 101:ext-mac-permit-any-mirror-acl.

--np-mac-acl-out ctag:ext-mac-permit-any-mirror-acl

Apply MAC ACL in egress direction on vlan. The only supported ACL name is ext-mac-permit-any-mirror-acl and only supported ACL type is extended. Format --np-mac-acl-out <ctag:acl-name>. Example: --np-mac-acl-out 101:ext-mac-permit-any-mirror-acl.

--np-ip-acl-in ctag:ext-ip-permit-any-mirror-acl

Apply IP ACL in ingress direction on ve interface. The only supported ACL name is ext-ip-permit-any-mirror-acl and only supported ACL type is extended. Format --np-ip-acl-in <ctag:acl-name>. Example: --np-ip-acl-in 101:ext-ip-permit-any-mirror-acl.

--np-ip-acl-out ctag:ext-ip-permit-any-mirror-acl

Apply IP ACL in egress direction on ve interface. The only supported ACL name is ext-ip-permit-any-mirror-acl and only supported ACL type is extended. Format --np-ip-acl-out <ctag:acl-name>. Example: --np-ip-acl-out 101:ext-ip-permit-any-mirror-acl.

--np-ipv6-acl-in ctag:ext-ipv6-permit-any-mirror-acl

Apply IPv6 ACL in ingress direction on ve interface. The only supported ACL name is ext-ipv6-permit-any-mirror-acl and only supported ACL type is extended. Format --np-ipv6-acl-in <ctag:acl-name>. Example: --np-ipv6-acl-in 101:ext-ipv6-permit-any-mirror-acl.

--dhcpv4-relay-address-ip ipv4
DHCP server IPv4 address.
--dhcpv6-relay-address-ip ipv6
DHCP server IPv6 address.
--dhcpv4-relay-gateway-ip ipv4
DHCP IPv4 relay gateway.
--dhcpv4-relay-gateway-ip-interface ipv4
DHCP IPv4 relay gateway IP interface.
--dhcpv6-relay-gateway-ip-interface ipv6
DHCP IPv6 relay gateway interface.
--dhcpv4-relay-gateway-interface ipv4
DHCP IPv4 relay gateway interface.
--dhcpv6-relay-gateway-interface ipv6
DHCP IPv6 relay gateway interface.
--dhcpv6-relay-gateway-interface-ip ipv6
DHCP IPv6 relay gateway interface IP.
--ip-icmp-redirect ctag:ip-icmp-redirect
Sets the IPv4 ICMP redirect flag in the format ctag:icmp-redirect. Example: 1002:true.
--ipv6-icmp-redirect ctag:ipv6-icmp-redirect
Sets the IPv6 ICMPv6 redirect flag in the format ctag:icmpv6-redirect. Example: 1002:true.
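
Added example, not part of this command reference: a pre-flight check in Python that applies the formats and numeric bounds listed above to an argument list before it is passed to efa tenant epg create. The function names, the subset of ctag-keyed options checked, and the rule that every ctag key and the native VLAN must appear in --ctag-range are assumptions made for this example.

```python
import re

# Bounds quoted from the parameter descriptions on this page.
MTU_BOUNDS = {"--ip-mtu": (1280, 9194), "--ipv6-nd-mtu": (1280, 65535)}
NATIVE_VLAN_BOUNDS = (2, 4090)
# Options whose value begins with a ctag key ("ctag:..." or "ctag,device-ip:...").
CTAG_KEYED = {"--l2-vni", "--anycast-ip", "--anycast-ipv6", "--local-ip", "--local-ipv6",
              "--bridge-domain", "--ip-mtu", "--ipv6-nd-mtu", "--suppress-arp",
              "--suppress-nd", "--ip-icmp-redirect", "--ipv6-icmp-redirect"}

def parse_ctag_range(spec):
    """Expand '2-20,30,40,50-55' into a set of ints; raise ValueError if malformed."""
    ctags = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad ctag-range element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi:
            raise ValueError(f"descending range: {part!r}")
        ctags.update(range(lo, hi + 1))
    return ctags

def check_epg_args(argv):
    """Return a list of problems found in an 'efa tenant epg create' argument list."""
    opts = {}  # flag -> list of values (flags may repeat, e.g. --ip-mtu per ctag)
    for i, flag in enumerate(argv[:-1]):
        if flag.startswith("--") and not argv[i + 1].startswith("--"):
            opts.setdefault(flag, []).append(argv[i + 1])
    try:
        ctags = parse_ctag_range(opts["--ctag-range"][0]) if "--ctag-range" in opts else set()
    except ValueError as exc:
        return [str(exc)]
    problems = []
    lo, hi = NATIVE_VLAN_BOUNDS
    for vlan in opts.get("--switchport-native-vlan", []):
        if not (vlan.isdecimal() and lo <= int(vlan) <= hi and int(vlan) in ctags):
            problems.append(f"native VLAN {vlan}: not in {lo}-{hi} or not in ctag-range")
    for flag in sorted(CTAG_KEYED & opts.keys()):
        for value in opts[flag]:
            key, _, rest = value.partition(":")   # first ':' ends the ctag key
            ctag = key.split(",")[0]              # drop ',device-ip' if present
            if not ctag.isdecimal() or int(ctag) not in ctags:
                problems.append(f"{flag} {value}: ctag {ctag!r} not in ctag-range")
            elif flag in MTU_BOUNDS:
                lo, hi = MTU_BOUNDS[flag]
                if not (rest.isdecimal() and lo <= int(rest) <= hi):
                    problems.append(f"{flag} {value}: MTU outside {lo}-{hi}")
    return problems
```

Pass the arguments as a list of separate tokens, with each flag followed by its value; an empty list returned means none of the checked rules were violated.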

Usage Guidelines

An empty endpoint group has no network-policy, network-property, or port-property.

An endpoint group can be created with a port-property but without a port-group. However, an endpoint group cannot be created with a port-group but without a port-property.

ARP suppression is enabled for all the possible broadcast domains, VLAN or BD, on the device.

CEP is handled by replicating all the tenant configuration on the MCT neighbor except for the endpoint configuration, because the endpoint does not exist on the MCT neighbor.

Event handling sets the corresponding tenant networks to the cfg-refreshed state. However, there is no way to re-push the refreshed configuration onto the devices.

The value of --single-homed-bfd-session-type is configured for one endpoint group and then propagated to all Ethernet and single-homed port channel interfaces defined for that endpoint group.

XCO does not distinguish between SRIOV (single-root input/output virtualization) and non-SRIOV connections. Therefore, it treats both connections the same way. If you want to use hardware-based BFD sessions for CEP non-SRIOV connections, then create an endpoint group that contains all the CEP non-SRIOV connections and set the --single-homed-bfd-session-type to hardware.

You use the --ip-mtu parameter to configure the Maximum Transmission Unit (MTU) for the tenant network. This value is then configured on the interface VE on the SLX device. The output of the efa tenant epg show --detail command includes the configured --ip-mtu <mtu-value>.

Examples

This example creates a VLAN-based Layer 3 endpoint group.
$ efa tenant epg create --name epg1 --tenant tenant11 --switchport-mode trunk 
--switchport-native-vlan 10 --switchport-native-vlan-tagging --port 10.20.216.15[0/11],10.20.216.16[0/11] 
--po po1 --vrf blue11 --ctag-range 10 --l2-vni 10:10010 --l3-vni 14191 --anycast-ip 10:10.10.10.1/24 
--anycast-ipv6 10:10::1/125 --local-ip 10,10.20.216.15:1.1.10.3/28  --local-ip 10,10.20.216.16:1.1.10.4/28 
--local-ipv6 10,10.20.216.15:10a:10::3/125 --local-ipv6 10,10.20.216.16:10a:10::4/125 --ipv6-nd-mtu 10:9000  
--ipv6-nd-prefix 10:1002::/125,1003::/125,1004::/125 --ipv6-nd-prefix-valid-lifetime 10,1002::/125:infinite 
--ipv6-nd-prefix-preferred-lifetime 10,1002::/125:1020304 --ipv6-nd-prefix-valid-lifetime 10,1003::/125:1020304 
--ipv6-nd-prefix-preferred-lifetime 10,1003::/125:1020304 --ipv6-nd-prefix-valid-lifetime 10,1004::/125:1020304 
--ipv6-nd-prefix-preferred-lifetime 10,1004::/125:infinite --ipv6-nd-prefix-config-type 10,1004::/125:no-onlink 
--ipv6-nd-prefix-config-type 10,1003::/125:off-link --ipv6-nd-prefix-config-type 10,1002::/125:no-autoconfig 
--ipv6-nd-managed-config 10:true --ipv6-nd-other-config 10:true --ctag-description 10:Network-10

EndpointGroup created successfully.

--- Time Elapsed: 16.922083265s ---

This example creates a VLAN-based L3-hand-off endpoint group.
$ efa tenant epg create --tenant tenant11 --name epg2 
--type l3-hand-off --switchport-mode trunk --port 10.20.216.15[0/18],10.20.216.16[0/18] --po po2 
--vrf blue11 --ctag-range 12 --l2-vni 12:10012 --l3-vni 14191 --local-ipv6 12,10.20.216.16:10:12a::1/127 
--local-ipv6 12,10.20.216.15:10:12a::2/127 --local-ip 12,10.20.216.16:1.1.12.1/29 
--local-ip 12,10.20.216.15:1.1.12.2/29

EndpointGroup created successfully.

--- Time Elapsed: 8.605943783s ---

This example creates a bridge-domain-based Layer 3 endpoint group.
$ efa tenant epg create --tenant tenant21 --name epg3 --type extension 
--switchport-mode trunk --po po11 --ctag-range 1002 --bridge-domain 1002:Net-30002 --l2-vni 1002:30002  
--vrf red11 --anycast-ip 1002:10.20.30.1/24

EndpointGroup created successfully.

--- Time Elapsed: 13.469697138s ---

This example creates a VLAN-based Layer 2 endpoint group.
$ efa tenant epg create --name epg4 --tenant tenant11 
--ctag-range 101-103 --switchport-mode trunk-no-default-native --port 10.20.216.15[0/17]

EndpointGroup created successfully.

--- Time Elapsed: 19.83265s ---

This example creates an endpoint group for which the BFD session type is automatically determined.
$ efa tenant epg create --name epg5 --tenant tenant11 --port 10.20.216.15[0/11],10.20.216.16[0/11]
--po po1 --switchport-mode trunk --single-homed-bfd-session-type auto

This example creates an endpoint group with MTU values for Ctag 11 and Ctag 12.
$ efa tenant epg create --name ten1epg1 --tenant ten1 --port 10.20.246.17[0/1],10.20.246.18[0/1]
--switchport-mode trunk --ctag-range 11-12 --anycast-ip 11:10.0.11.1/24
--anycast-ip 12:10.0.12.1/24 --anycast-ipv6 11:11::1/127 --anycast-ipv6 12:12::1/127
--vrf ten1vrf1 --ip-mtu 11:7900 --ip-mtu 12:8900

This example creates an endpoint group with ICMP redirect.
$ efa tenant epg create --tenant "t1" --name "epg1" --type extension
--switchport-mode trunk --single-homed-bfd-session-type auto
--po po1
--vrf vrf1 --ctag-range 19
--l3-vni 5001 --anycast-ip 19:3.33.3.3/24 --bridge-domain 19:Auto-BD-2 --ctag-description "19:Tenant L3 Extended BD" --l2-vni 19:2 --ip-mtu 19:1600
--ip-icmp-redirect 19:true
--ipv6-icmp-redirect 19:true