CenturyLink Versa FlexVNF SD-WAN Configuration Guide


Version: v16.1r1

General Disclaimer

Although CenturyLink has attempted to provide accurate information in this guide, CenturyLink does not warrant or guarantee the accuracy of the information provided herein. CenturyLink may change the programs or products mentioned at any time without prior notice. Mention of non-CenturyLink products or services is for information purposes only and constitutes neither an endorsement nor a recommendation of such products or services or of any company that develops or sells such products or services.

ALL INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED AS IS, WITH ALL FAULTS, AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED OR STATUTORY. CENTURYLINK AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES RELATED TO THIS GUIDE AND THE INFORMATION CONTAINED HEREIN, WHETHER EXPRESSED OR IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. CENTURYLINK AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR REVENUES, COSTS OF REPLACEMENT GOODS OR SERVICES, LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OF THE GUIDE OR ANY CENTURYLINK PRODUCT OR SERVICE, OR DAMAGES RESULTING FROM USE OF OR RELIANCE ON THE INFORMATION PROVIDED IN THIS GUIDE, EVEN IF CENTURYLINK OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and other information used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Many of the CenturyLink products and services identified in this guide are provided with, and subject to, written software licenses and limited warranties. Those licenses and warranties provide the purchasers of those products with certain rights. Nothing in this guide shall be deemed to expand, alter, or modify any warranty or license or any other agreement provided by CenturyLink with any CenturyLink product, or to create any new or additional warranties or licenses.

CenturyLink, Inc. All rights reserved.

Table of Contents

Preface
   Introduction
   Audience
   Document conventions
   Technical support
Chapter 1. Versa SD-WAN overview
   Versa Director
   Versa SD-WAN controller
   Versa FlexVNF
   Versa Analytics
Chapter 2. Director Context vs Appliance Context
   Overview
Chapter 3. Overview of Templates and Device Groups
   Overview
   How Templates relate to Device Groups and Branch Appliances
Chapter 4. Configuring branch/hub services
   Configuring SD-WAN policies
   Configuring SLA Profiles
   Configuring Forwarding Profiles
   Configuring Application Detection
   Configuring SD WAN Policies
   Configuring Adaptive Shaping
   Configuring NextGen Firewall
   Configuring CGNAT
   Configuring Class of Service
   Configuring direct breakout to Internet
   Final branch configuration view on Versa Director
Appendix 1: Configuring hardware devices in inventory
   Configuring branch device groups
Appendix 2: Managing staging and post-staging templates
Chapter 5. Versa Analytics Overview
   Overview
   SD-WAN analytics UI components
   Dashboard
   SD-WAN sites
   SD-WAN paths
   Logs

Preface

Introduction

This guide explains configuring Versa FlexVNF Advanced Software-Defined WAN (SD-WAN) solution through Versa Director.

Audience

This document is for experienced network administrators and system administrators who are well-versed with virtualization concepts, technologies, and setup.

Document conventions

Convention: Description
Bold: Represents UI elements.
Italics: Values to enter in the text fields or values in drop down menus.
Monospace: CLI or system code.

Notes contain incidental information about the subject and call attention to exceptions.
Tips provide great shortcuts, hints, and recommended settings/configurable values.

Glossary

Term: Description/Full Form
Autonomous System (AS): Collection of networks under a common administration sharing a common routing strategy. Autonomous systems are subdivided by areas. An autonomous system must be assigned a unique 16-bit number by the IANA.
BFD: Bidirectional Forwarding Detection
BGP: Border Gateway Protocol
CMS: Cloud Management System
DSCP: Differentiated Services Code Point
EBGP: External Border Gateway Protocol
ESP: Encapsulating Security Payload
FlexVNF Branch: Branch is the distributed routing and service node in an SD-WAN topology.

FlexVNF Hub: The FlexVNF hub is a uniquely named FlexVNF branch node, running the same FlexVNF software as a branch node, but potentially running multiple tenant organizations, additional scalable centralized services, and may run on elastic cloud and data-center based server resources. The FlexVNF hub may also act as a traffic exchange site in a distributed star topology, and may also assist in hosting IPsec connectivity for sites with restrictive NAT traversal requirements.
Hub: A common connection point for devices in a network. A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.
LEF: Logging and Export Function
MPLS: Multiprotocol Label Switching
NAT: Network Address Translation
NAPT: Network Address Port Translation
NLRI: Network Layer Reachability Information
Post-staging: After the staging phase, the branch goes into the post-staging phase. During this phase, the branch is configured for communication with Versa Director.
Router: A router is a device that forwards data packets along networks. A router is connected to at least two networks and is located at gateways, the places where two or more networks connect.
SD-WAN: Software-Defined WAN
Staging: A branch goes through a Staging phase. During the staging phase, the branch is delivered from a staging server to clients during its initial attachment to the network. The configuration contains a controller address, IPsec and authentication information to connect to the controller(s) hosting the site-specific SD-WAN.
SD-WAN Controller: Controller is a specially configured FlexVNF acting as the primary control node for SD-WAN routing and IPsec connectivity. Rather than creating a full mesh of IPsec IKE and security associations, the controller manages the distribution of SD-WAN topology using BGP.
Switch: A device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model.
Tenant Organizations: Tenant organizations are logical containers that enable grouping and partitioning between enterprise organizations (for example, HR, Finance) or customers (for example, Coca Cola, Pepsi). One or more parent organizations are created (for example, Service Provider), along with tenant organizations that are defined within SD-WAN controllers, hubs and branch nodes.

TTL: Time To Live
VCSN: Versa Control and Service Node
VNF: Virtual Network Function
VNI: Virtual Network Interface
VPN: A virtual private network (VPN) is a technology that creates an encrypted connection over a less secure network. The benefit of using a VPN is that it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it.
VRRP: Virtual Router Redundancy Protocol
VXLAN: Virtual Extensible LAN
Versa Director: VNF Manager for all controllers, SD-WAN hubs, and branch nodes. Versa Director is provisioned at one or more data centers with connectivity to management and control networks for the SD-WAN.
Versa Analytics: The Versa Analytics node provides a pre-integrated solution for full operational visibility into the SD-WAN topology. The Analytics node gathers IPFIX data from the controller, hub, and branch sites and archives and displays this data in readily accessible formats.

Technical support

sdwansupport@centurylink.com

Chapter 1. Versa SD-WAN Overview

Versa's Software-Defined WAN (SD-WAN) solution is for service providers and enterprises. The implementation design combines Versa FlexVNF, Versa Director, and Versa Analytics software to deliver key managed service capabilities, such as multi-tenancy, multi-service, elasticity, and zero-touch provisioning to maximize service agility.

The SD-WAN solution topology is described in the following illustrations.

The key components in the above network topology are explained in the following topics.

Versa Director

Versa Director is the Virtual Network Function (VNF) manager that manages a set of FlexVNF software instances running on general purpose servers. Versa Director provides a single pane for provisioning, configuration, and management of FlexVNFs irrespective of:

- The functions provided by the FlexVNFs that can be intelligent transport or a combination of intelligent transport and other layer 4 through layer 7 network services.
- The location of the FlexVNF that can be branch-site, hub-site, or a cloud service provider.

Versa Director performs the following functions:

- Responsible for the life-cycle management of the FlexVNFs.
- Zero touch provisioning of the FlexVNFs at the branch-sites and hub-sites.
- Centralized configuration and management of the SD-WAN controllers, branch-sites, and hub-sites.
- Supports generalized templates. A group of branch-sites having similar configuration can be bunched together and a template could be associated with this branch-group. Versa Director allows a provider to build a template, which can accommodate branch-specific arguments for variables within the template. LAN-side subnets, DHCP Pools, Access Policy Rules, and Policy Based Forwarding Rules are a few example configurations that can be parameterized.
- Interfaces with Cloud Management Systems from VMware and OpenStack.
- Deployed as an Active-Standby pair for redundancy.

Versa Director v15.2r4 and higher supports the HTTPS protocol and not HTTP.

Versa SD-WAN controller

Versa SD-WAN controller plays a key role in the solution and serves as a primary attachment point to the Virtual Private Network (VPN). The SD-WAN controller provides a central control-plane entry point for zero-touch deployment of branches. The controller authenticates the branch FlexVNF instances by using PKI certificates as part of an IKE exchange. The secure channel established by using IKE provides a transport-channel between a branch node and the SD-WAN controller for transport of routes, policy, and configuration. A single SD-WAN controller can serve as the attachment point for VPNs belonging to several different customers. The SD-WAN controllers can be deployed in a cluster for redundancy and scale. Additionally, each individual SD-WAN controller supports Intra-FlexVNF high availability.

Versa FlexVNF

FlexVNFs are service appliances that can exist at branch-sites and hub-sites. A Versa FlexVNF can be deployed in either of the following high availability (HA) modes:

- Inter-VNF redundancy
- Intra-VNF redundancy

In both cases, the service state is replicated from the active to standby component. A branch FlexVNF can be used for providing intelligent secure connectivity and multiple network services.

Some of the FlexVNF connectivity features are:

- Secured connectivity
- Segmentation
- Support for multiple tenants and multiple VRFs
- Intelligent load-sharing of traffic over various access circuits, based on factors, such as:
   - Company policy
   - Any field of the received packet
   - SLA requirements of layer 3 to layer 7 applications
   - Result of SLA monitoring of multiple paths between various branches
   - Network state
   - User identity
   - Geographical location
   - Time of the day
- Zero touch provisioning
- Centralized configuration, management, and policy enforcement
- Generalized templates
- Multiple layer 3 protocols:
   - Multiprotocol BGP
   - OSPF
   - Static
   - VRRP
- Multiple layer 2 protocols:
   - Link Aggregation Control Protocol (LACP)
   - Connectivity fault management
- Hierarchical QoS, including adaptive shaping
- High availability

Some of the FlexVNF network services are:

- Versatile service chaining
- Direct Internet access
- Avoids sprawl of appliances with support for multiple services:
   - Carrier Grade NAT (CGNAT)
   - Stateful and NextGen Firewall
   - URL Filtering
   - DDoS
   - File Blocking
   - Antivirus (*Not yet supported by CenturyLink)
   - Intrusion Prevention System
- Support for high availability with Stateful Replication

Versa Analytics

Versa Analytics (VAN) is a big data solution that analyzes logs and events and provides powerful reports, analytics, and feedback loop capabilities. It natively integrates with third party data reporting and existing SIEM products. FlexVNF at various branch-sites continuously provides monitoring data relating to link, network-path and services to the Versa Analytics server. Additionally, every service on the FlexVNF, such as the NextGen Security module and the URL Filtering module, generates flow-level and aggregate log messages, which are consumed by VAN. All this data can be used for dynamic application based traffic steering, capacity planning, and security forensics.

For SD-WAN, Versa Analytics supports historical and real time data reporting for:

- Application usage based on total sessions, volume, bandwidth
- Application performance based on latency, jitter, packet loss
- Performance of various paths between any two branches
- Utilization of the different access circuits of branches

Feedback information from Versa Analytics (VAN) is relayed to Versa Director. Each Versa FlexVNF at a remote site continuously provides monitoring information for link and services towards the Versa Analytics server. The traffic optimization and reroute application in Versa Analytics server uses this information to perform network-wide global analysis and optimization. This information relays back to Versa Director.

Chapter 2. Director Context vs Appliance Context

Overview

This chapter explains the difference between the Director Context and Appliance Context in the Versa Director portal. It is important to understand what features are available in each section, and this section will also focus on how changes to a network can be impacted by where they are made in the Director.

*CenturyLink strongly recommends that any changes made by the customer are only done using the templates that are found in the Director Context. Any changes made using the Appliance Context are saved only on an individual appliance AND when the related template is updated in the future, it is likely that it will overwrite the previous change that was made using the Appliance Context. This includes any changes that would be made by CenturyLink SD WAN Support.

Let's take a look at where we can find the 2 contexts in the Director portal. When you first log in to the Director, you will land on the Appliances tab and the Director Context. You can switch between Director Context and Appliance Context with the drop-down menu on the far left.

First, let's review the sections in the Director Context.

Organizations: Used to set up and manage customer tenants in the Director. Should only be used by CenturyLink SD WAN Support Engineers.
Config Templates: The remainder of this guide will focus on this section of the Director Context. This is where a customer should go to make any changes to the templates and device groups and appliances on the network. The next chapter will provide an overview of templates and device groups.
Workflows: Used for initial deployment only and should only be used by CenturyLink SD WAN Support Engineers.
Appliances: Summary of appliances on the network.
Administration: Used for user accounts. Templates and Device Groups and Device Bind Data will also be found in this section. We will discuss each of those in more detail later in the guide.
Analytics: Powerful network analytics for your network.
Monitor: This tab provides a real time view of your network health and other monitoring and troubleshooting information.

Now let's review the Appliance Context.

*Notice the additional drop-down menu that shows an individual appliance is selected.

Organizations: This view of Organizations has very little functionality. It essentially just shows a view of some of the basic features for the organization related to the selected appliance.
Configurations: This section has the same functionality as the Config Templates section in the Director Context. The main difference is that any changes made in this section apply ONLY to the selected appliance in the drop-down menu. *Again, CenturyLink strongly recommends no changes are made directly to an appliance in this section. If a change is made in a troubleshooting situation, it is imperative the change is quickly updated to the related template for the appliance and pushed out to the devices associated to that template.
Administration: Similar to the Administration section in the Director Context, but with limited functionality. Customers should not be making any updates in this section.

Chapter 3. Overview of Templates and Device Groups

Overview

A branch is a node in the network that the provider is setting up for an organization (customer tenant). Every branch in the network is centrally managed by Versa Director via the FlexVNF controller. Typically, the configuration for every branch is provisioned through service templates, enabling zero touch provisioning, since a network can have hundreds of branches. When a new branch is detected for the first time, Versa Director locates the associated branch-group. Versa Director then creates a configuration file by substituting the parameterized variables in the branch template with branch specific values. Finally, the configuration file is deployed that specifies the operational configuration for this branch, which brings up the target branch.

The following depicts how a single branch is related to a Device Group. The device groups are related to Post-Staging templates. Changes to the network covered in this guide will be made using the Post-Staging template and then pushed to all the related devices by this relationship.

Branch (Single Appliance) ====> Device Groups ====> Post-Staging Template

NOTE: Initial deployment of Post-Staging templates and Device Groups will be performed by CenturyLink SD WAN Support Engineers as a network is deployed and activated. CenturyLink SD WAN Support Engineers will strive to keep the number of Post-Staging Templates as small as possible to support a customer's network design. Different Post-Staging Templates are required if any of the following examples are different between branch appliances: different WAN or LAN interfaces, additional or different VLANs, differences in SLA profiles and Forwarding Policies, differences in class of service, and any variation in firewall rules or settings.

How Templates Relate to Device Groups and Branch Appliances

Steps

1. Under the Director Context, go to Administration. Select SDWAN > Device Groups. Select an organization name from the Organization list. (This should default to your organization.) The Name column shows the name of the Device Group and the branch devices related to that Device Group will be on the right side of the screen.
2. Under the Director Context, go to Administration. Select SDWAN > Device Bind Data. You will see 2 drop-down menus at the top of the screen. First is the Device Groups menu, and second is the Template menu. Changing your Device Groups selection will change the Template.

*These 2 steps together can determine how a Template is related to a single branch appliance. More about Device Bind Data will be covered later in the guide.

Chapter 4. Configuring Branch/Hub Services

This chapter explains the procedure to configure services for a branch or hub in the SD-WAN context and covers the following tasks:

- Configuring SD-WAN policies
- Configuring Adaptive Shaping
- Configuring NextGen firewall
- Configuring CGNAT
- Configuring Class of Service
- Configuring Direct breakout to Internet

Configuring SD-WAN policies

This section has the following topics:

- Configuring SLA profiles
- Configuring Forwarding Profiles
- Configuring Application Detection
- Configuring Policies

Configuring SLA Profiles

Service Level Agreement (SLA) profiles are configured to define the network performance parameters to monitor the performance of access circuits and links. An SLA profile defines performance parameters, such as packet delay, packet loss, and jitter for a link. A link or circuit is selected based on the threshold values specified in the SLA profile.

Steps

1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select SDWAN > SLA Profiles. From the Organization list, select an entity.

2. Click to add an SLA profile.
   a. In Name, enter a name for the SLA profile.
   b. In Description, enter a description for the SLA profile.
   c. In Tags, enter the tags for the SLA profile.
   d. To enable low delay variation, select the Low Delay Variation check box.
   e. To enable low latency, select the Low Latency check box.
   f. In Low Packet Loss, select one of the available options.
   g. In Packet Delay-variation, enter the acceptable packet delay (in milliseconds).
   h. In Maximum Latency, enter the acceptable latency.
   i. In Maximum Packet Loss, enter the acceptable packet loss.
   j. In Maximum Forward Packet Loss, enter the acceptable packet loss.
   k. In Maximum Reverse Packet Loss, enter the acceptable packet loss.
   l. In Circuit Transmit Utilization, enter the number of circuit transmit utilization.
   m. In Circuit Receive Utilization, enter the number of circuit receive utilization.
   n. Click OK.

This configures an SLA profile. An SLA profile is associated with a forwarding profile. The next step is to configure forwarding profiles.

Configuring Forwarding Profiles

Versa Director supports the configuration of forwarding profiles. A forwarding profile determines the traffic path based on real-time SLA performance of traffic. A forwarding profile defines the properties of WAN circuits to be selected for traffic. It defines properties, such as the load balancing method to be used for traffic, priority of circuits, circuit type (broadband or MPLS), circuit media, and other associated attributes. Forwarding profiles are associated with SLA profiles to determine the selection of WAN circuits in a given order of priority.

Steps

1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select SDWAN > Forwarding Profiles. From the Organization list, select an entity.
2. Click to add a forwarding profile.
   a. In Name, enter a name for the profile.
   b. In Description, enter a description for the profile.
   c. In Tags, enter the tags for the profile.
   d. In SLA profile, select the SLA profile.
   e. In Encryption, select the encryption mode.
   f. In Connection Selection Method, select the mode to balance traffic.
   g. In Recompute Timer, enter the switching time between circuits when the current circuit does not meet the SLA threshold values.
   h. In SLA Violation Action, select the action to be taken if the traffic does not meet the SLA thresholds.
   i. In Load Balancing Option, select a load balancing option.
   j. To apply switching during traffic flow, select the Evaluate Continuously check box.
   k. To ensure that traffic is sent out from the same circuit that was used for the inflow of traffic, select the Enable Symmetric Forwarding check box.

   l. To enable gradual migration, select the Enable Gradual Migration check box.
   m. To enable replication, select the Replication check box and specify the replication factor and other details.
3. To configure circuit properties for local and remote clients, click the Circuit Priorities tab.
4. Click to define the circuit properties.
   a. In Priority, enter the circuit priority.
   b. In Description, enter the description for the circuit.
   c. In Tag, enter the tag for the circuit.
   d. In the Circuit Names tab, enter the circuit name for the local and remote clients. Click to enter a circuit name.
   e. In the Circuit Types tab, select the type of circuit to be used for the local and remote clients. Click to select a circuit type (for local and remote clients) from the drop-down lists in the respective sections.

   f. In the Circuit Media tab, define the media of the circuit for local and remote clients. Click to select a circuit type for local and remote clients from the drop-down lists in the respective sections.

5. Click the Avoid Connections tab to configure the links that should not be picked. These are defined for the local and remote client links.
   a. In the Local Circuit Names section, click to define the local circuit name to be skipped.
   b. In the Remote Circuit Names section, click to define the remote circuit name to be avoided.
6. Click OK.

This configures a forwarding profile. The next task is to configure the conditions used to detect applications.

Configuring Application Detection

Steps

1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select SDWAN > Application Detection. From the Organization list, select an entity.

2. Click to define the settings.
   a. Application Dynamic Detection. Select Enable to dynamically switch between links when an application is detected during traffic flow.
   b. Application Cache. Select Enable if you want to save the destination IP address and port of an application when it is accessed for the first time. Saving the IP address and port enables a faster connection and a quicker response to the application, the next time a response is sent to the application.
3. Click OK.

This configures the application detection settings. The next task is to configure SD-WAN policies.

Configuring SD WAN Policies

You can configure policies to select traffic based on matching criteria, such as the traffic source address, destination address, source zone, specific IP packet header information, and apply specific forwarding profiles to the selected traffic.

This section covers the following topics:

- Configuring policies
- Configuring rules

Configuring policies

Steps

1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select SDWAN > Policies. From the Organization list, select an entity.
2. Click to add a policy.
   a. In Name, enter the policy name.
   b. In Description, enter the description for the policy.
   c. In Tags, enter the tags for the policy.
3. Click OK.

This adds a policy name. (*CenturyLink deployment should have already added a Default Policy.) The next step is to configure rules.

Configuring rules

Steps

1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select SDWAN > Policies > Rules. From the Organization list, select an entity.

2. Click to add a rule.
   a. In Name, enter a name for the rule.
   b. In Description, enter a description for the rule.
3. To configure source and/or destination addresses as the matching criteria to capture traffic, click the Source/Destination tab.
   a. In the Source Address section, click to select a source address. Source address refers to the originating address of incoming traffic. Source addresses can be classified on the basis of the originating country, region, or IP address.
   b. To block traffic to the selected source addresses in the section, select the Source Address Negate check box.

   c. In the Destination Address section, click to select a destination IP address. Destination address refers to the destination address of the traffic. Addresses are classified on the basis of countries, regions, or IP addresses.
      i. To add a new IP address, click + New Address.
         1. In Name, enter the name.
         2. In Description, enter the description.
         3. In Tags, enter the tags.
         4. In Type, select the type.
         5. In IPv4Address/Prefix, enter the IP address.
      ii. To group IP addresses, click + New Address Group.
         1. In Name, enter the name for the address group.
         2. In Description, enter the description for the address group.
         3. In Tags, enter the tags for the address group.
         4. In Address, click to select an address.
   d. To block traffic to the selected destination addresses in this section, select the Destination Address Negate check box.
   e. In the Source Zone section, select the source zone of the traffic. Zone refers to a set of interfaces.

      Click to select a source zone from the drop-down list.
      i. To add a zone, click + New Zone.
         1. In Name, enter the name for the zone.
         2. In Description, enter the description for the zone.
         3. In Tags, enter the tags for the zone.
         4. In Zone Protection Profile, select a zone protection profile.
         5. In Log Profile, select a log profile.
         6. To select interface and networks, routing instances, and organizations, select the corresponding options and click to add those entities.
   f. In the Source Site ID section, select the source site IDs.
   g. In the Destination Site ID section, select the destination site IDs.
4. To configure matching criteria based on the IP packet header information, click the Headers/Schedule tab.

   a. In IP Version, select the version of IP.
   b. In IP Flags, indicate whether routers are allowed to fragment the data packets:
      - More Fragments
      - Don't Fragment
   c. In DSCP, click to add DSCP. Differentiated Services Code Point (DSCP) refers to the value or cost of the policy.
   d. Under the TTL section, select the condition and the value for the condition. This matches traffic on the basis of the selected IP version, IP flag, and TTL match condition in the packet's header.
   e. In Schedules, specify the frequency of the action to be taken.
   f. To create a new schedule, click + New Schedule.
   g. In the Services list, select the services to be allowed or blocked. Click to select a service from the drop-down list. The list includes predefined and user-defined services. Service is defined on the basis of the destination address and port.

5. To select traffic based on applications and URLs, click the Applications/URL tab. Select the applications and application groups on which to apply this rule.
   a. In the Applications section, click to select an application from the drop-down list. The list includes predefined and user-defined applications.

      i. To add an application, click + New Application.
         1. In Name, enter the name for the application.
         2. In Description, enter the description for the application.
         3. In Host Pattern, enter the host pattern for the application.
         4. In Application Timeout, enter the time after which the application must time out.
         5. Select available options under Family, Sub-Family, Risk, Productivity, Security, SDWAN, and General columns.
      ii. To add an application group, click + New Group.
         1. In Name, enter a name for the application group.
         2. In Description, enter the description for the application group.

         3. In Tags, enter the tags for the application group.
         4. In Applications, click to select an application.
      iii. To add an application filter on the basis of which applications are filtered and shown in the list, click + New Filter.
         1. In Name, enter the name for the application filter.
         2. In Description, enter the description for the application filter.
   b. In the URL Categories section, click to select a URL category from the drop-down list. The list includes the predefined and user-defined categories.
      i. To add a URL category, click + New URL Category.

         1. In Name, enter the name for the URL category.
         2. In Description, enter a description for the URL category.
         3. In Tags, enter the tags for the URL category.
         4. In Confidence, enter a value.
         5. In the URL Patterns tab, enter a pattern name and select its reputation from the drop-down list. Click. The rule definition is enforced if the pattern name string is present in the URL used by a user.
         6. In the URL Strings tab, enter the URL strings to which the rule applies and select the reputation from the drop-down list. Click to add the row.

   c. To select the forwarding profile and the action to be taken on the traffic, click the Forwarding tab.
      i. In Action, select the action to be taken on the traffic (Allow Flow, Deny Flow).
      ii. In Forwarding Profile, select the forwarding profile to be applied on the traffic.
6. Click OK. This configures an SD-WAN rule.

Configuring Adaptive Shaping

Adaptive shaping is the process in which a hub dynamically sends a new traffic transmission rate to the branches that are connected to it. Based on the new transmission rate, the branches adjust the traffic volume sent to the hub. This is done because the hub has a WAN link with a downlink limit (for example, 100 MB). When the branches connected to the hub start sending traffic that exceeds the downlink limit of the hub WAN link, the hub can become congested or the ISP will drop the traffic before it even reaches the hub. In such a situation, the hub dynamically advertises a different transmission rate to the branches so that they adjust their transmission rate. Adaptive shaping helps in scaling the number of branches connected to the hub without manually changing the traffic transmission rate of each branch.

Adaptive shaping configuration involves:
- Configuring the hub
- Associating interfaces with branches

You must specify an input rate range for egress traffic on a WAN interface of a branch, which is advertised to other branches in the network. Adaptive shaping configuration on the hub should be considered a secondary solution.

Configuring hub

Steps
1. Under the Director Context, go to Config Templates and select a hub. In the Services tab, select SDWAN > System > Adaptive Shaping.

2. Click to configure the shaping settings. The default adaptive shaping values are as displayed above.
   a. To activate the setting, select Enable.
   b. In High Threshold, enter the upper bandwidth limit (in percentage). When the total traffic bandwidth transmitted to the hub is beyond this value, the hub dynamically advertises a higher shaping rate to the connected branches. Effectively, the hub instructs the branches to reduce the traffic rate to the hub.
   c. In Low Threshold, enter the lower bandwidth limit (in percentage). When the total traffic bandwidth transmitted to the hub is below this value, the hub dynamically advertises a lower shaping rate. Effectively, the hub instructs the branches to increase the traffic rate to the hub.
   d. In Percentage Change, enter the percentage increment or decrement in the bandwidth rate, which is advertised to the branches until the transmission is below or above the high or low threshold value.
   e. In Damping Count, enter the number of times the hub checks the bandwidth transmitted by the branches connected to the hub.
   f. In Poll Interval, enter the time interval at which the checks are made. The checks are made for a total duration of Damping Count * Poll Interval. If the total traffic transmitted by the branches exceeds the uplink limit of the hub link, the hub advertises a shaping rate (bandwidth transmission rate) to the branches.
   g. Click OK. This configures adaptive shaping.
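A toy model of the hub-side loop configured in steps b to f, added here as an illustration; it is not Versa or CenturyLink code. It assumes that a threshold must be crossed on Damping Count consecutive polls before the hub changes the advertised rate, that Percentage Change is applied in percentage points of each branch's configured rate, and that a floor of 10 percent exists; all numeric values are constructed.

```python
from dataclasses import dataclass


@dataclass
class AdaptiveShaper:
    """Hub-side state. Field names mirror the GUI fields; values are constructed."""
    downlink_kbps: int            # downlink limit of the hub WAN link
    high_threshold: int = 80      # High Threshold, percent of downlink
    low_threshold: int = 60       # Low Threshold, percent of downlink
    percentage_change: int = 10   # Percentage Change, in percentage points (assumption)
    damping_count: int = 3        # Damping Count, consecutive polls (assumption)
    poll_interval_s: int = 5      # Poll Interval, seconds
    advertised_pct: int = 100     # share of its configured rate a branch may send
    floor_pct: int = 10           # assumed lower bound, not a documented setting
    _over: int = 0
    _under: int = 0

    def reaction_time_s(self):
        # "The checks are made for a total duration of Damping Count * Poll Interval."
        return self.damping_count * self.poll_interval_s

    def poll(self, received_kbps):
        """One bandwidth check. Returns the rate (percent) advertised to branches."""
        # Traffic above the downlink limit is dropped upstream, so cap at 100 %.
        util = min(100, received_kbps * 100 // self.downlink_kbps)
        if util > self.high_threshold:
            self._over, self._under = self._over + 1, 0
        elif util < self.low_threshold:
            self._over, self._under = 0, self._under + 1
        else:
            self._over = self._under = 0      # inside the band: damping restarts
        if self._over >= self.damping_count:
            # Sustained overload: tell the branches to send less.
            self.advertised_pct = max(self.floor_pct,
                                      self.advertised_pct - self.percentage_change)
            self._over = 0
        elif self._under >= self.damping_count:
            # Sustained headroom: let the branches send more.
            self.advertised_pct = min(100,
                                      self.advertised_pct + self.percentage_change)
            self._under = 0
        return self.advertised_pct


def simulate(shaper, branch_rate_kbps, demand_per_poll):
    """Feed per-poll branch demands (kbps) through the loop.

    Each branch sends min(its demand, its configured rate scaled by the
    advertised percentage). Returns the advertised percentage after each poll.
    """
    history = []
    for demands in demand_per_poll:
        cap = branch_rate_kbps * shaper.advertised_pct // 100
        offered = sum(min(d, cap) for d in demands)
        history.append(shaper.poll(offered))
    return history


def demo():
    # Four branches, each configured for 40 Mbps, behind a 100 Mbps hub downlink.
    shaper = AdaptiveShaper(downlink_kbps=100_000)
    busy = [[35_000] * 4] * 18    # 140 Mbps offered: sustained overload
    quiet = [[10_000] * 4] * 6    # 40 Mbps offered: below the low threshold
    return simulate(shaper, 40_000, busy + quiet)


if __name__ == "__main__":
    print(demo())
```

With these values the advertised rate steps down once every three polls until utilization sits inside the 60 to 80 percent band, and a short burst that does not last Damping Count polls changes nothing.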

The branches respond to the adaptive shaping requests from the hub only if class of service is configured on their interfaces.

Configuring NextGen Firewall

This section has the following topics:
- Configuring predefined objects
- Configuring custom-defined objects
- Configuring security policies

Configuring predefined objects

This section explains configuring predefined objects and has the following topics:
- Predefined applications
- Predefined URL categories
- Predefined URL reputations
- Predefined services

Predefined applications

Versa supports ~2700 applications. Each application has the following predefined attributes defined per tenant:
- Family
- Sub Family
- Risks
- Productivity
- Application Tags: Security, SD-WAN, General
- Timeout

The attributes of an application can be changed for each tenant.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Predefined > Applications. From the Organization list, select an entity.
2. You can change the attributes such as risk, productivity, timeout, and the tags of an application. Click the application name (shown in the Applications column).

   a. Change the required attributes.
3. Click OK. This changes the attributes of the application for the selected organization.

Predefined URL categories

Similar URLs are grouped into categories. Versa has a list of predefined URL categories.

Steps
1. Under the Director context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Predefined > URL Categories.

Predefined URL reputations

URLs are assigned a reputation indicator. This helps in identifying and grouping applications based on their reputation. The lower the value, the higher the reputation of the URL.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Predefined > URL Reputations.

Predefined services

Versa Director has a set of predefined services.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Predefined > Services.

Configuring custom-defined objects

This section explains configuring custom objects and has the following topics:
- Configuring applications
- Configuring application filters
- Configuring application groups
- Configuring URL categories
- Configuring services

Configuring applications

You can add new applications. An application has the following characteristics:
- Family
- Sub-Family
- Risk
- Productivity
- Tags (type of application: SD-WAN, General, Security)
- Application Timeout

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Custom Objects > Applications. From the Organization list, select an entity.
2. Click to add an application. This displays the Add Application screen.
   a. In Name, enter the name of the application.
   b. In Description, enter the description of the application.
   c. In Precedence, enter the precedence.
   d. In Application Timeout, enter the application timeout in seconds.
   e. Select the family, sub-family, risk, productivity, and application tag.
3. Click OK. This creates an application.

Configuring application filters

Versa FlexVNF provides the flexibility to configure filters that select applications on specific criteria. Filters can be based on any of the application attributes (family, sub-family, risk, productivity, and application tags). For example, you can filter applications on the basis of the assigned tag such as SD-WAN, Security, or General.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Custom Objects > Application Filters. From the Organization list, select an entity.
2. Click to add an application filter.
   a. In Name, enter the name for the filter.
   b. In Description, enter the description for the filter.
   c. In the left panel, select the required application attributes to create a filter.
3. Click OK. This configures an application filter.

Configuring application groups

Versa FlexVNF provides the flexibility to group applications on the basis of attributes such as application family, sub-family, risk level, productivity level, and tags. Instead of applying rules to each application separately, rules can be applied on application groups.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Custom Objects > Application Groups. From the Organization list, select an entity.
2. Click to add an application group.
   a. In Name, enter the application group name.
   b. In Description, enter the description for the application group.
   c. In Tags, enter the tags for the application group.
   d. To add an application to the group, click and select the application from the drop-down list.

3. Click OK. This configures an application group.

Configuring URL categories

You can configure URL categories. For example, you can create a category of all the news URLs.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Custom Objects > URL Categories. From the Organization list, select an entity.
2. Click to add a new URL category.
   a. In Name, enter the category name.
   b. In Description, enter the description for the URL category.
   c. In Tags, enter the tags for the URL category.

   d. In Confidence, enter the confidence.
   e. Under the URL Patterns section:
      i. In Pattern, enter the pattern to be used to match and group the URLs.
      ii. From the Reputation list, select the reputation to be assigned to the URL that matches the pattern.
      iii. Click. Repeat the steps to add multiple patterns.
   f. Under the URL Strings section:
      i. In String, add the URL string to be grouped.
      ii. In Reputation, select the reputation to be assigned to the URL string.
      iii. Click. Repeat the above steps to add multiple strings.
   g. Click OK. This configures a URL category.

Configuring services

Versa FlexVNF provides the flexibility of defining a service using a protocol and ports (if applicable). For example, you can create a service for ICMP protocol.

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Objects & Connectors tab, select Objects > Custom Objects > Services. From the Organization list, select an entity.
2. Click to add a service.
   a. In Name, enter the name of the service.
   b. In Description, enter the description for the service.
   c. In Tags, enter the tags for the service.
   d. To specify the service protocol, select Protocol or Protocol Value.
   e. If you select Protocol, select the protocol type from the list. Or, if you select Protocol Value, specify the protocol value.
   f. Enter the Port, Source Port and/or Destination Port.
3. Click OK. This configures a new service.

The next task is to configure security policies.

Configuring security policies

After configuring custom objects such as applications, application groups, URLs, and other objects, you can configure policies to classify traffic via a security or access policy. Rules are defined to identify the type of traffic to be classified and describe the actions to be taken. An access policy must be created to include the stateful firewall rule, which collates the defined objects and assigns an action to be taken, based on the match conditions.

Versa FlexVNF stateful firewall provides the following three actionable options:
- Accept. Allows the sessions matching the configured rule to pass.
- Deny. Drops the sessions matching the rule.
- Reject. Drops the sessions and sends a RST packet for a TCP session and an ICMP port unreachable packet for a UDP session.

This section has the following topics:
- Configuring access policies
- Configuring access rules

Configuring access policies

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select Next Gen Firewall > Security > Policies. From the Organization list, select an entity.

2. Click to define a policy.
   a. In Name, enter the policy name.
   b. In Description, enter the description for the policy.
   c. In Tags, enter the tags for the policy.
3. Click OK. This creates an access policy.

The next step is to configure rules for the access policy.

Configuring access rules

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select Next Gen Firewall > Security > Policies > Rules. From the Organization list, select an entity.
2. Click to define rules for the policy. This displays the Add Rule screen.

   a. In Name, enter a name for the rule.
   b. In Description, enter a description for the rule.
   c. In Tags, enter the tags for the rule.
3. To select traffic based on specific applications and URL categories, click the Applications/URL tab.
   a. To define applications, click.
   b. Select the application name from the drop-down list. The list shows predefined and user-defined applications and application groups. You can create an application, application group, and an application filter.
      i. To create an application, click +New Application. Refer to Configuring applications.
      ii. To create an application group, click +New Group. Refer to Configuring application groups.
      iii. To create an application filter, click +New Filter. Refer to Configuring application filters.
   c. To define URL categories, click.
   d. Select the URL category from the drop-down list. The list shows predefined and user-defined categories.
      i. To define a new category, click +New URL Category.
4. To associate users/groups with the rule, click the Users/Groups tab.

   a. In Match Users, select one of the following options:
      - Any
      - Known
      - Unknown
      - Selected
   b. In User Group Profile, select a profile for the user group.
   c. Add users/groups, if required. These options are enabled only if Match Users is Selected.
5. To apply conditions on the traffic from the selected associated applications and URLs, click the Enforce tab.
   a. In the Actions section, select Allow, Deny, Reject, or Apply Security Profile.
   b. In the Profiles section, select the profiles, if any, to be applied. This section appears only if you select Actions as Apply Security Profile.
   c. In the Log section, select the type of events to be recorded.
   d. From the Profile list, select the type of logging to be done.
   e. To capture information on data packets, select Packet Capture.
      i. Select one of the following options:
         - All
         - Application List. If you select this option, you must select a pre-defined application.
         - User Defined Application List. If you select this option, you must select a user-defined application.
         - Unknown Application
      ii. In Per session, specify the number of data packets that can be captured per session.
6. Click OK. This configures a security policy and the rules to be applied on the traffic.

The next task is to configure CGNAT pools and address translation rules.

Configuring CGNAT

CGNAT is a NAT employed on a large scale. It translates multiple private IPv4 addresses to a limited number of public IPv4 addresses using Network Address and Port Translation (NAPT) methods. In CGNAT, only port translation of source address is required for packets communicating from the network to outside. Port translation of destination address is not implemented. CGNAT can replace NAT devices in enterprise networks. Using CGNAT, you can deliver seamless IPv4 connectivity even while using limited public addresses. You can define private IPv4 addresses in your network and use Versa CGNAT to manage address translation to the public IPv4 addresses.

To configure CGNAT, define the address pool that must be translated followed by the translation criteria for address translation. This is done by defining a pool and the rules to be applied on the pool. Address translation is of two types: NAT (network address translation) and NAPT (network address port translation).

This section has the following topics:
- Configuring pools
- Configuring rules

Configuring pools

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select CGNAT. From the Organization list, select an entity.
2. Click to add a pool.

   a. In Name, enter a name for the pool.
   b. In Description, enter the description for the CGNAT pool.
   c. In Tags, enter the tags for the CGNAT pool.
   d. In ICMP, specify the ICMP mapping timeout in seconds.
   e. In TCP, specify the TCP mapping timeout in seconds.
   f. In UDP, specify the UDP mapping timeout in seconds.

3. To define the IP addresses for NAT, click the IP Address tab. Add the IP addresses or IP address range.
   a. In the IP Address section, enter the IP addresses to be pooled. Click to add the IP address.
      Or
   b. Click to parameterize this field. In case of parameterization, the field gets its value from bind data.
   c. In the IP Address Range section, enter the IP address range, if required. Enter the upper and lower range of addresses. Click to add it.
   d. In Address Allocation Scheme, select the scheme that allocates one port from each address in a range.
   e. In Routing Instance, select a routing instance.
   f. In Provider Org, select a provider organization. After NATing, traffic is directed to a given routing instance and provider org.

4. Click the Port tab for NAPT.
   a. To enter the destination port, select the Destination port check box and enter the value.
   b. To enter the source port, select the Source Port check box.
   c. In Allocation Scheme, select the allocation scheme.
   d. In Low Port, enter the low port number.
   e. In High Port, enter the high port number.
   f. To allocate IP/port randomly, select the Allocate IP/port randomly check box.
   g. To preserve source port range, select the Preserve source port range check box.
   h. To preserve source port parity, select the Preserve source port parity check box.
   i. To allocate ports in blocks, select the Port block allocation check box.
      i. In Block Timeout, enter the timeout for block.
      ii. In Block Size, enter the size of the block.
      iii. In Max Block per user, enter the maximum block for a user.
5. Click OK. This configures a CGNAT pool.
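How the Port tab settings interact can be seen in a small model of port block allocation, added here as an illustration; it is not Versa code and does not claim to reproduce the FlexVNF allocator. It assumes sequential block assignment, ignores Block Timeout, and uses constructed addresses; its attribute() method shows why a single log record per block is enough to trace a public address and port back to an internal host.

```python
from dataclasses import dataclass, field


@dataclass
class PortBlockPool:
    """NAPT pool with port block allocation (hypothetical model)."""
    public_ips: list              # pool addresses from the IP Address tab
    low_port: int                 # Low Port
    high_port: int                # High Port
    block_size: int               # Block Size
    max_blocks_per_user: int      # Max Block per user
    preserve_parity: bool = False # Preserve source port parity
    log: list = field(default_factory=list)

    def __post_init__(self):
        per_ip = (self.high_port - self.low_port + 1) // self.block_size
        # A block is identified by (public IP, first port of the block).
        self.free = [(ip, self.low_port + i * self.block_size)
                     for ip in self.public_ips for i in range(per_ip)]
        self.user_blocks = {}     # private IP -> blocks it holds
        self.owner = {}           # block -> private IP
        self.used = {}            # block -> public ports currently mapped
        self.mappings = {}        # (private IP, private port) -> (public IP, port)

    def _pick_port(self, block, private_port):
        first = block[1]
        for port in range(first, first + self.block_size):
            if port in self.used[block]:
                continue
            if self.preserve_parity and port % 2 != private_port % 2:
                continue          # keep even/odd parity of the source port
            self.used[block].add(port)
            return port
        return None

    def translate(self, private_ip, private_port):
        """Return (public IP, public port), or None when the user is out of ports."""
        key = (private_ip, private_port)
        if key in self.mappings:  # reuse the existing mapping for this source
            return self.mappings[key]
        blocks = self.user_blocks.setdefault(private_ip, [])
        for block in blocks:
            port = self._pick_port(block, private_port)
            if port is not None:
                break
        else:
            # No usable port in the blocks already held: try to get a new block.
            if len(blocks) >= self.max_blocks_per_user or not self.free:
                return None
            block = self.free.pop(0)
            blocks.append(block)
            self.owner[block] = private_ip
            self.used[block] = set()
            # One record per block, not per session.
            self.log.append(("block-alloc", private_ip, block[0],
                             block[1], block[1] + self.block_size - 1))
            port = self._pick_port(block, private_port)
            if port is None:
                return None
        self.mappings[key] = (block[0], port)
        return self.mappings[key]

    def attribute(self, public_ip, public_port):
        """Map an observed public IP and port back to the internal host."""
        if not self.low_port <= public_port <= self.high_port:
            return None
        offset = (public_port - self.low_port) // self.block_size
        first = self.low_port + offset * self.block_size
        return self.owner.get((public_ip, first))


def demo():
    # Constructed pool: one documentation-range address, two blocks of 64 ports.
    pool = PortBlockPool(["203.0.113.10"], 1024, 1151, 64, 1, preserve_parity=True)
    results = [pool.translate("10.0.0.5", 40001),   # odd source port
               pool.translate("10.0.0.5", 40002),   # even source port
               pool.translate("10.0.0.6", 5000),    # second user, second block
               pool.translate("10.0.0.7", 5000)]    # no block left
    return pool, results


if __name__ == "__main__":
    pool, results = demo()
    print(results)
    print(pool.log)
    print(pool.attribute("203.0.113.10", 1090))
```

A pool sized so that the number of blocks is smaller than the number of active users, as in the constructed case, leaves the last user without translation, which is worth checking when choosing Block Size and Max Block per user.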

The next step is to define the network address match criteria and the actions to be taken when the criteria are met.

Configuring rules

Steps
1. Under the Director Context, go to Config Templates and select a template. In the Services tab, select CGNAT > Rules. From the Organization list, select an entity.
2. Click to configure a rule.
   a. In Name, enter a name.
   b. In Description, enter a description for the CGNAT rule.
   c. In Tags, enter the tags for the CGNAT rule.
   d. In Precedence, assign a priority to the rule. You can configure multiple rules and assign each a priority. The increasing order of priority is 1 > 2 > 3. Rules with a higher priority take precedence over the ones with a lower priority.
3. To configure the criteria to select traffic for translation, click the Match tab.

Define the match criteria based on one or a combination of the following elements:
- Source Zones. Matches packets from these zones only.
- Source Routing Instance. Routing instance of incoming packet.
- Source IP Address/Mask
- Source IP Address Range
- Destination Zones. Matches packets to these zones only.
- Destination Port
- Destination IP Address/Mask
- Destination IP Address Range

Source
   a. In the Source Zones section, click to add the source zones from the list.
   b. In the IP Address/Mask section, click to add the source IP address.
   c. In Routing Instance, select the routing instance.
   d. In the IP Address Range section, enter the IP address range. Enter the lower range and higher range values. Click.
   e. In Protocol, enter the protocol to be used as a match criterion.

Destination
   a. In the Destination Zones section, click to add the destination zones from the list.
   b. In the IP Address/Mask section, click to add the IP address/port.
   c. In Low Port, enter the low port.
   d. In High Port, enter the high port.

   e. In the IP Address Range section, enter the IP address range. Enter the lower range and higher range. Click.
4. Click the Action tab. Define the action to be taken on the traffic that meets the matching criteria.
   a. To disable translation, select the Disable Translation check box.
   b. In NAT Mode, select the mode of NAT. This is predefined.
   c. Associate the Source Pool and/or Destination Pool with the translation mode (NAT mode).
   d. In LEF Profile, select the LEF (Logging and Export Function) profile to be applied for logging.
   e. To enable endpoint independent mapping, select the Endpoint Independent Mapping check box.
   f. To enable endpoint independent filter, select the Endpoint Independent Filter check box.
   g. To enable Address Pooling Paired, select the Address Pooling Paired check box.
5. Click OK. This configures a CGNAT pool and the rules for translation.

The next step is to configure a class of service.

Configuring Class of Service

Versa's Quality of Service (QoS), which is configured under Class of Service in Versa Director, comprises network performance management technologies that ensure its capability to run traffic and high-priority applications in a limited network capacity. It also guarantees a predetermined level of performance with limited network resources. QoS is the ability to provide differentiated priority for different applications and network traffic. These technologies use separate handling and capacity allocation for specific network traffic flows. This enables the network administrator to prioritize the traffic handling and determine the bandwidth for the traffic. QoS can help predict network performance and ensure effective bandwidth utilization.

You can use Versa QoS solutions for prioritizing and adjusting network traffic. You can define the order for packet handling and allocate bandwidth per your requirements. This allows you to ensure quality performance for the selected traffic, applications, and users.

The service quality factors related to QoS implementation are:
- Bandwidth (indicates the maximum rate of transfer)
- Throughput (indicates the actual rate of transfer)
- Latency (indicates delay)
- Jitter (indicates the variance in latency)

Versa QoS can define and control the above service quality factors for real-time and high bandwidth traffic, such as VoIP, video on demand, and voice conferencing, which are prone to jitter and latency.

Using Versa QoS allows you to:
- Prioritize network and application traffic. You can thus limit traffic for non-essential activities or ensure high priority for essential traffic.
- Provide equal sharing of bandwidth for different classes, subnets, users, or classes in a network.
- Allocate bandwidth to internal or external traffic, apply QoS for upload or download traffic (both included) or only to upload traffic or only to download traffic.
- Ensure low latency for network traffic involved in revenue generation within enterprise environments.
- Implement application traffic profiling for ensuring bandwidth usage.

Versa QoS implementation is based on QoS profiles, policies, and the physical interface to provide enhanced QoS solutions. These components of QoS configuration provide you the ability to optimize and prioritize network traffic flow. They also help in ensuring bandwidth per the configured parameters. The QoS configuration parameter options enable you to control the traffic flow at different points in the path. You can individually configure QoS policies or QoS profiles.

Configuring RW (Rewrite) Tools

Versa QoS supports rewrite rules. Rewrite rules set the appropriate class of service bits in the outgoing packet/stream. You can use a classifier to mark packets/streams that arrive on the input interface and then use rewrite rules to mark packets/streams again while leaving the interface. Rewrite rules apply the packet loss priority and forwarding class information to determine the Differentiated Services Code Point (DSCP) on outbound packets/streams. Versa QoS supports rewriting of DSCP and IEEE 802.1p bits based on the forwarding class and packet loss priority. You can specify a separate rewrite table for DSCP and IEEE 802.1p for each tenant (organization). You can configure rewrite rules to specify the new DSCPs on packets/streams received from the host. The new DSCPs contain the values as required by other devices.

The following steps explain the Rewrite Rules configuration workflow.

Steps
1. Under the Director Context, go to Config Templates tab and select a template. In the Networking tab, select Class of Service > RW Rules. Select the organization.
2. Click to add the required RW Rule.

   a. In Rewrite Table Name, enter the rewrite table name.
   b. In Type, select either DSCP or IEEE 802.1p.
   c. In Configuration, select the applicable Forwarding Class check boxes from the following system options:
      - Best-effort
      - Expedited-forwarding
      - Assured-forwarding
      - network-control
      To delete a forwarding class, select its check box and click (-).
   d. To define the Forwarding Class, select to open the Add Configuration screen.
      i. In Forwarding Class, select the forwarding class.
      ii. In Loss Priority, set the priority of dropping a packet during traffic congestion:

         - low. Data packets are less likely to drop vs. high loss priority.
         - high. Data packets are more likely to drop vs. low loss priority.
      iii. In Code Point, select the matching code point from the multiple system-defined options.
   e. Click OK twice to complete adding the configuration and RW rule, respectively. This completes configuring the RW rules for the selected organization.

Configuring App QoS

App QoS under Class of Service lets you define profiles and policies for the network traffic.

Configuring QoS Profiles

Use QoS profiles to configure QoS classes. For an individual interface, you can configure profiles that determine the treatment of QoS traffic classes. You can set bandwidth limits irrespective of class. You can also define limits for separate classes and assign priorities to different classes. The low and high priorities determine the treatment of traffic in the presence of contention. You can enable the profiles on physical interfaces to define traffic according to the QoS configuration while it travels through networks.

The following steps explain the QoS Profiles configuration workflow.

Steps
1. In the Networking tab, go to Class of Service > QoS Profiles.
2. Click to open the Add QoS Profile screen.

   a. In Name, enter the profile name.
   b. In Peak Rate, enter the required peak rate for packets per second (pps), kilobytes per second (kbps), and bursts per second (bps).
   c. In Peak Burst Size, select the packet burst size allowed in Bps.
   d. In Forwarding Class, select the applicable forwarding class, such as Best Effort, Expedited Forwarding, Assured Forwarding, or Network Control.
   e. In Loss Priority, set the priority of dropping a packet during traffic congestion:
      - low. Data packets are less likely to drop vs. high loss priority.
      - high. Data packets are more likely to drop vs. low loss priority.
   f. To enable rewriting DSCP, select the DSCP Rewrite check box. This check box indicates whether the DSCP (Differentiated Services Code Point) value in the header of incoming IP packets can be changed. The value can be changed to predefined values. DSCP can be used to indicate any particular QoS needs from the network. In addition, DSCP defines the way routers should queue packets while they are waiting to be forwarded.
   g. Click OK. This displays the profile in the configuration screen.

Similarly, you can add multiple QoS Profiles as required.

Configuring App QoS Policies

Use App QoS Policies for associating QoS classes with the selected traffic. The policies determine the classification of traffic for treatment when it passes through a QoS enabled interface. For an individual rule, you specify one of the eight classes. You can also assign a schedule to specify the active rule. The traffic that is unclassified is automatically assigned to class 4. You can define a policy to apply policing/traffic-shaping metrics on traffic that matches certain applications, URL categories, and user/user groups.

The following steps explain the App QoS Policies configuration workflow.

Steps
1. In the Networking tab, go to Class of Service > App QoS > Policies.
2. Click to open the Add App QoS Policy screen.
   a. In Name, enter the policy name.
   b. In Description, enter the description for the policy.
   c. In Tags, enter the tags for the policy.
   d. Click OK. This adds the name to the policies configuration screen.

3. Click to open the Add App QoS Rule screen for the newly added Policy name.
   a. In Name, enter the name for the QoS rule.
   b. In Description, enter the description for the rule.
   c. In Tags, enter the tags for the rule.
   d. Click the Source/Destination tab and enter the source and destination zones/addresses. In Source Zone, select the traffic source as trust, untrust, etc. as you define via the + New Zone screen. In Destination Zone, select the traffic destination as host, trust, etc. as you define via the + New Zone screen. Similarly, define the source and destination addresses from a user-defined list. You can define them via the + New Address Group and + New Address screens. You can choose to exclude specific addresses from the source/destination by selecting the respective negate check boxes.
   e. Click the Headers/Schedule tab and specify the rule in relation to the IP and user-defined service list, which you can define via the + New Service screen.
   f. Click the Applications/URL tab to define the applications and URL categories for which this rule is applicable. You can either define them via the various + New options or choose to map them through the bind data.
   g. Click the Enforce tab and select the applicable QoS Profile name, which you defined in App QoS > Profiles per the previous topic.

   h. Click OK. This adds the rule for the App QoS policy.

Similarly, you can define multiple rules for the App QoS Policies. The next step is to configure an associate interface.

Configuring Associate Interface

You can do traffic shaping on an interface. For example, if the default bandwidth available is 10 Mbps and you need to reduce this to 5 Mbps, then it is possible with interface shaping. The interface speed is also important for any rules (such as QoS) that have a percentage of traffic defined in the policies. The interface should be set by default to the maximum upload speed of the WAN interface selected.

The following steps explain the traffic shaping configuration workflow on an interface.

Steps
1. In the Networking tab, go to Class of Service > Associate Interface.

2. Click to open the Associate Interface screen.
   a. In Name, enter the interface name.
   b. In Description, enter the description for the interface.
   c. In Tags, enter the tags for the description.
   d. In Burst Size, enter the burst size of data packets in bytes.
   e. In Rate, enter the maximum rate of data packets in Kbps.
   f. In DSCP Rewrite Rule, enter the DSCP rewrite rule.
   g. In DSCP6 Rewrite Rule, enter the DSCP6 rewrite rule.
   h. In 8021p Rewrite Rule, enter the 8021p rewrite rule.
   i. In Scheduler Map, select the name of the scheduler map.
   j. In Logging Interval, enter the logging interval in seconds. This is the periodic interval after which the log information will be sent to Versa Analytics for further analysis and data visualization.
   k. Click OK. This adds the interface information in the Associate Interface Configurations screen.

Similarly, you can configure traffic shaping for multiple interfaces.

Configuring direct breakout to Internet

Non-business traffic, such as the traffic from gaming, Facebook, and other such applications, can be made to go to the Internet directly and not through the SD-WAN hub. This saves SD-WAN hub bandwidth and prevents it from getting overloaded. Moreover, this helps in prioritizing traffic flow.

Configuring direct breakout to Internet involves the following tasks:
- Configuring Ethernet interfaces to route traffic from the LAN to WAN
- Configuring transport virtual router
- Configuring customer virtual router
- Configuring CGNAT pool and rules to identify traffic

Configuring Ethernet interfaces

Steps
1. Configure Ethernet interfaces to route traffic from the customer LAN to the WAN. Go to Config Templates. Select Interfaces in the Networking tab.
2. Click to configure an interface.

   a. Enter the slot and port number.
   b. In Description, enter the description for the Ethernet interface.
   c. In Tags, enter the tags.
   d. In MTU, enter the MTU.
   e. To enable Virtual Wire, select the Virtual Wire check box.
   f. To enable promiscuous mode, select the Promiscuous check box.
   g. In Uplink, enter the uplink bandwidth in Kbps.
   h. In Downlink, enter the downlink bandwidth in Kbps.
   i. To enable auto configuration, select the Auto Configuration check box.
   j. In Uplink Threshold, enter the uplink threshold in Kbps.
   k. In Downlink Threshold, enter the downlink threshold in Kbps.
   l. In URI, enter the URI.
   m. Select the Sub-Interfaces button. Click to add a sub-interface.

      i. In Unit, enter the unit.
      ii. In Description, enter a description for the sub-interface.
      iii. To give a DHCP IP address and default route, select the DHCP check box.
      iv. Click OK.

This configures an Ethernet interface. Repeat the above steps to configure another WAN interface, if required.

3. Next, configure an interface for the traffic that is routed from the customer's LAN. Repeat the same steps as listed above to open the Ethernet Interfaces Configurations screen.
4. Click to configure a new interface.

   a. Enter the port and slot numbers.
   b. To disable the Ethernet interface, select the Disable check box.
   c. In Description, enter the description for the Ethernet interface.
   d. In Tags, enter the tags.
   e. In MTU, enter the MTU.
   f. To enable Virtual Wire, select the Virtual Wire check box.
   g. To enable promiscuous mode, select the Promiscuous check box.
   h. In Uplink, enter the uplink bandwidth in Kbps.
   i. In Downlink, enter the downlink bandwidth in Kbps.
   j. To enable auto configuration, select the Auto Configuration check box.
   k. In Uplink Threshold, enter the uplink threshold in Kbps.
   l. In Downlink Threshold, enter the downlink threshold in Kbps.
   m. In URI, enter the URI.
   n. To add sub-interfaces with a static address, click the Sub-interfaces button. Click to add a sub-interface.

      i. In Unit, enter the unit.
      ii. In VLAN ID, enter the VLAN ID.
      iii. To disable the sub-interface, select the Disable check box.
      iv. In Description, enter the description for the sub-interface.
      v. In MTU, enter the MTU for the sub-interface.
      vi. Select Static Address and click to add the IP address or click DHCP to allocate the IP address dynamically from the DHCP server.
      vii. In the Static ARP section, select the subnet address, enter the host IP address and MAC address.
      viii. Click to complete adding the row.
      ix. In the VRRP section, enter the VRRP details.

Click OK. This configures an Ethernet interface.

Next, configure the customer virtual router and transport virtual router. Traffic from the customer LAN is sent to the WAN through virtual routers. The customer virtual router connects to a transport virtual router for direct to Internet traffic.

Configuring customer virtual router

Steps

1. Select Virtual Routers in the Networking tab.
2. Click to add a virtual router.

3. In the Virtual Router Details section:
   a. In Instance Name, enter the name of the instance.
   b. In Description, enter the description for the router.
   c. In Instance Type, select Virtual routing forwarding instance.
   d. In Usage Type, select the usage type.
   e. To enable MPLS VPN core, select the MPLS VPN Core check box.
   f. In MPLS local router address, enter the MPLS transport routing instance.
   g. To create dynamic tunnels, select the Create dynamic GRE tunnels check box.
   h. In Global VRF ID, enter the global VRF ID.
   i. In the Interfaces/Networks section, add the interfaces. Click to add an interface from the list of configured interfaces.

4. In the Configure Virtual Router screen, click BGP and.
5. In the General tab, enter the required information.
6. Click the Peer Group tab. Click to configure two peer groups:
   a. One peer is configured for traffic from the customer router.

   b. The other peer is configured for traffic towards the transport virtual router.

   a. In Name, enter the name of the peer group.
   b. In Description, enter the description for the peer group.
   c. In Type, select EBGP.
   d. In Peer AS, enter the peer autonomous system number.
   e. In Local Address, enter the local address.
   f. In Hold Time, enter the hold time to negotiate with a peer.
   g. In TTL, enter the time to live condition. This is the number of hops that a packet can travel before being discarded by a router. It indicates the lifespan of a data packet.
   h. In Password, enter the password to authenticate the BGP instance.
   i. In Local Network Name, select the name of the local network to which the BGP instance belongs. This field lists the names of user-defined networks.
   j. In the General tab, select IPv4 Unicast as the Family.
   k. In the Neighbors tab, click to add the Neighbor IP, Peer AS, and Local Address. Enter the paired TVI to send traffic direct to the Internet.

7. Click OK.

This configures the peer group towards the transport virtual router. Repeat the above steps to configure another peer group for traffic towards the customer's router.

Configuring transport virtual router

Steps

1. Configure a transport virtual router to route traffic towards the Internet. Select Virtual Routers in the Networking tab. Click to add a virtual router.

   a. In Instance Name, enter the instance name.
   b. In Description, enter the description for the instance.
   c. In Instance type, select Virtual routing instance.
   d. In Usage Type, enter the usage type.
   e. To enable MPLS VPN Core, select the MPLS VPN Core check box.
   f. In Global VRF ID, enter the global VRF ID.
   g. Add the interfaces.
2. Click BGP.
   a. Enter the required information in the General tab.
   b. Click the Peer Group tab. Click to configure a peer group.

      i. In Name, enter the name of the peer.
      ii. In Description, enter the description for the peer.
      iii. In Type, select EBGP.
      iv. In Peer AS, enter the peer autonomous system number.
      v. In Local Address, enter the local address.
      vi. In Hold Time, enter the hold time to negotiate with a peer.
      vii. In TTL, enter the time to live condition. This is the number of hops that a packet can travel before being discarded by a router. It indicates the lifespan of a data packet.
      viii. In Password, enter the password to authenticate the BGP instance.
      ix. In Local Network Name, select the name of the local network to which the BGP instance belongs. This field lists the names of user-defined networks.
      x. In Local AS, enter the local AS.
      xi. In the Neighbors tab, click to add the Neighbor IP, Peer AS, and Local Address.
3. Click Redistribution Policies. Click to add a policy.

   a. In Name, enter the policy name.
   b. Click to configure a term.
      i. In Term Name, enter the policy term name. Term entities are executed in the order they are listed in the Term Name table.
      ii. In Family, select the protocol family of the route to be matched:
         - IPV4 Family
         - IPV4-VPN Family
         - IPV6 Family
         - IPV6-VPN Family
         - Versa-Private Family
      iii. In AS Path, enter the AS (Autonomous System) path action.
      iv. In Metric, enter the metric.
      v. In NLRI, select the network layer reachability information of the prefix list to be matched. It displays the user-defined prefix lists.
      vi. In Source Address, select the source address of the prefix list to be matched. It displays the user-defined prefix lists.
      vii. In Next Hop, select the IP address of the prefix list to be used as the next hop. It displays the user-defined prefix lists.

      viii. In Community, enter the parameter that helps to identify and segregate BGP routes, enabling a smooth traffic flow. A BGP community is a group of destinations with a common property. This is a path attribute in BGP update messages. The attribute identifies community members and performs actions at a group level, instead of an individual level.
      ix. In Extended Community, enter the parameter that acts as an identification label for BGP routes. A larger number of destinations can be grouped as an extended community than in a community.
      x. In Origin, select the source of the route:
         - Remote IGP
         - Local EGP
         - Unknown Heritage
      xi. Click the Action tab.
         i. In Accept/Reject, select either Accept or Reject to accept or reject the route.
         ii. In Origin, select the source of the route (Local EGP).
         iii. In Next Hop, enter the IP address of the next hop.
         iv. In Local Preference, enter the BGP attribute used to choose the outbound external BGP path.
         v. In AS Path, enter the regular expression to match the AS-path for a route:
            - No AS path action
            - Prepend the local as path the number of times specified by local as prepend count
            - Remove All AS numbers matched by match as-path
            - Remove All AS numbers matched by match-as path and prepend the local AS the number of times specified by local-as-prepend-count
         vi. In Local AS Prepend Count, enter the number of times a local AS number is prepended to the AS path.
         vii. In AS Path Prepend, enter the specified AS number that must be prepended to an AS path.
         viii. In Damping, enter damping.

         ix. In Community Action, select the regular expression to use when matching the community list for a route:
            - Remove all communities from the route
            - Remove all communities with the value of set community
            - Remove all communities with the value of set extended community
            - Append the value of set community into the communities list
         x. In Community, enter the value that helps identify and segregate BGP routes, enabling a smooth traffic flow. A BGP community is a group of destinations with a common property. This is a path attribute in BGP update messages. The attribute identifies community members and performs actions at a group level, instead of an individual level.
         xi. In Extended Community Action, select the regular expression to use when matching the extended community list for a route:
            - Community field is ignored
            - Remove all communities from the route
            - Remove all communities with the value of set community
            - Remove all communities with the value of set extended community
            - Append the value of set community into the communities list
         xii. In Extended Community, enter the parameter that acts as an identification label for BGP routes. A larger number of destinations can be grouped as an extended community than in a community.
         xiii. In Metric Action, select the action on the metric value:
            - Set Value
            - IGP
            - Add
            - Subtract
         xiv. In Metric, select the metric value.
         xv. Click OK.
4. Repeat the above steps to configure a term with Static and DHCP protocols.

The next task is to configure a CGNAT pool and define rules for the translation of network addresses of the direct to Internet traffic.

Configuring CGNAT pool and rules

Steps

1. Select CGNAT in the Services tab. Click to add a CGNAT pool.
   a. In Name, enter the name for the CGNAT pool.
   b. In Description, enter the description for the CGNAT pool.
   c. In Tags, enter the tags for the CGNAT pool.
   d. In ICMP, specify the ICMP mapping timeout in seconds.
   e. In TCP, specify the TCP mapping timeout in seconds.
   f. In UDP, specify the UDP mapping timeout in seconds.
   g. In Traps, select one or more of the options and specify the threshold: Address Exhausted Pool Threshold Status Ports Exhausted
2. Click the Port tab.

   a. To enter the destination port, select the Destination port check box and enter the value.
   b. To enter the source port, select the Source Port check box.
   c. In Allocation Scheme, select the allocation scheme.
   d. In Low Port, enter the low port number.
   e. In High Port, enter the high port number.
   f. To allocate IP/port randomly, select the Allocate IP/port randomly check box.
   g. To preserve source port range, select the Preserve source port range check box.
   h. To preserve source port parity, select the Preserve source port parity check box.
   i. To enable port block allocation, select the Port block allocation check box.
      i. In Block Timeout, enter the timeout for block.
      ii. In Block Size, enter the size of the block.
      iii. In Max Block per user, enter the maximum block for a user.
   j. Click OK. This configures a pool.
3. Next, define the translation rules. Click the Rules tab. Click to add a rule.

   a. In Name, enter a name.
   b. In Description, enter a description for the CGNAT rule.
   c. In Tags, enter the tags for the CGNAT rule.
   d. In Precedence, assign a priority to the rule. You can configure multiple rules and assign each a priority. The increasing order of priority is 1 > 2 > 3. Rules with a higher priority take precedence over the ones with a lower priority.
4. Click the Match tab.
5. Click the Action tab.

   a. To disable translation, select the Disable Translation check box.
   b. In NAT Mode, select napt-44. This is predefined.
   c. Associate the Source Pool and/or Destination Pool with the translation mode (NAT mode). Select Cust1_NAPT_POOL as the Source Pool. This is a user-defined value.
   d. In LEF Profile, select the LEF (Logging and Export Function) profile to be applied for logging.
   e. To enable endpoint independent mapping, select the Endpoint Independent Mapping check box.
   f. To enable endpoint independent filter, select the Endpoint Independent Filter check box.
   g. To enable Address Pooling Paired, select the Address Pooling Paired check box.
6. Click OK. This configures a CGNAT rule.

This configures a CGNAT pool and rules for direct to Internet traffic. This completes the configuration of direct breakout to Internet.

Updating or Viewing Device Bind Data

Bind data variable values are entered for each branch. This refers to data that is specific to each branch.

Steps

1. Under the Director Context, go to Administration > SDWAN > Device Bind Data.

2. From the Template list, select the post-staging template. From Device Group, select the branch name.
3. Click the to add or edit data.
   a. Select the device serial number and appliance for which you want to define bind data.
   b. Parameters get values from the bind data that is defined here.
   c. Add the bind values.
   d. Click OK.

This binds the parameterized data with the post-staging template. The system validates the bind data variables per the specified variable type. In case they do not match, an error message is generated.
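The Port tab settings of the CGNAT pool configured earlier (Low Port, High Port, Port block allocation, Block Size, Max Block per user) decide how many branch hosts one public address can serve and which records are needed to trace a public IP and port back to an internal host. The following Python model is an added illustration, not Versa code: the class and method names, the first-free allocation order and the sample addresses (documentation ranges) are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


class PoolExhausted(Exception):
    """No free port block is left in the pool."""


class UserLimitReached(Exception):
    """The internal host already holds Max Block per user blocks."""


@dataclass
class PortBlockPool:
    """Hypothetical model of a NAPT-44 pool that hands out whole port blocks."""
    public_ips: list
    low_port: int
    high_port: int
    block_size: int
    max_blocks_per_user: int
    free: list = field(default_factory=list, init=False)
    leases: list = field(default_factory=list, init=False)  # one record per block

    def __post_init__(self):
        if not 0 < self.low_port <= self.high_port <= 65535:
            raise ValueError("need 0 < low_port <= high_port <= 65535")
        span = self.high_port - self.low_port + 1
        if not 0 < self.block_size <= span:
            raise ValueError("block_size must fit inside the port range")
        # Only whole blocks are usable; a trailing partial block is never handed out.
        usable = span - span % self.block_size
        starts = range(self.low_port, self.low_port + usable, self.block_size)
        self.free = [(ip_address(ip), s) for ip in self.public_ips for s in starts]

    def _active(self, private):
        return [l for l in self.leases
                if l["private"] == private and l["released"] is None]

    def allocate(self, private_ip, now):
        """Give the next free block to private_ip and record the lease."""
        private = ip_address(private_ip)
        if len(self._active(private)) >= self.max_blocks_per_user:
            raise UserLimitReached(str(private))
        if not self.free:
            raise PoolExhausted("no free port block")
        public, start = self.free.pop(0)
        lease = {"private": private, "public": public, "start": start,
                 "end": start + self.block_size - 1,
                 "allocated": now, "released": None}
        self.leases.append(lease)
        return lease

    def release(self, lease, now):
        """Return a block to the pool, keeping the lease record for later lookups."""
        if lease["released"] is not None:
            raise ValueError("block already released")
        lease["released"] = now
        self.free.append((lease["public"], lease["start"]))

    def attribute(self, public_ip, port, when):
        """Return the internal host that held public_ip:port at time `when`, or None."""
        public = ip_address(public_ip)
        for l in self.leases:
            if (l["public"] == public and l["start"] <= port <= l["end"]
                    and l["allocated"] <= when
                    and (l["released"] is None or when < l["released"])):
                return str(l["private"])
        return None


if __name__ == "__main__":
    # Constructed sample: one public address, ports 1024-1999, blocks of 256.
    pool = PortBlockPool(["203.0.113.10"], 1024, 1999, 256, 2)
    pool.allocate("10.0.0.5", now=100)
    print(pool.attribute("203.0.113.10", 1100, when=150))
```

Because a lease record covers a whole block, attribution needs one allocation and one release record per block rather than one record per session, and the timestamps matter: the same public port maps to different internal hosts before and after a block is reused.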

This completes the system configuration for the branch.

Final branch configuration view on Versa Director

View the appliances configured for a branch or branches.

Steps

1. Under the Director Context, go to Appliances to display its configuration screen in the tabular view.

2. Click the Card icon to display the appliances in the card view.

Appendix 1: Configuring hardware devices in inventory

The first step is to add hardware devices to be used by the branches.

Steps

1. Under the Director Context, go to Administration. Select Inventory > Hardware. Select an organization name from the Organization list.
2. Click (on the top right corner) to add a device.
   a. Under Basic, perform the following steps:
      i. In Device Name, enter a name for the device.
      ii. In Serial Number, enter a serial number for the device.
      iii. In Model Number, enter the model number of the device.

      iv. In Tags, enter the tags for the device.
      v. In Description, enter the description for the device.
      vi. In Site Name, enter the site name for the device.
      vii. In Site ID, enter the site ID for the device.
      viii. From the Status list, select the status mode of the device. A device can have one of the following status modes:
         1. Shipped. When a device is manufactured and ready for use, the state of the device is Shipped.
         2. Claimed. When a branch administrator makes an attempt to claim a device, an IPsec tunnel is set up between the branch and controller. The controller communicates the status of the branch to Versa Director, after which Versa Director initiates a two-factor authentication process.
         3. Unclaimed. If a device cannot be claimed, its status is set to Unclaimed.
      ix. In Organization, select a specific organization.
   b. Under Location Information, enter the location, latitude, and longitude.
   c. Under URL Based ZTP, perform the following steps:
      i. Select the URL Based ZTP check box.
      ii. In Auth Id, enter the authorization Id.
      iii. In Auth Key, enter the authorization key.
      iv. Specify the DNS server and MTU.
      v. Select either IPv4 or IPv6 and specify the corresponding address and gateway.
      vi. Select DHCP to enable Dynamic Host Configuration Protocol.
3. Click OK. This configures a device for a branch.

To delete an existing hardware device, select the check box corresponding to the hardware device and click on the top right corner. To filter the config screen table information, click on the top right corner. The next task is to configure branch device groups.

Configuring branch device groups

Now, create one or more branch device groups, in which the devices to be used are grouped together. This is useful to associate a service template with an entire group of devices in a single step.

Steps

1. Under the Director Context, go to Administration. Go to SDWAN > Device Groups and select an organization.
2. Click to add a device group.
   a. In Name, enter a name for the group.
   b. In Description, enter information about the device group.
   c. In Tags, enter search tags for the device group.
   d. From the Organizations list, select the organization name.
   e. To enable two factor authentication, select the Enable Two Factor Auth check box.
   f. In Staging Template, select a staging template.
   g. In Post Staging Template, select a post staging template.
   h. In General, select a general device.
   i. In , enter an ID for the device group.
   j. Specify a phone number.
   k. In the Devices tab, add the serial numbers of the devices to be grouped. To add a serial number, click .
      i. Select a location and a site to select a set of devices to be added.
      ii. Click OK. This configures a device group.

Appendix 2: Managing staging and post-staging templates

To perform various operations on staging/post-staging templates, in the Director Context, navigate to Administration > SDWAN > Templates. Here, you can view, delete, clone, import, and export both staging and post-staging templates. However, you cannot create templates here; to create them, use the Workflows tab. Refer to the Adding Staging Templates and Adding Post-Staging Templates topics.

You can perform the following operations on templates:
- Cloning templates
- Exporting templates
- Importing templates
- Locking and unlocking templates

Cloning templates

Cloning templates enables you to reuse existing templates and associate them with other parent and child organizations.

Steps

1. Under the Director Context, go to Administration and select SDWAN > Templates. Select the check box of the template to be cloned.
2. Click the Clone icon.
3. In New Template Name, enter the cloned template name.
4. From the New Organizations list, select the organization(s) to be associated with the template.
5. Click OK.

This clones the template and associates it with the selected organization(s).

Exporting templates

Export an existing template to your local machine so that you can import it later and reuse it.

Steps

1. Under the Director Context, go to Administration and select SDWAN > Templates. Select the check box of the template to be exported.
2. Click the Export icon.

The template is exported as a .cfg file on your local server. Exported files can be imported and associated with organizations.

Importing templates

Templates can be imported to existing templates to copy the configuration of the imported template. The imported template and the template to which it is imported must have the same name.

Steps

1. Under the Director Context, go to Administration and select SDWAN > Templates. Select the check box of the template to which you want to import an existing template.
2. Rename the template to be imported. It should have the same name as the template to which it is imported.
3. Click the Import icon.
4. Click Browse to select the template file to be imported. The template must have the same name as the template to which it is imported.
5. Click OK.

This copies the configuration of the imported template and associates it with the same organizations.

Locking and unlocking templates

Users can be blocked from making configuration changes to templates by locking them. However, a locked template can be unlocked.

Steps

1. Under the Director Context, go to Administration and select SDWAN > Templates. Select the check box of the template to be locked.
2. Click the Lock icon.
3. Select Lock for all users or Lock for other users. In Lock for other users, the template is locked for all users, except the user who is logged into the system.
4. Click OK. The template is locked.

To unlock a template, click the Unlock icon. The lock and unlock feature is also available for service templates, whose configuration is explained in the next topic.


Chapter 5. Versa Analytics Overview

Overview

Versa Analytics is a data analysis, reporting, and monitoring tool. It is integrated with Versa Director and provides data visualization of the various reports, which can be used to monitor and troubleshoot the various nodes, features, and services in the network.

SD-WAN analytics UI components

Logs are generated by branches and controllers, and sent to Versa Analytics. The logs capture different types of data such as branch availability, usage, and SLA metrics. The logs are used to display data graphically. The SD-WAN dashboard displays top level data for sites and a site map. Data can be drilled down to display specific site data for a given period.

This chapter covers the following topics:
- Dashboard
- SDWAN sites
- SDWAN site map
- SDWAN path

Dashboard

Steps

1. In the Director Context, go to Analytics and select Dashboards > SD-WAN.

2. Select the tenant, appliance, and period from the drop-down lists for which you want to view data.

The dashboard displays the top sites and top access circuits graphs. Below it is the site map.

SD-WAN sites

Steps

1. In the Director Context, go to Analytics > Dashboards > SD-WAN > Sites.
2. Select the tenant, appliance, site, and period from the drop-down lists. The top site usage over time is displayed. You can drill down to a single site and view specific data.

The site data is shown graphically in different tabs:
- Usage
- Availability
- Connections
- Heatmap

Usage

Availability

Connections

HeatMap

SD-WAN site map

You can get a consolidated view of a site for a given period. System identification parameters (longitude, latitude) must be set for branches to reliably display on the Versa Analytics map.

Steps

1. In the Director Context, go to Analytics > Dashboards > SD-WAN > Site Map. The site map displays.

SD-WAN paths

The SLA monitoring and logging intervals are defined for a site when configuring a site. To configure a site, go to the Director Context and select SDWAN > Sites in the Configurations menu. The WAN Interfaces screen has the SLA Monitoring section where the SLA parameters are defined.

Steps

1. In the Director Context, go to Analytics > Dashboards > SD-WAN > Paths.

2. Select the tenant, appliance, period, from site, and to site from the drop-down lists.

Graphical data is shown in the following tabs:
- Usage. Usage of the selected path.
- SLA Metrics. SLA metrics of the selected path.
- Rules. Rules of the selected path.

Usage

SLA Metrics

Rules

Logs

Steps

1. In the Director Context, go to Analytics and select Logs > SDWAN.
2. Select the tenant, appliance, site, and period from the drop-down lists for which you want to view data.

The dashboard displays the top sites and top access circuits graphs. Below it is the site map.

Reporting

Build

Builder

Manage

Completed Reports

Scheduled Reports

Saved Reports


More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN Data Sheet SteelConnect The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Delivery of applications is becoming

More information

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN Data Sheet SteelConnect The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Delivery of applications is becoming more

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Flexible Netflow Configuration Guide, Cisco IOS Release 15S

Flexible Netflow Configuration Guide, Cisco IOS Release 15S Flexible Netflow Configuration Guide, Cisco IOS Release 15S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Virtual Security Gateway Overview

Virtual Security Gateway Overview This chapter contains the following sections: Information About the Cisco Virtual Security Gateway, page 1 Cisco Virtual Security Gateway Configuration for the Network, page 10 Feature History for Overview,

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center Service Health Manager Administrator Guide Abstract This guide provides introductory, configuration, and usage information for Service Health Manager (SHM). It is for

More information

vcloud Air Advanced Networking Services Guide

vcloud Air Advanced Networking Services Guide vcloud Air Advanced Networking Services Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid Deploying Devices Cisco Prime Infrastructure 3.1 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION,

More information

Dynamic WAN Selection

Dynamic WAN Selection KNOW YOUR NETWORK DATA SHEET Dynamic WAN Selection Overview Ipanema s Dynamic WAN Selection (DWS) is a core component of Ipanema SD-WAN and provides user-centric, dynamic path selection. It automatically

More information

Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers

Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers VMware vcloud Network VMware vcloud Architecture Toolkit for Service Providers Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers Version 2.8 August 2017 Harold Simon 2017 VMware,

More information

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Configuration Guide Part number:5998-2649 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,

More information

Deployments and Network Topologies

Deployments and Network Topologies TECHNICAL GUIDE Deployments and Network Topologies A technical guide to deploying Family Zone School in different network topologies. Contents Introduction...........................................3 Transparent

More information

MPLS VPN Inter-AS Option AB

MPLS VPN Inter-AS Option AB First Published: December 17, 2007 Last Updated: September 21, 2011 The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol

More information

BIG-IP Network Firewall: Policies and Implementations. Version 13.0

BIG-IP Network Firewall: Policies and Implementations. Version 13.0 BIG-IP Network Firewall: Policies and Implementations Version 13.0 Table of Contents Table of Contents About the Network Firewall...9 What is the BIG-IP Network Firewall?...9 About firewall modes... 9

More information

Aruba SD-WAN. John Schaap 25 October #ArubaAirheads

Aruba SD-WAN. John Schaap 25 October #ArubaAirheads Aruba SD-WAN John Schaap john.schaap@hpe.com 25 October 2018 Aruba Distributed Architectures SD-WAN MicroBranch (IAP-VPN) On the road (VIA) Enterprise DC 2 SD-WAN solution Overview 3 Overview Architecture

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module High Availability Configuration Guide Part number: 5998-2687 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company,

More information

Cisco Performance Routing

Cisco Performance Routing Cisco Performance Routing As enterprise organizations grow their businesses, the demand for real-time application performance and a better application experience for users increases. For example, voice

More information

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN S O L U T I O N O V E R V I E W SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN Today s branch office users are consuming more wide area network (WAN) bandwidth

More information

Data Center Configuration. 1. Configuring VXLAN

Data Center Configuration. 1. Configuring VXLAN Data Center Configuration 1. 1 1.1 Overview Virtual Extensible Local Area Network (VXLAN) is a virtual Ethernet based on the physical IP (overlay) network. It is a technology that encapsulates layer 2

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

vrealize Operations Management Pack for NSX for vsphere 3.0

vrealize Operations Management Pack for NSX for vsphere 3.0 vrealize Operations Management Pack for NSX for vsphere 3.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Oracle Cloud. Using Oracle Network Cloud Service - FastConnect Standard Edition E

Oracle Cloud. Using Oracle Network Cloud Service - FastConnect Standard Edition E Oracle Cloud Using Oracle Network Cloud Service - FastConnect Standard Edition E74464-05 April 2017 Oracle Cloud Using Oracle Network Cloud Service - FastConnect Standard Edition, E74464-05 Copyright 2016,

More information

SOLUTION BRIEF NETWORK OPERATIONS AND ANALYTICS. How Can I Predict Network Behavior to Provide for an Exceptional Customer Experience?

SOLUTION BRIEF NETWORK OPERATIONS AND ANALYTICS. How Can I Predict Network Behavior to Provide for an Exceptional Customer Experience? SOLUTION BRIEF NETWORK OPERATIONS AND ANALYTICS How Can I Predict Network Behavior to Provide for an Exceptional Customer Experience? SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR z/os DRAFT When used

More information

Exam Name: VMware Certified Associate Network Virtualization

Exam Name: VMware Certified Associate Network Virtualization Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range

More information

Assurance Features and Navigation

Assurance Features and Navigation Assurance Features and Navigation Cisco DNA Center 1.1.2 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,

More information

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites

More information

Cisco UCS Director F5 BIG-IP Management Guide, Release 5.0

Cisco UCS Director F5 BIG-IP Management Guide, Release 5.0 First Published: July 31, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text

More information

Optimized Edge Routing Configuration Guide, Cisco IOS Release 15.1MT

Optimized Edge Routing Configuration Guide, Cisco IOS Release 15.1MT Optimized Edge Routing Configuration Guide, Cisco IOS Release 15.1MT Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Cisco SD-WAN and DNA-C

Cisco SD-WAN and DNA-C Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent

More information

BIG-IP Acceleration: Network Configuration. Version

BIG-IP Acceleration: Network Configuration. Version BIG-IP Acceleration: Network Configuration Version 12.1.0 Table of Contents Table of Contents Configuring Global Network Acceleration...9 Overview: Configuring Global Network Acceleration...9 Deployment

More information

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview This module describes IP Service Level Agreements (SLAs). IP SLAs allows Cisco customers to analyze IP service levels for IP applications and services, to increase productivity, to lower operational costs,

More information

Implementing Cisco IP Routing

Implementing Cisco IP Routing ROUTE Implementing Cisco IP Routing Volume 3 Version 1.0 Student Guide Text Part Number: 97-2816-02 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES

More information

Provisioning an Ethernet Private Line (EPL) Virtual Connection

Provisioning an Ethernet Private Line (EPL) Virtual Connection Provisioning an Ethernet Private Line (EPL) Virtual Connection Cisco EPN Manager 2.0 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

NetFlow Configuration Guide

NetFlow Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

MPLS Layer 3 VPNs Configuration Guide, Cisco IOS Release 12.4T

MPLS Layer 3 VPNs Configuration Guide, Cisco IOS Release 12.4T MPLS Layer 3 VPNs Configuration Guide, Cisco IOS Release 12.4T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

Cisco Group Encrypted Transport VPN

Cisco Group Encrypted Transport VPN Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that

More information

GLOSSARY. See ACL. access control list.

GLOSSARY. See ACL. access control list. GLOSSARY A access control list ACL API Application Programming Interface area AS ASN ATM autonomous system autonomous system number See ACL. access control list. application programming interface. APIs

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

More information

BIG-IP TMOS : Implementations. Version

BIG-IP TMOS : Implementations. Version BIG-IP TMOS : Implementations Version 11.5.1 Table of Contents Table of Contents Customizing the BIG-IP Dashboard...13 Overview: BIG-IP dashboard customization...13 Customizing the BIG-IP dashboard...13

More information

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN Solution Brief SteelConnect The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Like most businesses today, the retail

More information

Network Service Description

Network Service Description Network Service Description Applies to: Office 365 Dedicated Topic Last Modified: 2015-09-03 Contents... 1 Network Architecture... 2 Customer Connectivity to Services... 5 Customer-Owned Private Network

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Virtual Tunnel Interface

Virtual Tunnel Interface This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative

More information

Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0

Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0 Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0 First Published: 2017-05-30 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x

Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x First Published: 2012-12-01 Last Modified: 2013-05-01 Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Remote Access MPLS-VPNs

Remote Access MPLS-VPNs First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates

More information

Versa Software-Defined Solutions for Service Providers

Versa Software-Defined Solutions for Service Providers PRODUCT BRIEF Software-Defined Solutions for Service Providers Transformative solutions to increase growth and value The Service Provider industry has seen an incredible amount of disruption due to NFV

More information

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture Date: 2017-03-29 Version: 1.0 Copyright IBM Corporation 2017 Page 1 of 16 Table of Contents 1 Introduction... 4 1.1 About

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

HP FlexFabric 7900 Switch Series

HP FlexFabric 7900 Switch Series HP FlexFabric 7900 Switch Series MCE Configuration Guide Part number: 5998-6188 Software version: Release 2117 and Release 2118 Document version: 6W100-20140805 Legal and notice information Copyright 2014

More information

Configuring Cisco IOS IP SLAs Operations

Configuring Cisco IOS IP SLAs Operations CHAPTER 39 This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service

More information

Monitoring and Analysis

Monitoring and Analysis CHAPTER 3 Cisco Prime Network Analysis Module 5.1 has two types of dashboards: One type is the summary views found under the Monitor menu, and the other type is the over time views found under the Analyze

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring a Two-Tiered Virtualized Data Center for Large Enterprise Networks Release NCE 33 Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California

More information

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

F5 DDoS Hybrid Defender : Setup. Version

F5 DDoS Hybrid Defender : Setup. Version F5 DDoS Hybrid Defender : Setup Version 13.1.0.3 Table of Contents Table of Contents Introducing DDoS Hybrid Defender... 5 Introduction to DDoS Hybrid Defender...5 DDoS deployments... 5 Example DDoS Hybrid

More information

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012 MPLS VPN over mgre Last Updated: November 1, 2012 The MPLS VPN over mgre feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series EVPN Configuration Guide Part number: 5200-2002b Software version: Release 25xx Document version: 6W102-20170830 Copyright 2017 Hewlett Packard Enterprise Development

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Serviceability of SD-WAN

Serviceability of SD-WAN BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live

More information

Provisioning Overlay Networks

Provisioning Overlay Networks This chapter has the following sections: Using Cisco Virtual Topology System, page 1 Creating Overlays, page 2 Creating Network using VMware, page 4 Creating Subnetwork using VMware, page 4 Creating Routers

More information