Versa SD-WAN Training

Lab Guide
Software version 16.1R2
Oct 2018
Version 1.0
About this Lab Guide
This lab guide presents instructions and associated information related to the lab
activities for this course.

Lab activities included in this guide

o Lab1 – Gaining access to SD-WAN Lab
o Lab2 – Workflows and Template
o Lab3 - Branch preparation and script-based provisioning
o Lab4 - Operations and Maintenance
o Lab5 – Hub and Spoke Topology deployment
o Lab6 – SD-WAN traffic steering and QoS configuration
o Lab7 – Enabling and configuring Next Generation Firewall
o Lab8 – Branch High availability configuration

Versa SD-WAN Training LG v1.0

Prerequisites for lab access
The following list outlines the general prerequisites for lab access
• Participants should have computer system with Internet access
• Computer systems should have SSH software applications such as Putty, SecureCRT,
MAC terminal or equivalent
• Google chrome or Mozilla web browser for IP and/or FQDN based web access

Lab Topology
Trainer would be sharing Lab topology according to the lab used.

Lab Access details

Your instructor will provide IP and credential for Versa Director web access and SSH jump
node along with respective ports and credentials. Note the details in the table below.
Versa Director web access IP: Username: Password:
https://____. ____.____.____. ________________ _________________

SSH Jump server Username: Password:

IP: ____. ____.____.____. ________________ _________________
Port: ________________

Note: Your group may have a different access IP from other participating groups.

Lab CPEs IP addressing schema

Instructor would share you the IP addressing schema.

Versa SD-WAN Training LG v1.0

Lab1: Gaining access to SD-WAN Lab
The objective of this lab is to enable participants to access the SD-WAN lab environment and
impart understanding basics of versa cli operations.
Task1: Gain access to Versa Director

Step1: Open Google Chrome browser and access Versa Director using the given IP address.
You should be seeing Versa Director default login screen as shown below.

Figure:1.1.1

Step2: Using provided user credentials you should be able to login into Versa Director.

Figure:1.1.2

Versa SD-WAN Training LG v1.0

Task2: Test SSH access to jump node and Lab CPEs
Step1: Open ssh client [ Such as SecureCRT, Putty or Terminal application on MAC] on your
computer system.
Step2: ssh to jump server [details provided by instructor]
Last login: Mon Oct 15 00:32:27 on ttys000
Salus-MacBook-Pro:~ salu$ ssh [email protected] -p 5000
The authenticity of host '[103.231.208.52]:5000 ([103.231.208.52]:5000)' can't be established.
ECDSA key fingerprint is SHA256:CWl7EaTkc/T/mdBdsHq8ZZJAnnEl3+12Ro0GCl69pnU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[103.231.208.52]:5000' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Wed Oct 17 13:04:08 2018 from 202.124.157.250
[labuser@lab-jumpbox: ~] #

Step2: Ping various CPEs OOB IPs from jump server to ensure out of band management
connectivity. Refer Lab topology for OOB IP addressing for your lab devices
[labuser@lab-jumpbox: ~] # ping 172.16.113.31
PING 172.16.113.31 (172.16.113.31) 56(84) bytes of data.
64 bytes from 172.16.113.31: icmp_seq=1 ttl=64 time=0.414 ms
64 bytes from 172.16.113.31: icmp_seq=2 ttl=64 time=0.250 ms
64 bytes from 172.16.113.31: icmp_seq=3 ttl=64 time=0.265 ms
64 bytes from 172.16.113.31: icmp_seq=4 ttl=64 time=0.292 ms
64 bytes from 172.16.113.31: icmp_seq=5 ttl=64 time=0.270 ms
64 bytes from 172.16.113.31: icmp_seq=6 ttl=64 time=0.358 ms
^C
--- 172.16.113.31 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 4998ms
rtt min/avg/max/mdev = 0.250/0.308/0.414/0.059 ms
[labuser@lab-jumpbox: ~] #

Step3: SSH to your first branch from Jump node

[labuser@lab-jumpbox: ~] # ssh [email protected]
[email protected]'s password:
.---.,
( ``.
_ \ ) __ ________ _____ _____
( `. \ / \ \ / / ____| __ \ / ____| /\
\ `. ) / \ \ / /| |__ | |__) | (___ / \
\ | / \ \/ / | __| | _ / \___ \ / /\ \
\ | / \ / | |____| | \ \ ____) / ____ \
\ | / \/ |______|_| \_\_____/_/ \_\
\ | /
\_|/ ___ _ _____ ___ ___ _ ___
| __| | | __\ \/ | \ / / \| | __|
| _|| |__| _| > < \ V /| .` | _|
|_| |____|___/_/\_\ \_/ |_|\_|_|

Versa FlexVNF software

Release : 16.1R2 (S6)
Release date: 20181012
Package ID : 1369358

Last login: Fri Dec 7 01:14:33 2018 from 192.168.99.1

[admin@Branch-31: ~] #

Versa SD-WAN Training LG v1.0

Step4 : gain access to Versa cli by issuing command cli at Linux shell
[admin@Branch-31: ~] # cli

.---.,
( ``.
_ \ ) __ ________ _____ _____
( `. \ / \ \ / / ____| __ \ / ____| /\
\ `. ) / \ \ / /| |__ | |__) | (___ / \
\ | / \ \/ / | __| | _ / \___ \ / /\ \
\ | / \ / | |____| | \ \ ____) / ____ \
\ | / \/ |______|_| \_\_____/_/ \_\
\ | /
\_|/ _ _ ___ _______ _____ ___ _ _____
| \| | __|_ _\ \ / / _ \| _ \ |/ / __|
| .` | _| | | \ \/\/ / (_) | / ' <\__ \
|_|\_|___| |_| \_/\_/ \___/|_|_\_|\_\___/

admin connected from 192.168.99.1 using ssh on Branch190

admin@Branch-31-cli>

Step5: Issue cli command show interface brief to see interface related configuration information

admin@Branc-h31-cli> show interfaces brief

NAME MAC OPER ADMIN TENANT VRF IP
---------------------------------------------------------------------------
eth-0/0 52:54:00:c0:02:37 up up 0 global 172.16.113.31/24
vni-0/0 52:54:00:0c:4e:2a down down - -
vni-0/1 52:54:00:ad:92:84 down down - -
vni-0/2 52:54:00:5e:2a:fd down down - -

[ok][2018-10-17 20:53:34]
admin@Branch-31-cli>

Note: No interfaces are configured except eth0/0 [ OOB management interface]. Show
configuration command can be used to see complete configuration of the FlexVNF device.

Step6: Use cli to set the system identification name of the branch to your branch name
[Branchxxx]
admin@Branch-31-cli> configure
Entering configuration mode private
[ok][2018-10-17 21:16:53]

[edit]
admin@Branch-151-cli(config)% set system identification name Branch31
[ok][2018-10-17 21:17:02]

[edit]
admin@Branch-151-cli(config)% commit
Commit complete.
[ok][2018-10-17 21:17:05]

[edit]
admin@Branch31-cli(config)%

Versa SD-WAN Training LG v1.0

Step7: repeat the above process to change the name to your first name
admin@Branch31-cli(config)% set system identification name labUser1
[ok][2018-10-17 21:18:46]

[edit]
admin@Branch31-cli(config)% commit
Commit complete.
[ok][2018-10-17 21:18:49]

[edit]
admin@labUser1-cli(config)%

Step8: Revert the change using rollback command

admin@User-cli> configure
Entering configuration mode private
[ok][2018-10-17 21:19:38]

[edit]
admin@labUser1-cli(config)% rollback 0
[ok][2018-10-17 21:19:41]

[edit]
admin@User-cli(config)% commit
Commit complete.
[ok][2018-10-17 21:19:43]

[edit]
admin@Branch31-cli(config)%

Note: explore show commit list and show commit changes ? command to see various options

Versa SD-WAN Training LG v1.0

Lab2: Work Flows and Templates
Objectives of this lab exercise are to create
1) CPE template for Tenant1 organization and
2) soft onboard the branch by providing device specific parameters.
Task1: Create a Tenant Organization using workflow
Tenant or customer organization [ Tenant1] is kept pre-created. This task shows how to create
a Tenant in Versa Director GUI.
The objective of this task to create an organization in Versa Director using workflow. Do note
that Parent organization is already existing, and Versa Controllers are kept onboarded. You
may familiarize on the process of a Tenant or Customer creation in VD GUI.
Note the name of parent organization: ____________________________________________
Step1: access Versa Director GUI and navigate to workflow and then select organization on
the left pane.

1
2

Figure 2.1.1
Step2: Creating an organisation [tenant]
• Click on add (+) button to add new organization
• Name the tenant organization as Tenant1
• Global Organization id would be system generated
• Select parent organization as Provider
• Move all the available controllers from available pane to selected pane by clicking on
it under Controllers tab. (Refer Figure 2.1.2)

Versa SD-WAN Training LG v1.0

 3
1
2

4 5

Figure:2.1.2
• Navigate to Analytics Cluster tab and click add (+) button to add analytics. Click on drop
down button to select an Analytics from list. (Refer Figure 2.1.3)
• Hit deploy

Figure:2.1.3

Versa SD-WAN Training LG v1.0

Step3: Observe organization deployment progress
• Click Task icon in the upper right corner of Director GUI
• Use manual or auto refresh to update the task progress
• Wait for task to get completed and exit the task screen

Refresh options

Figure: 2.1.4

Step4: Refresh the Director screen to see organization as deployed state

Refresh page

Figure: 2.1.5

Versa SD-WAN Training LG v1.0

Task2: Create device template in workflow
The objective of this task is to create post staging template using the below mentioned steps.
Each participants group should create one post-staging template for each branch.
Make a note of various post-staging template values given below:
Type Org Controllers Solution Service Analytics cluster
Tier Bandwidth
Post- Tenant1 Use Controllers from your lab Advanced 100 Mbps One assigned to your
staging group. E.g. for group 1 use SDWAN group
Controller301 & Controller302 And UTM

Post-Staging Template Values: Interfaces Tab

Use appropriate interfaces for your branch. Either MPLS or Internet or some branches have
both MPLS and internet. Refer to lab diagram for Interface names and connectivity
Interface VLAN ID Network Name Organization
Vni-0/.. <Refer Topology> MPLS
Vni-0/.. <Refer Topology> Internet
Vni-0/.. <Refer Topology> LAN Tenant1

Steps involved to complete the Post staging Template has explained below.
Step1: Select Workflows and then select Templates under the option Template. Click on add
(+) button to create new template. Refer figure: 2.2.1
Now a new window will populate with the heading of create template.

Figure: 2.2.1
Step2: Mandatory fields to be configured under Basic tab has explained in step by step below.
Refer Figure 2.2.2.
a. Configure a Name for the template.
• Use template name format as: T-BranchXXX
• [ XXX being branch number as per your lab topology].
• E.g. template name for Brach 31 would be T-Branch31.
b. Select the Type as SDWAN Post-Staging.

Versa SD-WAN Training LG v1.0

 c. Select Tenant1 as Organization from dropdown list.
d. Click add (+) button in controller section to add correct controller using dropdown
menu; Select the controller as defined in sheet.
e. Select solution tier from drop down list under subscription; (Eg: Advanced SDWAN and
UTM)
f. Select bandwidth as per Branch requirement
g. Select an analytic using dropdown under analytics cluster.
h. Now click on continue button to proceed to interface tab.

Click to add Controllers

Click Continue to move to next

tab

Figure:2.2.2
Step3: Mandatory fields to be configured under Interface tab has explained in step by step
below. Refer Figure 2.2.3.
1. Under the Device Port Configuration option, define the interface role by clicking on
each interface number and selecting WAN/LAN.
When you select an interface as WAN, automatically a row will be created under WAN
Interfaces option.
Similarly, when you select an Interface as LAN, automatically a new row will be created
under LAN Interfaces option.
If your branch connected to 2 WAN in Lab topology, choose 2 No. of WAN ports & 1
No. of LAN port.
Note the interface naming. Interface 0 is always management and not configurable. For this
lab choose IPv4 Static addressing.
2. Once ports role is defined, you must complete the port specific information under
WAN Interfaces / LAN Interfaces option.
3. Under WAN Interfaces option, below details are mandatory per interface.

Versa SD-WAN Training LG v1.0

 • VLAN – If you know the VLAN id enter the value or else select the gear icon to fill it
in later stage.
• Network Name – As per your lab topology, Choose the WAN Network name as
MPLS/Internet from drop down menu. (MPLS/Internet name is predefined)
• IPv4 address Type – First Deselect the DHCP then select Static.
4. Under LAN Interfaces option, below details are mandatory per interface.
• Network Name – Enter a name for identify LAN Interface (Mention as LAN)
• Organizations – Choose the organization from drop down menu.
• Routing Instances – Choose the Routing Instances from drop down menu.
• IPv4 address Type – By default, Static is enabled. Leave as it is.
5. Click on Continue button to navigate to next tab

2
4
5
Assign a name for the LAN interface Choose correct organization mapping

Figure:2.2.3
Step4: No changes required on Routing tab hence click on Continue button to navigate to Split
Tunnels tab.
Step5: Mandatory fields to be configured under Split Tunnels Tab to enable Direct Internet
Access (DIA) for Local Internet breakout through internet link has explained in step by step
below. Refer Figure 2.2.4.
• VRF Names – Choose the LAN VRF Name from drop down menu
• WAN Interfaces – Choose the Internet interface from drop down menu
• DIA – Click on checkbox to enable DIA
• Now click on + button to add this entry
• Now click on continue to navigate to Inbound NAT Tab

1 2 3 4

Select the LAN VRF Select WAN Select DIA check

in which Internet interface through and click + to add
to be enabled which Internet to
be enabled be

Figure:2.2.4

Versa SD-WAN Training LG v1.0

Step6: No changes required on Inbound NAT tab hence click on Continue button to navigate
to Split Tunnels tab.
Step7: In Services tab, only NGFW feature must be selected and click on Continue button to
navigate to Management Servers tab. Refer Figure 2.2.5

Click Continue to move to next

tab

Figure:2.2.5
Step8: As of now, no configuration required in Management Servers, Hence Hit on Create
button to complete the template creation.
Step9: Once the template is created, verify if the status of the template is in deployed state.
Refer Figure 2.2.6

Your template name

Figure:2.2.6

Versa SD-WAN Training LG v1.0

Task3: Deploying device
Template configured in the previous task does not contain any device specific configuration
rather its generic hence can be considered as a blank configuration. The step after configuring
template is to deploy a device with device specific parameter.
Step1: Select Workflows and then select Devices under the option Devices. Select add button
(+) to create new Device. Now a new window will Pop-up with the heading of Add Device

Click Continue to move to next

tab

Figure:2.3.1
Step2: Mandatory fields to be configured under Basic tab has explained in step by step below.
Refer Figure 2.3.1
a. Name - Configure a unique name per device as defined in Lab Topology (E.g. Brach31,
Branch32 etc...)
b. Global Device ID - System will take it automatically, however this can be adjusted
manually between 101-16383. As of now, leave it to system assigned.
c. Organization - Select the organization of the Device belong to…in this case it would be
Tenant1
d. Deployment Type – By default, CPE-Baremetal Device. It must be changed to CPE-Public
Cloud in case of CPE deployment on Cloud. As of now, no change requires, keep it to
default.
e. Serial Number – Serial number of the CPE must be entered here. Since it is Lab, you
should use SRbbb where bbb is your branch number (e.g. SR31 for Branch31).

a b c
d e
f

Figure: 2.3.2
f. Device Group – Every device must be associated with a Device Group. Click on the
+Device Group option to create a new device group. Now a new window will pop up
with the heading of create Device Group. Refer figure 2.3.3.

Versa SD-WAN Training LG v1.0

 Figure: 2.3.3
g. To complete the Device Group creation, do the below steps.
• Name: Enter a Name for the Device Group as DG-XX where XX is Branch name (E.g.
DG-Branch31)
• Choose the Organization from drop down menu. Here it must be Tenent1.
• Now choose the Post-staging template which created by you on Task4 from drop
down menu. Leave other options empty and click on OK button to complete the
Device Group creation.

Figure: 2.3.4

h. Now select the device group create by you at previous steps from the drop-down
menu.
i. Click on Continue to navigate to next Tab.

Versa SD-WAN Training LG v1.0

Step3: Mandatory fields to be configured under Location Information tab has explained in step
by step below. Refer Figure 2.3.5
• Configure a location for your branch (at least city and country should be filled)
• Click on Continue button to proceed to next tab.

Figure: 2.3.5
Step4: Under Bind data tab, you need to fill the device specific details such as WAN interface
IP with prefix, Next hop IP address, VLAN id etc. based on the variables you have chosen
during template creation. Refer Figure 2.3.6.
Refer the Excel sheet shared with you for IP details. Lab Topology uses /24 IP subnet.

Figure: 2.3.6
Step5: Post enter the values, hit the deploy button to complete the device creation. Refer
Figure 2.3.7

Click Deploy button to

complete Device creation

Figure: 2.3.7

Versa SD-WAN Training LG v1.0

Step6. Once the device deployed, verify it by clicking workflows tab under Device, it must be
in Deployed status. Refer Figure 2.3.8

Figure: 2.3.8

Step7. Click on the Tasks icon that is located at the upper right corner of the Director and
identify the steps taken by the Director to deploy your branch. Refer Figure 2.3.9

Figure: 2.3.9

Step8. Also go to Administration tab and then click on Inventory and hardware. Verify if your
branch is showing up as Shipped (Now the Device is ready to ship to the site and branch is
ready to bring up). Refer Figure 2.3.10

Figure: 2.3.10

Versa SD-WAN Training LG v1.0

Lab3: Branch Preparation and Script based provisioning
This is the next step after template configuration and device deployment has done
successfully. The objective of this lab is to finally connect the Versa FlexVNF CPE device to
network and perform Script based provisioning.

Task1: Access your CPE device from Jump node

Step1: SSH to your assigned jump server.

Step2: SSH to your assigned CPE management IP from jump node

[admin@SSH-JumpServer-LabGroup01: ~] # ssh 172.16.113.31
The authenticity of host '172.16.113.31 (172.16.113.31)' can't be established.
ECDSA key fingerprint is b1:5d:71:80:88:d5:4f:88:a3:46:95:1e:d5:00:fe:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.113.31' (ECDSA) to the list of known hosts.
[email protected]'s password:
.---.,
( ``.
_ \ ) __ ________ _____ _____
( `. \ / \ \ / / ____| __ \ / ____| /\
\ `. ) / \ \ / /| |__ | |__) | (___ / \
\ | / \ \/ / | __| | _ / \___ \ / /\ \
\ | / \ / | |____| | \ \ ____) / ____ \
\ | / \/ |______|_| \_\_____/_/ \_\
\ | /
\_|/ ___ _ _____ ___ ___ _ ___
| __| | | __\ \/ | \ / / \| | __|
| _|| |__| _| > < \ V /| .` | _|
|_| |____|___/_/\_\ \_/ |_|\_|_|

Versa FlexVNF software

Release : 16.1R2 (S6)
Release date: 20181116
Package ID : 67da9db

You have new mail.

Last login: Tue Feb 26 09:53:58 2019 from 103.231.208.36
[admin@RDBranch31: ~] $cli

Step3: invoke cli mode by using cli command. Issue show interface brief command to
ensure the device do not have any configuration except management interface configuration.

admin@RDBranch31-cli> show interfaces brief

NAME MAC OPER ADMIN TENANT VRF IP
---------------------------------------------------------------------------
eth-0/0 52:54:00:d6:2a:26 up up 0 global 172.16.113.31/24
vni-0/0 52:54:00:e1:70:14 down down - -
vni-0/1 52:54:00:ff:02:03 down down - -
vni-0/2 52:54:00:6e:b7:6b down down - -
vni-0/3 52:54:00:14:4f:2d down down - -

[ok][2019-02-26 11:30:59]
admin@RDBranch31-cli>

Note: To erase any configuration present, use request erase running-configuration

command which will erase all the configuration and do service restart.

Step3: Enter Shell mode and navigate to script directory using cd command as “cd
/opt/versa/scripts”

Versa SD-WAN Training LG v1.0

Step4: execute sudo./staging.py -h to see various options available for the script

Step5: Refer below for sample staging script format. Variables are highlighted BOLD.

sudo./staging.py -l [email protected] -r [email protected] -n SR150

-c 192.168.17.142 -w 0 -s 192.168.19.150/24 -g 192.168.19.3

You should see this message after successful run of the script

Table below explains the various parameters used in the script.

Parameter Explanation Values

Local identifier in email format.
Domain part is always uses Default value always -
-l SDWAN-Branch@<name of the parent
format @ <name of the parent organization>.com
organization>.com
Remote identifier in email format. <staging controller name>-
-r Always as <staging controller staging@<name of the parent
name>-staging@<name of the
parent organization>.com organization>.com
Use vsh show-seriulnum at linux shell
prompt or versa CLI command show
-n Serial number of the branch
system details to see your branch
serial number
Controller WAN interface IP
Controller WAN interface IP that corresponding to network interface
-c will be contact by branch for being used for onboarding. E.g. if used
onboarding process MPLS interface please using MPLS
interface IP of controller
If the WAN interface uses dot1.q VLAN
VLAN identifier for the CPE WAN
-v ID then the same can be supplied using
interface
the parameter -v
WAN interface identifier that will 0 identifies first interface [vni-0/0]
-w be used for contacting the staging 1 identifies second interface [vni-0/1]
controller Provide correct WAN interface identifier

IP address will be statically Intended WAN IP address. IP address /

-s
assigned to the chosen interface. address mask format

WAN Gateway IP address. This is

-g essentially the next hop address IP address of the next hop
from the FlexVNF CPE

Versa SD-WAN Training LG v1.0

Refer below the procedure to identify local-id (-l option) and the remote id (-r option) to use
in the staging script:

Under the Configuration tab select Devices and then select the first controller in your group.
Then navigate to Services and select IPSec. Then select the Organization as Provider [the
parent organization] in the drop-down list and click on the VPN profile of the WAN link. A pop
will show up as seen below. Select the IKE option.

Remote ID

Local ID

Figure: 3.1.1
Step5: Go to CLI prompt and verify the IKE is established and Versa FlexVNF CPE can able to
obtain temporary IP from Staging Controller

admin@RDBranch31-cli> show interfaces brief

NAME MAC OPER ADMIN TENANT VRF IP
-----------------------------------------------------------------------------
eth-0/0 52:54:00:d6:2a:26 up up 0 global 172.16.113.31/24
tvi-0/1 n/a up up - -
tvi-0/1.0 n/a up up 1 mgmt 10.0.2.8/24
vni-0/0 52:54:00:e1:70:14 up up - -
vni-0/0.0 52:54:00:e1:70:14 up up 1 grt 192.168.19.31/24
vni-0/1 52:54:00:ff:02:03 down down - -
vni-0/2 52:54:00:6e:b7:6b down down - -
vni-0/3 52:54:00:14:4f:2d down down - -

[ok][2019-02-26 11:37:51]
admin@RDBranch31-cli>
System message at 2019-02-26 11:38:03...
Commit performed by admin via ssh using netconf.
admin@RDBranch31-cli>
System message at 2019-02-26 11:38:14...
Commit performed by admin via ssh using netconf.
admin@RDBranch31-cli>
Broadcast message from root@RDBranch31
(unknown) at 11:38 ...

The system is going down for reboot NOW!

Versa SD-WAN Training LG v1.0

Step6: After this the branch should get full configuration from Director then would reboot and
come up with full configuration. The branch on-boarding progress can be observed by clicking
on task button in Versa Director.

Figure: 3.1.2
After reboot, execute show interface brief command to validate that device boot up with
the configuration pushed from director.

admin@RDBranch31-cli> show interfaces brief

NAME MAC OPER ADMIN TENANT VRF IP
----------------------------------------------------------------------------------------------
eth-0/0 52:54:00:d6:2a:26 up up 0 global 172.16.113.31/24
ptvi4 n/a up up 2 Tenant1-Control-VR 10.1.64.2/32
ptvi5 n/a up up 2 Tenant1-Control-VR 10.1.64.3/32
tvi-0/4 n/a up up - -
tvi-0/4.0 n/a up up 2 Tenant1-Control-VR 10.1.0.101/32
tvi-0/5 n/a up up - -
tvi-0/5.0 n/a up up 2 Tenant1-Control-VR 10.1.64.101/32
tvi-0/602 n/a up up - -
tvi-0/602.0 n/a up up 2 Internet-Transport-VR 169.254.0.2/31
tvi-0/603 n/a up up - -
tvi-0/603.0 n/a up up 2 Tenant1-LAN-VR 169.254.0.3/31
vni-0/0 52:54:00:e1:70:14 up up - -
vni-0/0.0 52:54:00:e1:70:14 up up 2 MPLS-Transport-VR 192.168.19.3/24
vni-0/1 52:54:00:ff:02:03 up up - -
vni-0/1.0 52:54:00:ff:02:03 up up 2 Internet-Transport-VR 192.168.20.31/24
vni-0/2 52:54:00:6e:b7:6b up up - -
vni-0/2.0 52:54:00:6e:b7:6b up up 2 Tenant1-LAN-VR 172.16.31.31/24
vni-0/3 52:54:00:14:4f:2d down down - -

[ok][2019-02-26 11:41:10]
admin@RDBranch31-cli>

Step6: Validate branch on-boarding

Once the Branch has successfully on-boarded in director, it must be listed under
Administration > Appliances tab. Configuration Synchronized tab and the Reachability should
show the green tick box and the Service should show as UP.

Versa SD-WAN Training LG v1.0

 Figure: 3.1.3

Step7: Validate BGP neighborship with controller

Execute the command “show bgp neighbour brief” to check the BGP neighbour status with
versa SD-WAN controllers from Branch CLI.

The below output shows the BGP session with controller tvi IPs.
admin@RDBranch31-cli> show bgp neighbor brief Tenant1-Control-VR
routing-instance: Tenant1-Control-VR

Neighbor V MsgRcvd MsgSent Uptime State/PfxRcd PfxSent AS

10.1.64.2 4 149 115 00:45:07 28 5 64512
10.1.64.3 4 153 115 00:45:08 28 5 64512

[ok][2019-02-26 12:25:41]
admin@RDBranch31-cli>

Versa SD-WAN Training LG v1.0

Lab4: Operations and Maintenances
The objective of this lab is to familiarize you with various day to day operational tasks

Task1: Routing changes via appliance configuration mode

The first lab assignment is to configure static route on LAN and redistribute to MP-BGP so that
branch LAN addresses are advertised to another branch.

Step1: Click on the CPE you want to configure from Administrations > appliance

Click the CPE you

want configure

Figure: 4.1.1

Step2: Navigate to Configuration > Networking > Virtual-Routers > Tenant1-LAN-VR.

1
2

Figure: 4.1.2

Step3: Once you clicked on Tenant1-LAN-VR a new window will pop-up as Edit Tenant1-LAN-
VR.

Figure: 4.1.3

Versa SD-WAN Training LG v1.0

Step4: Select Static Routing and hit add (+) button to add a new static route.
New window will pop-up as Add Static Route. Configure Destination subnet, Next Hop
Interface & Next hop IP address as per your topology and hit ok to add the route entry.

Figure: 4.1.4

Step5: After added the static route, you need to redistribute static route into BGP by adding a
rule in the redistribution policy in routing-instance “tenant1-LAN-VR”. Add a new rule in the
policy “Default-Policy-To-BGP”. To do so follow the steps from 6 to 8 as below.

Step6: Navigate to redistribution policy and click on the existing policy “Default-Policy-To-BGP”
created by workflow.

Figure: 4.1.5

Versa SD-WAN Training LG v1.0

Step7: A New window will pop-up, Hit add (+) button which will pop-up a new window to add
a new term in the existing policy.

Figure: 4.1.6

Step8: Create the term for redistribute static routes

• Give the term a Name (Eg: Static…)
• Select protocol as static from the dropdown list under protocol.
• Hit ok to add the term then Hit ok to close the Edit Redistribution Policy Tab and again
Hit ok to close the Edit Tenant1-LAN-VR Tab.

Figure: 4.1.7

Step8: Verify the configuration changes in your device through CLI.

show commit changes <commit change number> would show the corresponding configuration
commit done in the device

Versa SD-WAN Training LG v1.0

Setp9: Verify neighbour FlexVNF CPE’s routing table to confirm the route advertised from your
CPE present in its routing table.
Use command show route routing-instance <name of the LAN VR> to check LAN VR routing
table

Versa SD-WAN Training LG v1.0

To verify which routes are sent or received by BGP protocol, use any of the following
commands (Use ? at the end of the command to see all possible options with the command)
1. show route receive-protocol bgp
2. show route advertising-protocol bgp
3. show route table (useful to see routes in the l3vpn.ipv4 address family)

Refer below image for output taken with show route receive-protocol bgp

Versa SD-WAN Training LG v1.0

Refer below image for output taken with show route advertising-protocol bgp

Versa SD-WAN Training LG v1.0

Task2: Configuration changes via Template
The assignment of this lab is to perform a configuration change using configuration template
to add a VLAN interface part of the LAN VR. Use details below for adding the new interface.

VLAN Number IP address

Your branch number 172.16.bbb.bbb/24 [bbb: branch number]

Step1: Navigate to Director Configuration tab and then select the Device Template under
Templates for the right tenant.

3
2

Figure: 4.2.1
Step2:
• Select the correct Post-Staging template
• Click on Interfaces under Networking
• Make sure you are clicking on the correct vni interface from right-pane under ethernet
tab [ LAN interface in your template] to add a VLAN sub interface

1
2

Figure: 4.2.2

Versa SD-WAN Training LG v1.0

Step3: In the interrace pop up hit the + button to add VLAN sub interface

Hit + to add a new

sub interface

Figure: 4.2.3
Step4: Parameterize Unit number, VLAN ID and IP address values by clicking the gear icon. Hit
OK once all required values are parameterized.
Note: Grey Gear means absolute value whereas green gear signifies parameterized value.

Figure: 4.2.4
Step5: Before committing the newly modified template the bind data for the new variables
are to be entered. Go to Devices > Device Bind Data to enter required bind data.

Versa SD-WAN Training LG v1.0

 Figure: 4.2.5

Step6: Select your Device Group and Template and hit edit

Hit edit to
enter values

Figure: 4.2.6

Step7: Enter the values corresponding to your branch. Once done hit OK

Select your branch and enter the values

Figure: 4.2.7

Versa SD-WAN Training LG v1.0

Task3: Perform RMA from Versa Director for Hardware replacement at Branch
What is RMA?
if the device shipped to the location is faulty, to replacing that is called RMA. In this
Administrator do not have to do any modification in Template and Device under workflow.

Step1: To RMA a Faulty Device, Go to Director Administration tab. Go to Inventory and select
Hardware. Select the branch by clicking the tick box. And click on the right-hand side
highlighted option (Replace Serial Number)

Figure: 4.3.1
Step2: On Pop-up window, enter the new serial number as SERbbb (bbb-branch Number)
and hit ok.

Figure: 4.3.2
Step 3:- Log into the Cli of corresponding branch and check the Existing Serial number by
executing the below command: “Show system details”

Figure: 4.3.3

Versa SD-WAN Training LG v1.0

Then run “request erase running-config” command and it will ask your confirmation to
proceed. Type “yes” and hit enter button.

Figure: 4.3.4

Branch will erase configuration and restart all the needed versa processes. During this phase
you will be dropped out of the CLI terminal.

Figure: 4.3.5

Versa SD-WAN Training LG v1.0

If your ssh session to the appliance timed out, do SSH again. On the Linux shell terminal, verify
all Versa processes are running by executing the command “vsh status” and make sure all
the processes are in running state.

Figure: 4.3.6

Go to /opt/versa/scripts and execute the script you entered while bringing up the branch
earlier to connect the branch to the staging controller and Change the serial number (-n
option) for your device to SERbbb instead or SRbbb, where bbb is your branch number.

Figure: 4.3.7

Verify branch comes up and is reachable and synchronized. It may take up to 5 minutes to go
to synch state on the Versa Director User Interface.

Figure: 4.3.8

Versa SD-WAN Training LG v1.0

Once the Branch comes up. Go to the cli and run “show system details.” Can be seen the new
serial number…

Figure: 4.3.9

Step 4: - To verify the RMA. Go to the Director Administration > Inventory > hardware from
the list of devices can be seen the new and old serial number in the branch as highlighted…

Figure: 4.3.10

Versa SD-WAN Training LG v1.0

Task4: Upload software image to Director and upgrade the Software version on the
Versa FlexVNF branches

Step 1:
• Upgrading of an appliance can be done via Versa Director or device CLI
• We will use director to upgrade your branch to a more current 16.2R2S6 image
• The software file must be first uploaded to the Versa Director. Select Administration
> Inventory > Image. Then click on the + icon on the right-hand top side to upload the
new image.

Figure: 4.4.1

• A new pop up will open where you must do below configuration.

• Package Name: Enter the name of the image in short format (Eg: 16.1R2.S6)
• Product Type: Select FlexVNF from drop down menu.
• Package Location: Select upload option and click on browse to define the path
where image file stored on your machine.
• Hit Ok.

Figure: 4.4.2

Versa SD-WAN Training LG v1.0

 • Now you will see the image uploading status at bottom of Right-hand side.

Figure: 4.4.3

Note: - Please note that a copy of the FlexVNF image file (.bin) has been uploaded to each of
the lab directors so this step can be skipped.

Step 2: Upgrade the Image into the branch…

• Now go to Administration à Appliances and select your branch by checking the tick
box next to the name and then select “Upgrade Selected Appliance” from the right
hand top.

Figure: 4.4.4
After clicking on the upgrade option on selected appliances, It will pop up new window where
you must select the package name from the drop down list to be upgraded.

Figure: 4.4.5

Versa SD-WAN Training LG v1.0

Don’t tick the Upload only option. This option is if you want to only upload the file to appliance
but not upgrade.

Figure: 4.4.6

Upgrade can be Monitored/Seen or status of the upgrade from the Task list.

Figure: 4.4.6

Versa SD-WAN Training LG v1.0

Lab5 - Hub and Spoke Deployment
Objective of this lab is to know the various Hub & Spoke topology deployment configuration
such as Spoke to Spoke direct, Hub & Spoke only, Spoke to Spoke via Hub.

Note: For Hub & spoke topology, HUB must be created & on boarded in director then only
we can deploy the spokes.

Task1: Spoke to Spoke Direct:

Step1: For Hub and spoke topology, 2 things must be done before creating a workflow
template for spoke.

1. HUB device must be on boarded in director

2. Spoke group must be created.

This Spoke group will get attached to the workflow template of spokes.

Step2: To create Spoke group, go to the director workflow tab and navigate to Template >
Spoke groups.

Figure: 5.1.1

• click on the right-hand side (+) sign button, it will open new Pop-up window.

Figure: 5.1.2

• Define the parameters as below.

• Name: Define a name for spoke group (Eg: SPKTOSPK-DIRECT)
• Organization: Choose your organization from drop-down menu. (Eg: Tenant1)
• Spoke group type: Choose the Spoke Group type as Spoke to Spoke Direct
• Hubs: By Default, the Hub associated with your organizations are listed. Choose the
priority as 1.
• Hit save button to complete the spoke group creation.

Versa SD-WAN Training LG v1.0

 Figure: 5.1.3

Step 2: Now go and create Spoke Template under Workflow>Template>templates and click
on the +sign. it will open new Pop up window…

Figure: 5.1.4

• Select the Device Type as Spoke and choose the Spoke Group which you created on
previous step from drop-down menu and Fill the rest of the details as you did on Lab-
2/Task2. Similarly create for other spoke too. Make sure both spokes under the same
spoke group.

Figure: 5.1.5

Versa SD-WAN Training LG v1.0

 • After template creation, complete the device creation & on boarding with the same
step as you did in Lab2/Task3.
• Post successful on boarding of spoke devices, ssh to the appliances and run below
commands.
• “show interface brief”
• “show route routing-instance Tenant1-LAN-VR”
Note: In Spoke to Spoke Direct a direct connection between two spokes (within a spoke-
group), bypassing a hub. Spoke will have LAN routes of other spoke as direct next hop. You
can also have backup route via hub if required.

Branch31 output:

Route learn from another spoke direct

Backup route from HUB

Figure: 5.1.6

LAN Subnet

Figure: 5.1.7

Versa SD-WAN Training LG v1.0

Branch 32 Output:

Route learn from another spoke direct

Backup route from HUB

Figure: 5.1.8

LAN Subnet

Figure: 5.1.9

Versa SD-WAN Training LG v1.0

HUB Output:

Figure: 5.1.10

Result: Make sure you are getting the branch routes directly.

Versa SD-WAN Training LG v1.0

Task2: Spoke to Spoke via HUB
This type of configuration is preferred when hub is used as a gateway to go out from spoke
site.

Step1: Create a Spoke group under workflow>template> Spoke Group as same as Task1.
• Define the parameters as below.
• Name: Define a name for spoke group (Eg: HUB-SPOKE)
• Organization: Choose your organization from drop-down menu. (Eg: Tenant1)
• Spoke group type: Choose the Spoke Group type as Spoke to Spoke via Hub
• Hubs: By Default, the Hub associated with your organizations are listed. Choose the
priority as 1.
• Hit save button to complete the spoke group creation.

Figure: 5.2.1

Step 2: Create a new template with the spoke group created on above step and follow the
same step mention in Lab2/Task2 to complete the template creation.

Figure: 5.2.2

Step3: After template creation, complete the device creation & on boarding with the same
step as you did in Lab2/Task3.
Step4: Post successful on boarding of spoke devices, ssh to the appliances and run below
commands.
• “show interface brief”
• “show route routing-instance Tenant1-LAN-VR”

Versa SD-WAN Training LG v1.0

Note: In Spoke to Spoke via Hub no direct connection between two spokes (within a spoke-
group). Spoke will have LAN routes of another spoke via Hub with next hop of Hub ESP tvi IP.

HUB Output:

Figure: 5.2.3

Spoke-1 Routing Table:

Route learn from HUB

Figure: 5.2.4

Versa SD-WAN Training LG v1.0

Spoke-1 Interface status:

Figure: 5.2.5

Spoke2 Routing-Table:

Route learn from HUB

Figure: 5.2.6
Spoke-2 Interface status:

Figure: 5.2.7

Versa SD-WAN Training LG v1.0

Lab6: SD-WAN Traffic steering and QoS configuration
Objective of this lab is to explain the steps to enable traffic steering policy in a Branch

Task1: Traffic Steering by using SDWAN Policy in an Appliance:

Step1: Click on the CPE you want to configure from Director Administrations > appliance
Step2: Click on the configuration Tab of the appliance and select the Service option in Left
Pane.

Figure: 6.1.1

Step3: Expand the SDWAN option and click on SLA Profiles. Create a new SLA profile by click
on the (+) button on the right-pane. Now a new window will pop-up with various metrics
option. Do refer the table below and create the sla profiles as per the data given.

Name Match Traffic SLA WAN Link priority

Priority 1 - MPLS,
Voice SIP, Skype Latency 100 ms
Priority 2 - Internet
Priority 1 – MPLS,
TCP TCP Jitter 30 ms
Priority2 - Internet
Latency 100ms; Jitter 30 ms; Priority 1 - MPLS,
Salesforce
Salesforce PDU Packet loss 10% Priority 2 - Internet
Priority1 - Internet,
Default Default
Avoid - MPLS

For example, create an SLA profile for Real-Time-Traffic as below.

• Name: Define the name for SLA Profile (Ex: voice)
• Latency: define the Latency as 100 ms (Leave rest of the box as empty)
• Hit OK to complete.

Figure: 6.1.2

Versa SD-WAN Training LG v1.0

Follow the same step to create rest of the SLA Profiles with corresponding metric values.

Figure: 6.1.3

Step4 – Next step is to create Forwarding Profiles as defined in the table above.
• The Forwarding profile should reference the SLA profile created in Step 3.
• Mandatory fields to be configured under General tab as below.
• Name: Define the name for Forwarding Profile (FP). (Refer the Table)
• SLA Profile: Choose the corresponding SLA Profile to be associated with this FP
from drop-down menu. (Refer the Table)
• Recompute Timer: Default value is 300. Change the value to 30.
• Evaluate Continuously: Enable the checkbox.
• Leave other options as Default and select Circuit Priorities Tab.

Figure: 6.1.4

• In Circuit Priorities tab, we can Prioritize one WAN link over others. For example,
setting priority to MPLS link than Internet link.
• Refer the Table and set the priority of the WAN Links as defined. Circuit Priority
configuration steps are as below.
• Click on (+) button to create a New priority Link. New window will pop-up.
§ Priority: By Default, It is 1. You can change it by click on drop-down menu.
Leave it to Default 1.
§ Circuit Names: Click (+) button on Local tab under Circuit Names and choose
the WAN circuit from Drop-down menu. (Ex: MPLS)
§ Click ok to close the circuit Priority window.
• Now click again on (+) button to create second priority Link.

Versa SD-WAN Training LG v1.0

 § Priority: By Default, it is 1. You must change it to 2 by click on drop-down
menu.
§ Circuit Names: Click (+) button on Local tab under Circuit Names and choose
the WAN circuit from Drop-down menu. (Ex: Internet)
§ Click ok to close the circuit Priority window.
• Hit OK to complete.
• Repeat the same steps to create rest of the Forwarding profiles as defined in Table
above.

Figure: 6.1.5

Step5: Click on the Policies under SDWAN. On the right pane, click on Rules and Hit (+) sign.
one new window will pop up as below.

Figure: 6.1.6
Mandatary configurations to de done under each tab has explained below. (For example,
creating the policy for SAP&SKYPE)
• General:
• Name: Define a name for this rule (Ex: voice)

Versa SD-WAN Training LG v1.0

 Figure: 6.1.7

• Applications/URL:
• Click on the (+) sign under applications and choose SAP application from drop-
down menu.
• Similarly repeat the step for adding other applications (SKYPE) from the drop-
down menu as defined in Table.

Figure: 6.1.8

• Enforce:
• Forwarding Profile: Choose the corresponding forwarding profile from drop
down menu. (Ex: voice)
• Click OK to complete the rule.

Figure: 6.1.9

Versa SD-WAN Training LG v1.0

Note: - Once the traffic matches a rule, further rules down the list won’t be checked. Hence
align the rule for better match.
Repeat the Step5 to create rest of FP for TCP & Salesforce traffic with relevant data.

Versa SD-WAN Training LG v1.0

Task 2: QoS Configuration

Refer table below for the parameters to be used for QoS configuration.

Match QOS Forwarding Remark Traffic Associate

Name Traffic class to Traffic class Configuration Class Network Configuration objective
Use Q0 of traffic class 0 for control
3% Transmit Rate;
Control FC0; MPLS & traffic. By default, control traffic falls
3% Guaranteed Rate; 0
Traffic Loss priority low internet under this class so no explicit match
Queue 0 - weight 4
needed
FC4; 10% Transmit Rate; Use Q0 of traffic class 1 for control
MPLS &
Voice SIP, Skype Loss priority low EF 7% Guaranteed Rate; 1 traffic. Use App-QoS to match traffic
internet
Police 1Mbps; Queue 0 - weight 4 and put in this que
30% Transmit Rate;
FC8; MPLS & Use Q0 of traffic class 2 for TCP traffic.
TCP TCP 20% Guaranteed Rate; 2
Loss priority low internet Use App-QoS for matching traffic
Queue 0 - weight 4
FC12; Use Q0 of traffic class 3 for salesforce
Salesforce salesforce
loss priority low Queue 0 - weight 2 MPLS & and all other traffic should fall under q1
3
Queue 1 - weight 1 internet of the same traffic class.
FC13, loss priority
Default Default Use App-QoS for matching traffic
high
Step1: Select the appliance from Director Administration > Appliance and click on the
appliance where QoS to be configured. Go the Networking tab under configuration and
expand Class of Service and click on QoS Profile.

Figure: 6.2.1

Step2: Create a QOS profile by clicking on the (+) sign on the right-pane. Configure the below
steps as defined in Table above.

• Name: Define the name of the QoS Profile. (Ex: voice)

• Peak Rate: Define the policing rate as defined on table
• Forwarding class: Choose the forwarding profile from drop down menu. Refer table
• DSCP Rewrite: Enable the check box for voice profile only. Rest of the profile leave it
to blank.
• Hit OK to complete the profile creation.

Figure: 6.2.2

Repeat the same step for creating QoS Profile for other traffic.
 Figure: 6.2.3

Step3: Post created the QoS profile, create a rewrite rule for making voice traffic. Select RW
Rules and click on (+) sign on the right pane to create new rule.

Figure: 6.2.4

New window will pop-up and do the configuration as mentioned below.

Figure: 6.2.5

Versa SD-WAN Training LG v1.0

On pop-up window, choose the forwarding class 4 from drop-down menu and set the loss
priority and code point as mentioned below and hit ok to close the pop-up.

Figure: 6.2.6

Step 3: Matching application and assignment to corresponding QoS profile

In this step we will use app-QoS to match traffic and then assign them to corresponding QoS
profile
• App-QoS rule named Voice to match skype/Sip and map it to Voice QoS profile
• App-QoS rule name SalesForce to match salesforce application and map it to
SalesForce QoS profile
• App-QoS rule name TCP to match TCP application and map it to TCP QoS profile
• APP-Qos rule name Default to match all traffic and map it to Default QoS Profile
Navigate to App-QoS > Policies and hit + to create new App-QoS policy. New Pop-up will
open.

Figure: 6.2.7

Versa SD-WAN Training LG v1.0

Note: The QoS policy does L3/L4 classification and App Qos policy does L3-L7 classification.
If the traffic matches both policies, then the L3/L4 policy is applied first followed by the App
QoS policy.

Configuration for each App QoS rule has explained on below images.

Rule for voice traffic

• General: Define a Name (Eg: voice) and move to Application/URL Tab.

Figure: 6.2.8

• Click on the + sign on Application list and add the application from the list.

Figure: 6.2.8

Versa SD-WAN Training LG v1.0

 • After chosen the application, move to enforce tab and select the relevant QoS profile
against this policy from drop-down.

Figure: 6.2.10

Rule for salesforce traffic:

• General: Define a Name as salesforce and move to Application/URL Tab.
• Click on the + sign on Application list and add the application from the list.
• After chosen the Salesforce application, move to enforce tab and select the relevant
QoS profile against this policy.

Figure: 6.2.11

Versa SD-WAN Training LG v1.0

Rule for TCP traffic:
• General: Define a Name as TCP and move to Headers/schedule Tab.

Figure: 6.2.13

• Click on the + sign on Service List options and add choose TCP from drop-down list.

Figure: 6.2.14

Versa SD-WAN Training LG v1.0

 • After chosen the TCP as Service, move to enforce tab and select the relevant QoS
profile against this policy.

Figure: 6.2.15

Rule for Default traffic:

• Create the last profile as Default without any Header or Application match and under
Enforce tab select Default QoS profile

Figure: 6.2.16

Step 4 – Create a Scheduler to set the shaping rate for the traffic class and to set the weight
of each of the queues within the traffic class.
Create five schedulers
• Scheduler named Network Control with parameters as 3% Transmit Rate, 3%
Guaranteed Rate, Queue 0 - weight 4
• Scheduler named Voice with parameters 10% Transmit Rate, 7% Guaranteed Rate,
Queue 0 - weight 4
• Scheduler named TCP with parameters 30% Transmit Rate, 20% Guaranteed Rate,
Queue 0 - weight 4

Versa SD-WAN Training LG v1.0

 • Scheduler names SF-Default with parameters Q0 weight 2 and Q1 weight 1

Select Scheduler and click on the (+) sign at right pane to create Schedulers. It will pop-up new
window.

Figure: 6.2.17

Give the name and give the transmit rate Guaranteed rate, queue, and weight. As per above
list and hit ok. To complete the scheduler…

Figure: 6.2.18

Versa SD-WAN Training LG v1.0

Find below to verify the configuration of each schedulers.

Figure: 6.2.19

Step 5 – Create a Scheduler map to assign the Schedulers to the traffic class.
To Create the Schedule map, click on the same +sign in the right-hand side …it will pop up new
window…

Figure: 6.2.20

Give the name and select the schedule based on the traffic class as per the above list…and
hit ok to complete Schedule map.

Versa SD-WAN Training LG v1.0

 Figure: 6.2.21

Step 6 – The last step to create interface associate for the scheduler map. Rewire policy also
to be associated in this step.
• Select Associate Interface/Network and hit + to create the association. New window
will popup.
•

Figure: 6.2.22

• Select network option and choose the name as MPLS from drop-down option.
• Select the DSCP Rewrite rule from drop-down option.
• Select the Scheduler map from drop-down option.
• Set the Rate of the interface to 5 mbps.
• Hit OK to complete.
• Repeat the same steps for Internet.

Versa SD-WAN Training LG v1.0

 Figure: 6.2.23

Step7: Same can be verified under monitor. Monitor > Services > COS > App qos policies…

Figure: 6.2.24

Versa SD-WAN Training LG v1.0

Lab7: Next Generation Firewall
Task1: Enabling and configuring Next Generation Firewalls

Step 1: In order to enable the Stateful/NextGen Firewall features on Flex-VNF, ‘Subscription-

Profile’ should have an appropriate plan selected under the parent organization and same
would get inherited by the Tenant (Default-All-Services-Plan).

Figure: 7.1.1

• Navigate to Director Administration > Organization > Select the Provider

Organization. A new window will popup.
• Left Pane, all the services offered by Versa are listed under Available Service.
• Right Pane, Services Available to this organization are listed.
• You must click on Nextgen Firewall from left pane and move it right pane by clicking
on > button.
• This can be done per template or from Appliance context

Click to move desired

service from Available
Services to Selected
Services

Figure: 7.1.2

• Add the new service(s) under the Organization tab select Limits. Select the tenant.
And then move to services. It will confirm and can be selected the security service for
the tenant.

Versa SD-WAN Training LG v1.0

 Figure: 7.1.3

Step 2: To configured DOS Profile, go to Services tab, Now the selected service DoS profile
would be available to configure

Figure: 7.1.4

• Give the name and define the Protocol and enable the same. Hit ok.

Figure: 7.1.5

Versa SD-WAN Training LG v1.0

 • Add the Dos policy by Clicking + sign, It will pop up new window…

Figure: 7.1.6

• Click on the rule, and then click on right hand side +sing to create Policy rule, it will
open new pop up window. Give the name and move….

Figure: 7.1.7
Move to the next tab (Source/destination) select zone…

Figure: 7.1.8

Versa SD-WAN Training LG v1.0

Move to Enforce tab…select the action setting. And select the Dos Profile created above…and
hit OK to complete DoS policy creation…

Figure: 7.1.9

Step3: Firewall Access policies can be defined with or without applying security profiles
Security profiles include, IP Filtering, Anti-Virus, IPS/IDS [Vulnerability], URL Filtering these
features can be created through profiles. Under security option under services. …to create
profile, select url filtering. click on +sign right hand side. it will pop up with new window.
Give the name of the profile…. hit ok…

Figure: 7.1.10

Step 4: - Firewall Access policies can be defined by Match criteria, and the match criteria can
be selected based on various parameters such as Zones, IP address, DSCP, IP Flags,
Application, URL Categories and even users.

To create policies, we must select the policy option under security tree. Under services.
To create policies, click on the +sign on right-pane. It will pop up with new window…

Versa SD-WAN Training LG v1.0

 Figure: 7.1.11

Give the name as per the security rule.

Figure: 7.1.12

• The rules can be scheduled to enable only at certain time [ time of day, Daily or
Weekly , etc..] by selecting header/scheduler… plan the schedule as per the
requirement…

Figure: 7.1.13

Versa SD-WAN Training LG v1.0

 Figure: 7.1.14

Move to another tab to select source/destination. Application/URL click on the (+) sign and
select the application from the application drop down list.

Figure: 7.1.15

We can select the user if need to assign from the drop-down list.

Versa SD-WAN Training LG v1.0

 Figure: 7.1.16

Then move to the enforce tab. And select the action need to be taken…apply the security
profile…

Figure: 7.1.17

Check the box to enable the profile with…and select the profile been created above. And hit
ok to complete the rule.…and click on the build right hand side top corner…

Versa SD-WAN Training LG v1.0

 Figure: 7.1.18

And then commit the change. It will popup new window. Where select the branch to push the
change…hit ok…

Figure: 7.1.19

Step 5: Use Monitor tab to verify security rule and policy.

Figure: 7.1.20

Versa SD-WAN Training LG v1.0

Lab8: Branch High Availability
Task1: Branch High availability configuration

Step 1: Create a new post-staging template for your paired branches. Navigate to Director
Workflow > Template > Templates and click on the +sign on right-pane.

Figure: 8.1.1

Step2: Provide the name of the Primary device template under name option.

Select the Enable and VRRP check boxes under redundant pair to create the template for
redundant CPE and run VRRP between Primary & Secondary CPE.

Define the name of secondary device template in Template Name box.

Rest of the options in General tab are same as your Lab2/Task2.

Figure: 8.1.2

Step 3: Move to Interface tab and define the interfaces for both devices.
Primary device use MPLS and Secondary use Internet. Now the important thing we must do
under interface is, define the cross connect port which connects between primary and
secondary CPE. Identify the common port which is free at both primary and secondary device
and make that port as cross connect port.
Then complete the rest of the configuration as you did it on Lab2/Task2.

Versa SD-WAN Training LG v1.0

 Figure: 8.1.3

Under configuration tab. We could see the template created

Figure: 8.1.4

Step 4: Now create the device by clicking +sing in right hand side corner. Fill the name and tag
the template to the group. location as advised previously and fill the bind data accordingly.

Figure: 8.1.5

After creating both devices, run the staging script to bring up branch devices…

Figure: 8.1.6

Versa SD-WAN Training LG v1.0

Run the script on both devices…to on board with HA….

Figure: 8.1.7

Primary Snippet:

Cross connect IPss

Figure: 8.1.8

VRRP Master

Figure: 8.1.9

Versa SD-WAN Training LG v1.0

Backup snippet:

Cross connect IPss

VRRP Backup

VVRP VIP

Versa SD-WAN Training LG v1.0

Versa SD-WAN Training LG v1.0