Lab V SDCA 20 Versa Workflows and Templates Aeadza
In this lab, you will be assigned a single CPE device (Branch device) for configuration and
monitoring.
The lab environment is accessed through a remote desktop connection. The remote desktop
connection opens a remote workstation, where you will use various tools to navigate and
configure the lab environment. The main tool you will use in this lab is Versa Director. Versa
Director can be accessed by opening the Google Chrome browser on the Remote Desktop.
There is a bookmark to the Versa Director device in the Google Chrome bookmark bar.
This lab environment is a shared environment. There may be up to 5 other students in the
environment. Each student has their own remote desktop, but the Versa Director is shared.
Because of the shared environment, you may see configuration templates, device groups,
workflows, and devices that other students have created, or that have been pre-provisioned
within Versa Director. It is important that you only modify the configuration components that
are assigned to you by your instructor.
During certain lab parts, the lab guide will present sample output from the GUI or the CLI. The
sample outputs are SAMPLES and represent the information as it appeared during the lab guide
creation. Your output may vary in some ways (some devices may or may not be present, some
routes may or may not be the same, etc.). Do not be alarmed if your results vary slightly from the
results shown in the lab guide. The important thing is that the lab functions in the desired
manner.
This lab guide will step you through some common tasks that are performed on Versa Director.
After an introductory set of exercises, you will be asked to perform some basic tasks that will
allow you to become more familiar with the environment. At the end of the lab guide you can
find additional help on how to complete the tasks, so if you have trouble with a task, please
refer to the help section. If you still cannot accomplish the task, ask your instructor for
assistance. In addition, you will see hints placed throughout the lab guide to help you along.
Hint: Look for these hints to help you in the labs.
The goal of this and all lab exercises is to help you gain additional skills and knowledge. Because
of this, the lab guide contains additional instruction to supplement the student guides.
Lab Topology
[Figure: lab topology showing the Internal Web Server, the MPLS and INET transports, and the hub Hub105 (MPLS: vni-0/0, INET: vni-0/1, vni-0/2, vni-0/3)]
Interface Addresses
CPE          vni-0/0             vni-0/1             vni-0/2
Branch110    192.168.19.110/24   192.168.20.110/24   172.16.110.1/24
Branch111    192.168.19.111/24   192.168.20.111/24   172.16.111.1/24
Branch112    192.168.19.112/24   192.168.20.112/24   172.16.112.1/24
Branch113    192.168.19.113/24   192.168.20.113/24   172.16.113.1/24
Branch114    192.168.19.114/24   192.168.20.114/24   172.16.114.1/24
Branch115    192.168.19.115/24   192.168.20.115/24   172.16.115.1/24
MPLS Gateway: 192.168.19.3
INET Gateway: 192.168.20.3
Controller Addresses
MPLS               MPLS Gateway    INET               INET Gateway
192.168.17.3/24    192.168.17.1    192.168.18.3/24    192.168.18.1
The first lab exercise is to become familiar with how to connect to the remote lab environment. Your instructor
should have reviewed the following information with you prior to starting:
• Branch/Node/CPE Assignment
• Remote Lab Access
If you have not yet been assigned a branch device, please contact the instructor as this is a shared
environment, and each student will configure and monitor a specific branch node.
Follow the instructions provided by your instructor to connect to the remote lab environment.
Once you have started your remote desktop session, you will be presented with the remote desktop:
[Figure: remote desktop, including Multi-Tabbed Putty]
On the remote desktop, open the Google Chrome browser window. The Google Chrome browser window
contains a bookmark to the Versa Director. Log into the Versa Director with the username associated with your
assigned branch device:
Open the Workflows dashboard. On the left-side menu there are 3 main categories of workflows.
Expand all 3 categories so that the sub-components are visible. Fill in the sub-components in the
diagram below.
Each of these categories of objects or components is related to a type of object within Versa Director:
There are already a few workflows saved in Versa Director that were used to create components in
the lab environment. These include:
• A Controller workflow
• A Template workflow for each of the preconfigured templates
• A Spoke Group workflow for each of the preconfigured spoke groups that are used in the
hub-and-spoke labs
• A Device workflow for each of the preconfigured devices in the lab environment.
Again, it is important to remember that these are saved processes, not the templates, controllers, or
devices that the processes create. We will examine this concept as you complete the lab.
In the Infrastructure menu, click on Controllers. All of the controller workflows are listed in the
table. Click on Controller1 (which is the only saved workflow) to open the workflow.
Note that the dialog title is “Deploy Controller – Controller01”. This is because the end result of
completing the workflow is the creation and deployment of a controller.
Question: To what analytics cluster will this controller forward log and statistics information?
_____________________________________________________________________________________
Question: What are the 2 roles that this controller will perform in the SD-WAN?
_____________________________________________________________________________________
This controller is managed by the SP organization. We’ll see later in the lab that sub-organizations that
fall under the SP organization can use this controller. When multiple sub-organizations use a parent
controller, the controller acts as a multi-tenant controller and maintains separate control plane
functionality for each tenant.
The IP address listed is the out-of-band management interface that is used for initial communication
between the Versa Director and the Versa Controller. It is only used for the creation and onboarding
process. Once the controller is provisioned, a separate interface associated with the Control Network is
used for further communication between the head-end components.
©Copyright 2021 Versa Networks
This controller will be configured as a Staging controller and as a Post Staging controller. The Staging
Controller function allows devices to be onboarded through this controller. The Post Staging Controller
function allows this controller to act as a BGP route reflector, and SD-WAN CPEs will be able to establish
BGP sessions with the controller for control plane information.
Continue to the Location Information tab. The Location Information tab can be used to indicate where
the controller is physically located.
The Control Network tab is where you define the North-Bound interface that is normally used to
communicate with Versa Director and Versa Analytics. If the Versa Controller or Versa Analytics nodes
are not on the same broadcast domain as the north-bound interface, routing can be configured on the
north-bound interface to enable reachability.
The WAN interfaces are the south-bound interfaces that connect to the SD-WAN environment. It is over
these interfaces that CPEs will communicate with the controller.
If you were creating a new controller, a Deploy button would be present in this dialog box, which would
begin the process of building the controller, including all of the Virtual Routers, VRF tables, routing
protocols, encryption profiles, and all other configuration components required to build a fully functional
controller. Because the controller is created before most other SD-WAN components, and other SD-WAN
components rely on configuration parameters of the controller when they are created, a provisioned
controller cannot be modified using the workflow as changes to the controller would impact all other
devices connected to the controller.
In the Infrastructure menu, select Organizations. The primary organization (SP in this example) is created
during the initial Versa Director configuration process. Subsequent organizations (sub-organizations) are
created using the Organizations workflow.
The Organization workflow allows you to define a sub-organization and its associated
parameters. Note that the controller Controller1 is listed in the Controllers tab. This
configuration allows the Tenant1 sub-organization to use the Controller1. If another
sub-organization under the SP domain is created, it could also be allowed to use the Controller1
controller. Other tenant-specific configuration parameters can be configured as well, including
tenant-specific Analytics connectors, the default routing instances that will be created for
devices within the sub-organization, and the supported user roles available to users within the
sub-organization, which allows the parent organization to manage and control what type of
access users within the sub-organization are allowed to be assigned.
Hint: Controllers and Organizations are usually only created at the initial SD-WAN deployment phase.
Take a few minutes to explore the configuration parameters included in the organization workflow, then
click Cancel to exit out of the workflow.
It’s common for the Controllers and Organizations workflows to be used only once or twice in an entire
deployment, as those components are normally defined and deployed in the initial stages of the SD-WAN
deployment. The workflows that are used frequently are the Template and Devices workflows.
In the Template workflow menu, select Templates. This opens the Device Template workflow table.
Device Template workflows are used to build the base configuration template that a group of devices will
inherit when a device is created in a later step. There are multiple workflows saved that were created
during the initial lab setup. Device Templates that are created using the Device Template workflow are
placed in the Configuration > Templates > Device Templates table in Versa Director, and are stored in the
local Versa Director database.
The template that is created by a workflow inherits the name of the workflow. Continue to the next page
in the lab guide to answer some questions and fill in some details related to this example workflow.
Fill in the following information based on the workflow in your lab, or the image above:
What organization will have access to this workflow and the template that this workflow
creates? ____________________________________________________________________
To what controller(s) will devices that use this template connect? ______________________
The Interfaces tab allows you to define the common interface layout of the devices that will share the
template configuration created by the workflow. Note that the device Port Configuration diagram is a
logical diagram and does not represent the actual physical device – it is only used for port mapping
purposes and basic port parameters.
The LAN interfaces are the customer site facing interfaces at the local site. The Network Name is a
user-defined name, the Organization determines which sub-organization owns the port, the Zones field
allows the user to define a specific security zone associated with the interface, and the Routing
Instance is auto-populated based on the routing instance name configured for the organization. The
method by which devices acquire their addresses is specified in the template. However, the actual
addressing is configured during the device creation process, as addressing is device specific.
To assign a port to a role, click on the port and select the role from the popup window. You can also
change the assignment of a port by clicking on a port that already has an assignment.
The Routing template allows you to define base routing protocol parameters if desired. When routing
protocol information is configured in the workflow, the workflow process automatically creates the route
redistribution policies required to advertise the local routing information – and routes learned through
the workflow-created routing processes – to remote sites in the SD-WAN.
The Tunnels tab allows you to specify direct internet access or SD-WAN gateway functions on devices
that use the template created by the workflow. You can also configure site-to-site tunnels for
non-SD-WAN tunnels between devices.
_______________________
Question: According to the preconfigured tunneling configuration, which local VRF will be able
to use the INET transport to reach non-SD-WAN destinations (split tunneling and DIA)?
____________________________________________________________________________
The Inbound NAT tab allows you to create static destination-NAT to allow outside resources to reach
internal NATed devices.
The Services tab allows you to define what services will be active on the device. The services
themselves are not created in the Workflow. The services are activated in the workflow,
which instructs the workflow to create the configuration hierarchy necessary to add the
services later by defining the services within the template that will be created. If you do not
enable the services in the workflow, the corresponding configuration hierarchy will not be
created in the template.
Hint: Enabling the services in the template workflow allows you to configure the services in the
resulting template.
The Management Servers tab allows you to define parameters such as NTP servers, Syslog Servers, and
other management server connectivity that will be common among all devices that use the resulting
template.
This workflow is used to reset the Base-Template device template throughout the lab! You will have the
opportunity to create your own template workflow next!
Click Cancel to close the workflow dialog, then select Yes from the popup.
Next you will explore the Device workflow. The Device workflow is used to create the individual
devices in the network. Devices created by the Device workflows are added to the Administration >
Inventory > Hardware table in Versa Director.
Select Devices from the Devices workflow section. You will see several device workflows in the table.
These device workflows were used to create the devices in the pre-configured lab environment. In this
part of the lab you will examine the properties of one of the pre-configured device workflows.
Select the Hub105 device workflow in the table. This will open the workflow that was used to create the
Hub-105 device.
The Basic tab of the device workflows is used for the base parameters. The device that is created in the
Hardware Inventory will inherit the name of the device workflow.
In most situations, the Global Device ID chosen by Versa Director is used to avoid overlapping device IDs
within other organizations, as the Global Device ID must be unique on Versa Director. The Serial Number
is the software or hardware serial number of the device. The Subscription properties can be left at the
default values, in which case the subscription values in the template to which the device is linked will be
used. If you wish to assign different subscription values to the individual device, you may do so here.
The Device Groups parameter is used to link the device to a template. If a device group needed to link the
device to a template does not exist, the +Device Group shortcut will open the Device Group creation
dialog, where you can create the desired device group without leaving the Device workflow.
The Location Information tab allows you to enter device location information. The final location
is based on Latitude and Longitude values that are calculated from the address information. The
more detailed the address information, the more accurate the latitude and longitude values will
be. This information is used to display the device on maps in the Monitor and Analytics
dashboards.
Hint: You must enter a Country value. Other values are optional, but the more specific you
are, the better.
The Device Service Template tab allows you to assign service templates to the device directly. In many
instances, the service templates are assigned through the device group. Allowing the administrator to
assign a service template directly to a device allows more flexibility for service assignment.
The Bind Data tab is where you enter device-specific information. When the Bind Data tab is opened, the
template associated with the Device Group (in the Basic tab) is scanned for any variables or values that
the user needs to enter. If the Bind Data tab is empty when you open it, this is usually because the Device
Group configured in the Basic tab is not properly configured, and does not have a corresponding device
template configured. When there is a problem with the device group template assignment, the Bind Data
tab tries to look for template information, but can’t find a related template.
There are 2 ways to enter user-defined information in the Bind Data fields. The first is to enter them
directly in the fields listed in the Device Name field. The scroll bar at the bottom of the Post Staging
Template window allows you to scroll for additional values.
Another common method of entering the bind data is to click on the device name in the table. This will
open a new dialog window that displays all of the required fields.
Click the Hub105 device name in the table to examine the pre-configured bind data for the device.
IMPORTANT: Do NOT change the bind data information for the Hub105 device!
Click Cancel to close the bind data dialog when you are finished examining the data, then click Cancel
again to close the Device Workflow dialog.
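The split between a shared template and per-device bind data described above can be sketched as follows. This is an added example, not Versa Director code: the `{$name}` placeholder syntax, the variable names and the helper functions are assumptions made for illustration, and the addresses are taken from the Interface Addresses table of this lab.

```python
import ipaddress
import re

# Constructed placeholder syntax for this example; not Versa's variable format.
VAR = re.compile(r"\{\$([a-z_]+)\}")

# Constructed template fragment: the interface layout is shared by every
# device, while the addressing is left as variables.
TEMPLATE = """\
vni-0/0 network=MPLS address={$mpls_addr} gateway={$mpls_gw}
vni-0/1 network=INET address={$inet_addr} gateway={$inet_gw}
vni-0/2 network=LAN-Network address={$lan_addr}
"""

# Device-specific values, from the Interface Addresses table of this lab.
BIND_DATA = {
    "Branch110": {"mpls_addr": "192.168.19.110/24", "mpls_gw": "192.168.19.3",
                  "inet_addr": "192.168.20.110/24", "inet_gw": "192.168.20.3",
                  "lan_addr": "172.16.110.1/24"},
    "Branch111": {"mpls_addr": "192.168.19.111/24", "mpls_gw": "192.168.19.3",
                  "inet_addr": "192.168.20.111/24", "inet_gw": "192.168.20.3",
                  "lan_addr": "172.16.111.1/24"},
}

ADDR_KEYS = ("mpls_addr", "inet_addr", "lan_addr")
WAN_PAIRS = (("mpls_addr", "mpls_gw"), ("inet_addr", "inet_gw"))


def template_variables(template):
    """Names of every variable the template expects bind data for."""
    return sorted(set(VAR.findall(template)))


def unbound_variables(template, bind):
    """Variables the template needs that the device's bind data leaves empty."""
    return [v for v in template_variables(template) if not bind.get(v)]


def render(template, bind):
    """Substitute bind data into the template; refuse if anything is unbound."""
    missing = unbound_variables(template, bind)
    if missing:
        raise ValueError("unbound variables: " + ", ".join(missing))
    return VAR.sub(lambda m: bind[m.group(1)], template)


def address_errors(bind):
    """Check address syntax and that each WAN gateway is on the interface subnet."""
    errors = []
    for key in ADDR_KEYS:
        try:
            ipaddress.ip_interface(bind.get(key, ""))
        except ValueError:
            errors.append(f"{key}: not a valid address/prefix")
    if errors:
        return errors
    for addr_key, gw_key in WAN_PAIRS:
        iface = ipaddress.ip_interface(bind[addr_key])
        try:
            gw = ipaddress.ip_address(bind.get(gw_key, ""))
        except ValueError:
            errors.append(f"{gw_key}: not a valid address")
            continue
        if gw not in iface.network or gw == iface.ip:
            errors.append(f"{gw_key}: {gw} is not a usable next hop for {iface}")
    return errors


def duplicate_addresses(all_bind):
    """Interface addresses that two devices both claim (a copy-and-paste slip)."""
    owner, dups = {}, []
    for device in sorted(all_bind):
        for key in ADDR_KEYS:
            ip = ipaddress.ip_interface(all_bind[device][key]).ip
            if ip in owner:
                dups.append((str(ip), owner[ip], device))
            else:
                owner[ip] = device
    return dups


if __name__ == "__main__":
    for name, bind in BIND_DATA.items():
        print(name, unbound_variables(TEMPLATE, bind), address_errors(bind))
    print(duplicate_addresses(BIND_DATA))
```

Checks of this kind are useful before a template commit in a shared environment, where one device's bind data is easily pasted into another's.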
Exercise 5: Practice
In the next lab exercises you will perform the following tasks:
• Create a Template workflow that is named after your user-id and branch-id
(e.g. Template-labuser110-branch110, Template-labuser111-branch111, etc.)
• Create a new device group that links to your newly created template
• Re-assign your existing device to the new device group
• Commit the template in order to re-configure the existing device in the network (using the new
template configuration)
Because this course does not cover deployment of devices, you will not deploy the new device that you
create. However, you will examine the objects created in Versa Director, and you will re-assign your
existing device to the new device group that references the template that you create. You will then
commit the template so that you are familiar with the process of creating a template using Workflows
and applying the template to a device.
5.1 Create a new Device Template
In this exercise you will create a new Device Template using a Template workflow. Use a template
workflow to create the template with the following parameters:
Basic Tab:
Organization: Tenant1
Controllers: Controller01
Bandwidth: 25 Mbps
Example: Template-labuser110-branch110
Example Output
Interfaces Tab
Routing Tab
Do not configure any Routing parameters.
Tunnels Tab
Configure Split Tunnels. In the Split Tunnels, link the VRF Tenant1-LAN-VR with the WAN interface INET.
Make the Split Tunnels a DIA type, which allows traffic sourced from the Tenant1-LAN-VR and destined to
a non-SD-WAN destination to use the INET routing instance to forward traffic (Direct Internet Access).
Services Tab
Enable the SFW services under the Services tab.
5.2
Click the Create button to create the workflow and the corresponding device template.
Click on the template that you created with your workflow to open the template and use the values in
the lab to fill in the information below.
vni-0/1
vni-0/2
Question: Why do you think that there are variable names in the interface IP Address field of the
interfaces instead of actual IP addresses?
__________________________________________________________________________________________
INET
LAN-Network
INET-Transport-VR
Tenant1-Control-VR
Tenant1-LAN-VR
Open the Services tab of the template and use the information in it to fill in the following:
Location: Stateful Firewall > Security > Policies
Values: What 2 policies are automatically created?
__________________________________________________
__________________________________________________
Location: Stateful Firewall > IPsec
Values: What 2 VPN profiles are automatically created?
__________________________________________________
__________________________________________________
__________________________________________________
• Compare the newly created Device Template to the running configuration on your device
Steps:
• Open your device in Appliance Context mode (by using the Monitor tab, the Configuration > Devices
table, or through the Administration > Appliances table.)
• Identify the security features configured on your device and compare them with the security features
configured in the device template you just created.
Navigate to the Administration > Appliances dashboard. Locate your device in the Appliances table. Click
on your device to open the Appliance Context mode of your device.
From Appliance Context mode, navigate to the Configuration > Services dashboard and fill in the
configured service below:
Question: What type of security services are currently configured (and configurable) on the
device? ________________________________________________
Question: Are these services the same services that are available under the template that you
created? _______________________________________________
Steps:
• Create a new device group with the name DG-[branch-name] (e.g. DG-branch110, DG-branch111,
etc.).
• Assign the template that you created to the device group.
• Reassign your device to the new device group (either through the Devices > Device Group dashboard
or through the Device Workflow for your device)
• Commit the changes
• Verify that the services changed on your device from Next Gen Firewall to Stateful Firewall services.
From the main Versa Director dashboard, navigate to Configuration > Devices > Device Groups.
In the Device Groups dashboard, click the + button to create a new device group.
Assign the template you created earlier to the Post Staging Template field, then click OK to create the
device group.
Question: Does your new device group appear in the Device Group table?_________________________
Question: Does your branch device appear in your device group Members list? ______________________
In the next steps, you will use the Device workflow to assign your branch device to the new device group.
Navigate to the Workflows > Devices > Devices dashboard and locate your device in the Device Workflow
list. Click your device to open the workflow.
Locate your new device group in the Device Groups drop-down menu, and assign your new device group
to the device.
Click the Redeploy button to apply the changes to the Device workflow.
You have successfully updated the device information in Versa Director. The next step is to apply the
changes made in Versa Director to your appliance by committing the template.
Click the Commit Template link in the top-right corner of Versa Director.
Verify the Changes on the Device and Revert back to NGFW Services
In the next lab steps you will:
• Verify that the changes have been applied to your device (security services changed from Next Gen
Firewall to Stateful Firewall)
• Change your template services from SFW to NGFW services using the Template Workflow
• Re-deploy your template with the new services definition
• Apply the template changes to your device
• Verify that the security services changed from SFW to Next Gen Firewall services.
In the Versa Director dashboard, navigate to Administration > Appliances and locate your device in the
appliances table.
Click your appliance in the Appliance table to open the Appliance Context mode of your device.
In the Appliance Context mode of your device, navigate to the Configuration > Services dashboard and fill
in the diagram below:
Question: Were the changes you made applied to the device? _________________________
Next you will change the services available on your device back to Next Gen Firewall services by changing
your template using the Template workflow.
Click the Home button next to your device name to exit Appliance Context mode. This returns you to the
main Versa Director user interface.
In the main Versa Director user interface, navigate to Workflows > Template > Templates to display the
saved Device Template workflows.
Locate your Template workflow in the table and click the workflow to open it for modification.
In your Template workflow, navigate to the Services tab.
When an existing template is changed by updating the Template workflow, Versa Director will prompt
you to confirm/validate the changes by doing a Difference (diff and merge) validation. The changes to the
template will be displayed, and the administrator is required to verify and deploy the changes:
Click Deploy to apply the workflow changes to the template, and to re-write the template data.
Verify the Template Changes, and Apply the Update to your Device
Navigate to Configuration > Templates > Device Templates. Ensure that the Tenant1 organization is
selected in the left-side menu.
Locate and open the device template that you just updated through the Device Template workflow.
In the Services tab of the template configuration, verify that the Next Gen Firewall services are present in
the template.
Navigate to the Monitor > Devices dashboard. Ensure that the Tenant1 organization is selected in the
left-side menu.
Locate your device in the Devices table, and open your device. This places you in Appliance Context mode
for your device (in the same way that clicking your device in the Administration > Appliances table places
you in Appliance Context mode).
From Appliance Context mode, navigate to the Configuration > Services dashboard.
Question: What security services do you think will be available on the device (answer is on the next
page): _______________________________________________________________________________
The Stateful Firewall services are still present on the device. Although you modified the template and
verified the changes, the template changes haven’t been committed to the devices that reference the
template.
Click the Home button next to your appliance name to exit Appliance Context mode.
From the main Versa Director user interface, click Commit Template.
From the Commit dialog:
1. Select the Tenant1 organization
2. Select your template from the Select Template drop-down menu
3. Select your device from the device list
4. Ensure that Overwrite is selected
5. Click OK to commit the changes to the device.
Now that you have committed the template changes to your device, you will verify the changes one
more time.
From the Versa Director user interface, navigate to Administration > Appliances and locate your device
in the appliance list. Click your appliance to open the Appliance Context dashboard.
In the Appliance Context dashboard, navigate to Configuration > Services.
Question: Did the available services change from Stateful Firewall to Next Gen Firewall? _____
1. Navigate to the Workflows > Devices > Device hierarchy to display the saved Device workflows.
2. Locate your device workflow in the Device Workflow table and click the workflow to open it.
3. In the Device workflow, set the Device Group to DG-NGFW.
4. Click Redeploy to update your device workflow and save the changes.
STOP! Notify your instructor that you have completed this lab.