Versa Software Types
This article describes how to select the appropriate type of Versa Operating SystemTM (VOSTM) software image and CPU for various cloud services gateway (CSG) and cloud services switch (CSX) hardware platforms. Also, this article addresses the Federal Information Processing Standards (FIPS) security compliance for Versa headend and VOS software, with guidance on how to properly select or modify software to ensure compliance. Versa Networks recommends how to select the CPU type based on environmental and performance requirements, and how to select VOS software for selected hardware models.
CPU Types
CPU type is one of the key components in selecting the appropriate hardware platform. VOS software supports various CSG and CSX hardware platforms that use different CPU types. The following CPU types are used across Versa-certified hardware platforms:
- Intel Atom processors
- Intel Xeon processors
- AMD processors
Versa-certified devices based on Atom CPU types are ideal for network hardware that requires low power consumption and is used in less demanding environments. Intel Xeon-based or AMD-based CPU devices are suitable for high performance network demands which require higher throughput and higher number of advanced SD-WAN and security features.
The major differentiators between Intel Atom, Xeon, and AMD processors are:
- Intel Atom-based CPUs:
- Low power consumption, energy-efficient processing
- Low core counts (up to 16 cores)
- Lower clock speeds, optimized for power efficiency
- Limited memory support (up to 16 GB on Versa-certified hardware platforms)
- Suitable for lightweight tasks requiring fewer VOS features and lower throughput requirements
- Intel Xeon-based CPUs:
- High performance, suitable for enterprise campus-level or data center-level processing
- High core counts
- Higher clock speeds, optimized for high performance
- Large amount of memory support
- Suitable for demanding tasks and multi-threaded parallel processing that require higher throughput and performance
- Higher power consumption, but offers advanced power management features
- AMD CPU:
- High performance, suitable for data center-level processing
- High core counts
- Higher clock speeds, optimized for high performance
- Large amount of memory support
- High performance, suitable for demanding tasks that require high throughput with advanced SD-WAN and advanced security features. Additionally, Versa Networks uses built-in hardware acceleration in platforms with AMD CPUs.
- Higher power consumption
VOS Software for CSG and CSX Hardware Platforms
The VOS software is installed on CSG and CSX hardware platforms that use Intel Atom, Intel Xeon, and AMD processors. For the maximum performance of different CPU instruction sets, Versa Networks provides the following types of VOS software images:
- WSM—Used for Atom-based CPU (Westmere Versa image). This software image includes the term WSM in its image name. For example:
versa-flexvnf-20250208-081252-d0c8db0-22.1.4-B-wsm.bin. - Non-WSM—Used for Xeon-based and AMD-based CPU (Sandybridge Versa image). This software image name does not have the term WSM in its image name. For example:
versa-flexvnf-20250208-081252-d0c8db0-22.1.4-B.bin.
The VOS software runs on an Ubuntu base operating system (OS). The Ubuntu 18.04 Bionic version starts with software release version 21.x. Versa Networks provides regular OS security package (SPack) updates to ensure security compliance in the underlying OS.
Initial releases of the VOS software are based on the Ubuntu 14.04 (Trusty) OS, which reached its end of life (EOL) and was replaced with Ubuntu 18.04 (Bionic). It is recommended that you upgrade the entire SD-WAN environment, including headend components, to the Ubuntu 18.04 Bionic version. You can use the Versa Upgrade Orchestrator tool to streamline and automate the upgrade process for the base OS.
The Bionic software image can be identified with a “B” character in the image name, for example: versa-flexvnf-20250208-081252-d0c8db0-22.1.4-B.bin.
If a Bionic software name does not contain the "B" character, it indicates that the underlay OS is based on Ubuntu 14.04 Trusty. To confirm the Ubuntu software version, issue the vsh details command on the shell.
The following table lists the CSG and CSX device models with their respective CPU types and software image types.
| CSG Model | CPU Type | Software Image Type |
|---|---|---|
| CSG150 | Atom | WSM |
| CSG350 (4GB RAM) | Atom | LITE-WSM |
| CSG350-8G (8GB RAM) | Atom | WSM |
| CSG355 | Atom | WSM |
| CSG365 | Atom | WSM |
| CSG730 (4GB RAM) | Atom | LITE-WSM |
| CSG750 | Atom | WSM |
| CSG770 | Atom | WSM |
| CSG780R | Atom | WSM |
| CSG1300 | Atom | WSM |
| CSG1500 | XEON | NON-WSM |
| CSG2500 | XEON | NON-WSM |
| CSG3300 | Atom | WSM |
| CSG3500 | XEON | NON-WSM |
| CSG5000 | AMD | NON-WSM |
| CSX4300 | Atom | WSM |
| CSX4500 | Atom | WSM |
| CSX8300 | XEON | NON-WSM |
| CSX8500 | XEON | NON-WSM |
VOS Lite Software Images
The VOS Lite software is a version of VOS software that has been optimized for use on small form-factor devices. Specifically, you can use the VOS Lite software on Intel Atom-based two-core and four-core CPU-based CSG350 and CSG730 series appliances that have 4 GB of RAM and that are running Ubuntu 18.04 (Bionic) as their base OS.
To achieve the optimization, the following advanced security features are deactivated in the VOS Lite software:
- Application delivery controller (ADC)
- Data loss prevention (DLP)
- Kernel crash dump (kdump)
- Universal CPE (uCPE)
The VOS Lite software is provided as a WSM image. The VOS Lite .bin software image has the suffix "–lite" in the package name, for example: versa-flexvnf-20250208-081252-d0c8db0-22.1.4-B-lite-wsm.bin.
For more information about the VOS Lite image, see Deploy the VOS Lite Software.
Analytics Lite Software Images
Versa Analytics supports lightweight software with the VAN Lite image type, which has been optimized for use on small form-factor devices with four-cores CPU and 4 GB of RAM. The devices that run lightweight Analytics software do not have full Analytics capabilities. These Analytics nodes can accept incoming connections containing logs from VOS devices and stream those logs to third-party collectors, but cannot perform database operations and are not a part of the general Analytics cluster.
Each lightweight Analytics node configuration consists of the following two parts and needs to be done through the CLI:
- Local collector to receive logs from the controller
- Remote collector to stream logs to third-party devices
For lightweight Analytics nodes, the log retention must be on a third-party server. This is because there is no database running, so log visibility is not provided. It is possible to export alarms to Director.
You can use the lightweight Analytics node for the following use cases:
- If you deploy a third-party centralized monitoring platform and do not deploy full-scale Analytics infrastructure.
- As an add-on to relay all or selected VOS logs to an existing monitoring server or SIEM which is present in the environment for centralized correlation among multiple vendors.
To configure Lightweight Analytics, an administrator must set northbound and southbound IP addresses on eth0 and eth1. Routing for the controller control and overlay networks must be set up through the southbound interface.
The following example shows the configuration on the local collector to receive logs from the controller:
set log-collector-exporter local collectors collector1 address <VAN-Lite-SB-IP> set log-collector-exporter local collectors collector1 port <LEF-PORT> set log-collector-exporter local collectors collector1 max-connections 512 set log-collector-exporter local collectors collector1 connection-eviction true set log-collector-exporter local collectors collector1 transport tcp set log-collector-exporter local collectors collector1 storage directory /var/tmp/log set log-collector-exporter local collectors collector1 storage format syslog set log-collector-exporter local collectors collector1 storage file-generation-interval 10 set log-collector-exporter local collectors collector1 storage max-logs-per-file 100 set log-collector-exporter local collectors collector1 clients address [ <controller-ctrl-ip> ]
The following example shows the configuration on the remote collector to stream logs to third-party devices:
set log-collector-exporter remote templates syslog-template type syslog set log-collector-exporter remote collectors Remote-SIEM description Third-Party-SIEM set log-collector-exporter remote collectors Remote-SIEM destination-address <Remote-SIEM-IP> set log-collector-exporter remote collectors Remote-SIEM destination-port <Remote-SIEM-PORT> set log-collector-exporter remote collectors Remote-SIEM transmit-rate 1000 set log-collector-exporter remote collectors Remote-SIEM pending-queue-limit 2048 set log-collector-exporter remote collectors Remote-SIEM transport tcp set log-collector-exporter remote collectors Remote-SIEM template syslog-template set log-collector-exporter remote collectors Remote-SIEM kafka message-max-retries 3 set log-collector-exporter remote collectors Remote-SIEM kafka health-monitoring eval-interval 60 set log-collector-exporter remote collectors Remote-SIEM kafka health-monitoring clear-interval 300 set log-collector-exporter remote collectors Remote-SIEM kafka health-monitoring error-threshold 10 set log-collector-exporter remote collector-groups Remote-SIEM-Group collectors [ Remote-SIEM ] set log-collector-exporter remote profiles Remote-SIEM-profile collector-group Remote-SIEM-Group set log-collector-exporter exporter rules alarms match local-collector collector1 set log-collector-exporter exporter rules alarms match tenants [ <Tenant-Name> ] set log-collector-exporter exporter rules alarms match log-types [ <Select Required Logs Type> ] set log-collector-exporter exporter rules alarms set remote-collector-profile Remote-SIEM-profile
FIPS Security Compliance
Federal Information Processing Standards (FIPS) is a set of security guidelines developed by the National Institute of Standards and Technology (NIST) to ensure the security and interoperability of federal computer systems. FIPS is applicable to federal agencies and private organizations who work with the government. Compliance with FIPS ensures that data encryption and other security measures meet stringent federal requirements.
Versa Director and Analytics software require dedicated FIPS-compliant images because they handle control and management plane data processing, acting as a centralized SD-WAN orchestration component consolidating all essential data about the SD-WAN environment. Ensuring FIPS compliance at this level involves comprehensive validation and certification of the entire software image.
The FIPS-compliant .bin software image has the suffix "–fips" in the package name. For example, versa-director-20241220-093648-7e70f98-22.1.4-B-fips.bin and versa-analytics-20241220-093648-f32dd1e-22.1.4-B-fips.bin.
To verify that FIPS mode is enabled in Director or Analytics, use the cat /proc/sys/crypto/fips_enabled command from the shell and ensure that the value is set to 1.
For VOS devices, there is no specific FIPS image required. To enable or disable FIPS mode on VOS devices, see FIPS Compliance.
For zero touch provisioning (ZTP) to be FIPS compliant, load the FIPS-specified default configuration file. For more information, see FIPS Compliant ZTP.