Configure SD-LAN Using Workflow Templates
To configure SD-LAN on a Versa Operating System™ (VOS™) device, you use a configuration wizard on the Director node. The configuration wizard guides you through the creation of a workflows template, which defines the SD-LAN options that you want to use. For some options, the template refers to profiles and policies, which you can also configure using the wizard. After you complete the SD-LAN workflows template, you deploy the configuration to the switch, which activates the switch in the network.
You can use the SD-LAN configuration wizard to do the following:
- Create the SD-LAN template—Configure basic information about the switch.
- Configure switch ports—Set up physical and virtual interfaces.
- Configure global switching profiles—Configure global profiles for VXLAN, routing, management servers, and 802.1X authentication.
- Configure SD-LAN profiles—Create profiles for ports, 802.1X authentication, and multihoming.
- Configure SD-LAN policies—Configure access control list (ACL) policies.
This article describes how to perform the initial configuration of SD-LAN using the configuration wizard on a Director node.
Before You Begin
Before you start the SD-LAN configuration wizard, ensure that you have the following information:
- Your global organization ID
- Versa CSX switch device type and model
- Versa licensing solution tier that has been purchased for your switch hardware
- Versa licensing add-on tier that has been purchased for your switch hardware
- License period that has been purchased for your software
Access the Configuration Wizard
To access the wizard to configure SD-LAN:
- Log in to the Director node.
- Click Director View in the top menu bar.
- Select the Workflows tab.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- From here, you can do the following:
- Create the SD-LAN template—Select the Templates tab in the horizontal menu bar.
- Configure SD-LAN profiles—Select the Profiles tab in the horizontal menu bar.
- Configure SD-LAN policies—Select the Policies tab in the horizontal menu bar.
Create SD-LAN Templates
To begin configuring SD-LAN features, you create an SD-LAN template, and then you configure the switch model, licensing information, and other basic information.
To create an SD-LAN template:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- In the Templates tab, click + Add. The Configure Initial screen displays. For Release 22.1.3, this is called the Configure Basic screen.
- Enter information for the following fields.
  - Name: Enter a name for the template.
  - Choose Access Switch Device Model: Select the switch model:
    - CSX4300
    - CSX4500
    - CSX8300
  - Organization: Select the name of the organization to which the template applies.
  - Analytics Cluster: Select the Analytics cluster to which to send logs to Versa Analytics.
  - Controllers: Select the name of the Controller node to manage the switch device, and then click the Add icon. You can add more than one Controller node to the list.
  - Subscription (Group of Fields): Configure information about the software license subscription that has been purchased for the switch hardware.
    - Solution Tier: Select the solution tier that corresponds to the license that the device is using:
      - Elite
      - Essential
      - Professional
      For more information, see Licensing Overview.
    - License Period: Select how long the license is valid:
      - 1 year
      - 2 years
      - 5 years
  - Solution Add-On Tier: Select the add-on licensing tier to add additional services to a licensing tier:
    - On-prem ZTNA
- Click Save to save the template, or click Next to advance to Step 2, Configure Interfaces.
Configure Physical Switch Ports
Physical switch ports can be categorized into Layer 2 and Layer 3 ports. Layer 2 ports forward Ethernet frames within the same LAN, and Layer 3 ports can communicate across IP networks.
You can set up a Layer 2 or Layer 3 port in the workflow template and configure interface-level options for that port. For some options, you can configure a profile using a separate workflow, and then associate the port with that profile. For information on configuring profiles, see Create SD-LAN Profiles.
To configure physical switch ports:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template. The Initial Configuration screen displays. For Release 22.1.3, this is called the Configure Basic screen.
- Click Step 2, Configure Interfaces, or click Next at the bottom of the screen. The Configure Interfaces screen displays.
- Select the Physical tab in the horizontal menu bar to configure the physical ports on the switch. A graphic displays a representation of the physical ports available in the switch's hardware. Each port icon is labeled with the port number.
- For Releases 22.1.4 and later:
- Blue—Layer 2 port
- Orange—Layer 3 port
- Yellow—Switch management port (replaces inband management port)
- For Release 22.1.3:
- Blue—Access port
- Orange—Layer 3 port
- Yellow—Inband management port
- For Releases 22.1.4 and later:
- Click Configure to the right of the Device Name field. The Create Port Configuration popup window displays.
From here, you can configure the following types of ports:
- Layer 2—Configure a port as a switching interface.
- Layer 3—Configure a port as a routing interface.
Configure a Layer 2 Port
Layer 2 ports include access ports, which connect end users to the switch, and trunk ports, which connect the switch to other switches or routers.
- Access port—Sends and receives Ethernet frames in untagged form. An access port can belong to only one VLAN, known as the access VLAN, and it associates untagged packets with that VLAN. An access port discards tagged frames that do not have a VLAN ID that matches the access VLAN ID.
- Trunk port—Accepts tagged packets. The VLAN ID of the packets must match one of the VLAN IDs that you specify in the VLAN ID List field.
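The access and trunk rules above can be expressed as an ingress check on the 802.1Q tag. The following is an added example, not Versa code: a simplified Python model whose names (`Layer2Port`, `ingress_vlan`, `build_frame`) and sample frames are constructed for illustration, and which assumes a trunk port with no native VLAN, so untagged frames arriving on a trunk are discarded.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def parse_vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID in an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)  # follows dst MAC + src MAC
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field are the VLAN ID


@dataclass(frozen=True)
class Layer2Port:
    mode: str                              # "access" or "trunk"
    access_vlan: int = 0                   # used by access ports only
    vlan_id_list: frozenset = frozenset()  # used by trunk ports only

    def ingress_vlan(self, frame: bytes):
        """Return the VLAN the frame is placed in, or None if the port discards it."""
        vid = parse_vlan_id(frame)
        if self.mode == "access":
            if vid is None:
                return self.access_vlan    # untagged: associate with the access VLAN
            return vid if vid == self.access_vlan else None
        if self.mode == "trunk":
            if vid is None:
                return None                # assumption: no native VLAN is modelled
            return vid if vid in self.vlan_id_list else None
        raise ValueError(f"unknown port mode: {self.mode}")


def build_frame(vlan_id=None, payload=b"\x00" * 46):
    """Build a sample Ethernet frame (constructed test data, IPv4 EtherType)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")    # constructed, locally administered MAC
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def demo():
    """Run four constructed frames through an access port and a trunk port."""
    access = Layer2Port("access", access_vlan=10)
    trunk = Layer2Port("trunk", vlan_id_list=frozenset({10, 20}))
    frames = {"untagged": build_frame(), "vlan 10": build_frame(10),
              "vlan 20": build_frame(20), "vlan 30": build_frame(30)}
    return {name: (access.ingress_vlan(f), trunk.ingress_vlan(f))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (a, t) in demo().items():
        print(f"{name:9} access -> {a}   trunk -> {t}")
```

A result of `None` means the port discards the frame; the same function can be used to review a planned VLAN ID List against the tags that upstream devices are expected to send.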
To configure a Layer 2 port on a switch:
- In the Create Port Configuration popup window, click the numbered port icon on the graphic for the port that you want to configure. The following screenshot shows that Port 12 is selected.
- In the Selected Port Number field, verify that the selected port number displays.
- Click Next. The Step 2, Profiles popup window displays.
- Enter information for the following fields.
  - Port Type: For Releases 22.1.4 and later, select Layer 2. This is the default. For Release 22.1.3, select Access.
  - AE (Group of Fields): Click the slider to associate the physical port with a logical aggregated Ethernet interface.
    - AE Number: Enter the number of the aggregated Ethernet interface.
    - Chassis ID: Enter the chassis ID number, which is used in calculating the port ID that is sent in link aggregation control protocol data units (LACPDUs).
      Range: 1 through 7
    - Administrative Key: Enter a numerical administrative key, which is an operational key used in LACPDUs.
      Range: 1 through 65535
    - LACP (Group of Fields): Click the slider to enable the link aggregation control protocol (LACP).
      - LACP Mode: Select the LACP mode:
        - Active—Enable LACP unconditionally.
        - Passive—Enable LACP only when an LACP device is detected.
      - Periodic: Select the periodicity:
        - Fast—1 second
        - Slow—30 seconds
  - VXLAN: Click the slider to enable or disable virtual extensible LAN (VXLAN) on the port. VXLAN is a data plane encapsulation protocol that allows you to run Layer 2 Ethernet VPN (EVPN) over a Layer 3 IP network using standard VXLAN encapsulation over UDP.
  - Multihomed: If you enable VXLAN, click the slider to enable or disable multihoming on the port. Multihoming allows the access port to connect to more than one network, generally to increase reliability or performance.
  - Port Profile: Select the port profile to associate with the port, or select + Create New to create a Port Profile. For information on creating a port profile, see Configure Port Profiles.
  - Multihomed Profile: Select the multihomed profile to associate with the port, or select + Create New to create a Port Profile. For information on creating a multihomed profile, see Configure Multihomed Profiles.
  - Switching Profile: Select the switching profile to associate with the port, or select + Create New to create a Port Profile. For information on creating a switching profile, see Configure a Switching Profile.
- Click Done to return to the Configure Interfaces screen. The configured Layer 2 port displays as a blue port icon in the physical port graphic. The following screenshot shows that Port 12 is configured as a Layer 2 port.
- Click Save.
Configure a Layer 3 Port
A Layer 3 port is a physical port that behaves like a router interface instead of like a switch interface. It has an IP address and supports routing protocols.
To configure a Layer 3 port on the switch:
- In the Create Port Configuration popup window, click the numbered port icon on the graphic for the port you want to configure. The following screenshot shows that Port 20 is selected.
- In the Selected Port Number field, verify that the selected port number appears.
- Click Next. The Step 2, Profiles popup window displays.
- Enter information for the following fields.
  - Port Type: Select Layer 3.
  - Description: Enter a text description for the port.
  - Speed: Select the data transfer speed, in megabits per second (Mbps):
    - 10
    - 100
    - 1000
    - 2500
    - 5000
    - 10000
  - Duplex: Select how to negotiate between the device interface and switch interface:
    - Auto—Have the switch automatically determine the negotiation type.
    - Full—Transmit data in both directions on a signal carrier at the same time.
    - Half—Transmit data in one direction at a time.
  - Port: Select the port for VLAN and address configuration.
  - VLAN ID: Enter the VLAN ID. Click the Tool icon to parameterize the VLAN ID.
  - IPv4 Address Prefix: Enter the IPv4 address or prefix. Click the Tool icon to parameterize the address.
- Click Done to return to the Configure Interfaces screen. The configured Layer 3 port now displays as an orange port icon in the physical port graphic. The following screenshot shows Port 20 configured as a Layer 3 port.
- Click Save.
Configure Virtual Switch Ports
A virtual port on a switch is similar to a physical switch port except that a virtual switch port exists only as a software entity on the switch. Versa SD-LAN supports the following types of virtual ports:
- Aggregated Ethernet—Link aggregation combines multiple Ethernet ports on the switch using LACP. Link aggregation increases total throughput beyond what a single port can sustain and provides redundancy for connectivity in case all but one of the physical links fails. You create aggregated Ethernet interfaces when you configure physical ports using the configuration wizard. For more information, see Configure a Layer 2 Port, above.
- Switch management—You can configure a management interface to manage the switch remotely using protocols such as Telnet or SSH. You can use a switch management interface for both management and network traffic.
- IRB—Associates a Layer 3 interface with a Layer 2 bridge domain so that packets can be routed to and from the bridge domain. On IRB interfaces, you can configure all standard Layer 3 interface settings, such as Dynamic Host Configuration Protocol (DHCP) and Virtual Router Redundancy Protocol (VRRP).
To configure virtual switch ports:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template. The Initial Configuration screen displays. For Release 22.1.3, this is called the Configure Basic screen.
- Click Step 2, Configure Interfaces, or click Next at the bottom of the screen. The Configure Interfaces screen displays.
- Select the Virtual tab in the horizontal menu bar. The Virtual Port Configuration screen displays.
- From here, you can configure the following types of ports:
- Inband management (for Release 22.1.3)
- IRB
- Switch management (for Releases 22.1.4 and later; replaces inband management)
Configure IRB Ports
IRB associates a Layer 3 interface with a Layer 2 bridge domain so that packets can be routed to and from the bridge domain. On IRB virtual ports, you can configure some standard Layer 3 interface settings, such as DHCP.
To configure an IRB port on a switch:
- On the Virtual tab, click Add in the IRB pane. The Virtual Port Configuration—IRB popup window displays.
- Enter information for the following fields.
  - Description: Enter a text description for the IRB virtual port.
  - IRB Interface Number: Enter the IRB interface number.
    Range: 1 through 128
  - Network Name: Enter the logical network name for the interface.
  - VLAN: Enter the VLAN ID for the IRB virtual port. Click the Tool icon to parameterize the VLAN ID.
    Range: 1 through 4094
  - Organization: Select the organization with which the IRB virtual port is associated.
  - IPv4 Address Prefix: Enter the IPv4 address or prefix for the interface. Click the Tool icon to parameterize the address.
  - IPv6 Address Prefix: Enter the IPv6 address or prefix for the interface. Click the Tool icon to parameterize the address.
  - Virtual Router: Select a virtual router to associate with the port.
  - Enable DHCP Server (Group of Fields): Click to have the IRB virtual port act as a DHCP server.
    - DHCP Options Profile: Select the DHCP options profile to associate with the server. To create a new profile, select + Add New. Then, in the Add DHCP Option Profile popup window, enter information for the following fields, and then click OK.
      - Organization
      - Name
      - Domain Name
    - DHCP Relay Forwarding Addresses: Enter the IP address of the DHCP server to which messages are forwarded. A DHCP relay server forwards DHCP messages from clients to the DHCP server. It is positioned between the DHCP server and its clients. Click the Tool icon to parameterize the addresses.
- Click Add.
Configure a Switch Management Interface
- In the Virtual Port Configuration screen, click Add in the Switch Management pane. (For Release 22.1.3, this is called the Inband Management pane.) The Virtual Port Configuration—Switch Management popup window displays.
- Enter information for the following fields.
  - VLAN: Enter the VLAN ID for the port. Click the Tool icon to parameterize the VLAN ID.
    Range: 1 through 4094
  - Port: Select the port number.
  - IPv4 Address: Select an address type:
    - DHCP—Use DHCP to dynamically assign an IPv4 address for the interface.
    - Static—Use a static IPv4 address for the interface.
  - IPv6 Address: Select an address type:
    - DHCP—Use DHCPv6 to dynamically assign an IPv6 address for the interface.
    - Static—Use a static IPv6 address for the interface.
  - Transport Domain: Select the transport domain:
    - Internet
    Click to add the interface.
- Click Add.
Configure Global Configuration Profiles
You can configure global configuration profiles to define the following switch-level parameters on the VOS device:
- 802.1X authentication
- Routing
- Switching
- Virtual extensible LAN (VXLAN)
To configure global configuration profiles for Releases 22.1.4 and later:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template.
- In the Step 1, Initial screen, click Step 3, Switch, or click Next at the bottom of the screen. The Configure Switch screen displays.
- From here, you can configure the following switch-level parameters:
- 802.1X authentication profile
- Global switching profile
- Routing global configuration
- VXLAN global configuration
To configure global configuration profiles for Release 22.1.3:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template.
- In the Step 1, Basic screen, click Step 2, Interfaces, or click Next at the bottom of the screen. The Step 2, Interface screen displays.
- Select the Global tab in the horizontal menu bar. The Global Configuration screen displays.
- From here, you can configure the following global switch parameters:
- 802.1X profile selection
- Global management servers
- Global switching profile
- Routing profile
- VXLAN profile
Configure a Global VXLAN Profile
VXLAN is a data plane encapsulation protocol that allows you to run Layer 2 Ethernet VPN (EVPN) over a Layer 3 IP network using standard VXLAN encapsulation over UDP. In multitenant and cloud environments, VXLAN allows a network to handle much larger traffic loads than traditional VLANs while providing the same traffic isolation and segmentation as traditional VLANs.
Before you can configure the global VXLAN profile, you must first configure at least one physical port on the switch as a Layer 3 interface. For more information, see Configure a Layer 3 Port, above.
To configure a global VXLAN profile:
- In the Global Configuration screen, click Configure in the VXLAN Global Configuration pane. The VXLAN Global Configuration popup window displays.
- Enter information for the following fields:
  - Description: Enter a text description for the global VXLAN profile.
  - Local AS: Enter the local autonomous system (AS) number.
    Range: 0 through 4294967295
  - VTEP IP Address: Enter the IP address for the VXLAN tunnel endpoint (VTEP).
  - VXLAN Bridge Domain List: Enter a list of VLANs to use in the VXLAN Ethernet VPN (EVPN) tunnel.
  - VNID: Enter the VXLAN network identifier.
  - Bridge Domain VLAN: Select the bridge domain VLAN to map to the VNID.
  - IP Address: Enter the IP addresses for the VXLAN EVPN neighbors to which the VOS device establishes a BGP session so that it can establish the EVPN tunnel.
  - IBGP: Click to enable IBGP.
  - Peer AS: If you do not select IBGP, enter the peer AS number.
- Click Add.
Configure Global Routing
You create a global routing profile to configure parameters for static routing and the Open Shortest Path First (OSPF) routing protocol.
Before you can configure the global routing profile, you must first configure at least one physical port on the switch as a Layer 3 interface. For more information, see Configure a Layer 3 Port, above.
To configure a global routing profile:
- In the Global Configuration screen, click Configure in the Routing Global Configuration pane. The Routing Global Configuration popup window displays.
- Enter information for the following fields:
  - Static (Group of Fields): Click Static to configure static IP routes.
    - Prefix: Enter the IP address prefix for the static route.
    - Next-Hop Address: Enter the next-hop IP address for the static route.
  - OSPF (Group of Fields): Click to configure OSPF.
    - Description: Enter a text description for the OSPF configuration.
    - Area Number: Enter the OSPF area ID. A backbone area has an area ID of 0.0.0.0. Areas with non-zero IDs are non-backbone areas.
    - BFD: Click to enable BFD for OSPF. When BFD is enabled, if OSPF goes down, the router is marked as being down.
- Click Add.
Modify the Global Switching Profile
The configuration wizard includes a global switching profile with predefined options for spanning-tree protocols that you can modify. You can also configure a profile for interface-level switching options and associate it with a port when you configure the port as a Layer 2 interface. For more information, see Configure a Switching Profile.
To modify the global switching profile:
- In the Global Configuration screen, click Edit in the Global Switching Profile pane. The Global Switching Profile popup window displays.
- Enter information for the following fields:
  - Global Spanning-Tree Profile: Select a protocol for the profile:
    - MSTP—Multiple Spanning-Tree Protocol
    - RSTP—Rapid Spanning-Tree Protocol
  - Spanning-Tree Bridge Priority: Enter the spanning-tree bridge priority value to use to determine which device in the spanning tree is the root bridge. A lower bridge priority value configures a higher priority.
- Click Add.
Select the 802.1X Global Profile
You can associate the template with a profile to use for processing 802.1X authentication requests. If you are using an external RADIUS server for 802.1X authentication, the profile includes the information that the authenticator uses to communicate with the server.
You can pre-configure the 802.1X profile using a separate workflow. For more information, see Configure 802.1X Authentication Profiles.
To select the 802.1X Global Profile:
- In the Global Configuration screen, click Configure in the 802.1X Profile Selection pane. The 802.1X Profile Selection popup window displays.
- Enter information for the following fields:
  - 802.1X Profile: Select a profile, or select + Create New to create a new profile. See Configure 802.1X Authentication Profiles.
  - Source Network: Select the source network:
    - Underlay
    - Management Interface
- Click Add.
Configure Global Management Servers
You can configure the following network management servers at the global level:
- Domain Name System (DNS) servers—A DNS server maintains a directory of domain names and translates them to IP addresses.
- Lightweight Directory Access Protocol (LDAP) servers—Performs a variety of operations, including storing and retrieving data such as user names, passwords, and email addresses; searching for data that match a set of criteria; and authenticating clients.
- Network Time Protocol (NTP) servers—NTP synchronizes clock times on the computers in a network.
- RADIUS servers—RADIUS is a distributed client-server system that secures networks against unauthorized access. It is recommended that you configure either a RADIUS server or a TACACS+ server, but not both.
- Simple Network Management Protocol (SNMP) servers—SNMP is an open standard networking protocol that is used for managing, monitoring, and organizing data about networking devices on both LANs and WANs.
- Syslog servers—Syslog servers consolidate logs from multiple sources into a single location.
- TACACS+ servers—TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. It is recommended that you configure either a RADIUS server or a TACACS+ server, but not both.
To configure global management servers for Releases 22.1.4 and later:
- If you are continuing from the previous section, skip to Step 3.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template. The Step 1, Initial Configuration screen displays. In Release 22.1.3, this is the Step 1, Basic screen.
- Click Step 4, Management Servers. The Configure Management Servers screen displays.
- Enter information for the following fields.
  - NTP Servers (Tab): Select to configure one or more NTP servers.
    - Reachability Via: Select the network to use to reach the NTP server:
      - Controllers—Go through the Controller node to reach the NTP server.
      - Management interface—Use the management interface to reach the NTP server.
    - IP Address/FQDN: Enter the IP address or fully qualified domain name (FQDN) of the NTP server. Click the Tool icon to parameterize the address.
    - Add icon: Click to add the NTP server.
  - Syslog Servers (Tab): Select to configure a syslog server.
    - Reachability Via: Select the network to use to reach the syslog server:
      - Controllers—Go through the Controller node to reach the syslog server.
      - Management interface—Use the management interface to reach the syslog server.
    - IP Address: Enter the IP address of the syslog server. Click the Tool icon to parameterize the address.
    - Add icon: Click to add the syslog server.
  - TACACS+ Servers (Tab): Select to configure a TACACS+ server.
    - Reachability Via: Select the network to use to reach the TACACS+ server:
      - Controllers—Go through the Controller node to reach the TACACS+ server.
      - Management interface—Use the management interface to reach the TACACS+ server.
    - IP Address: Enter the IP address of the TACACS+ server. Click the Tool icon to parameterize the address.
    - Authentication Key: Enter the authentication key for the TACACS+ server. Click the Tool icon to parameterize the key.
    - Actions: Select one or more server actions:
      - Accounting
      - Authentication
    - Add icon: Click to add the TACACS+ server.
  - RADIUS Servers (Tab): Select to configure a RADIUS server.
    - Reachability Via: Select the network to use to reach the RADIUS server:
      - Controllers—Go through the Controller node to reach the RADIUS server.
      - Management interface—Use the management interface to reach the RADIUS server.
    - IP Address: Enter the IP address of the RADIUS server. Click the Tool icon to parameterize the address.
    - Authentication Key: Enter the authentication key for the RADIUS server. Click the Tool icon to parameterize the key.
    - Actions: Select one or more server actions:
      - Accounting
      - Authentication
      - WiFi Authentication
    - Add icon: Click to add the RADIUS server.
  - SNMP Servers (Tab): Select to configure an SNMP server.
    - Version: Select one or more SNMP versions:
      - v1
      - v2c
      - v3
    - Community: Enter a community name. A community is a group of devices that SNMP monitors.
    - Username: For SNMPv3 only, enter the username to use to access the SNMP server.
    - Password: For SNMPv3 only, enter the password to use to access the SNMP server.
    - Reachability Via: Select the network to use to reach the SNMP server:
      - Controllers—Go through the Controller node to reach the SNMP server.
      - Management interface—Use the management interface to reach the SNMP server.
    - IP Address: Enter the IP address of the SNMP server. Click the Tool icon to parameterize the address.
    - Add icon: Click to add the SNMP server.
  - LDAP Servers (Tab): Select to configure an LDAP server.
    - Reachability Via: Select the network to use to reach the LDAP server:
      - Controllers—Go through the Controller node to reach the LDAP server.
      - Management interface—Use the management interface to reach the LDAP server.
    - IP Address: Enter the IP address of the LDAP server. Click the Tool icon to parameterize the address.
    - Domain Name: Enter the domain name (DN) in which the LDAP server resides. Click the Tool icon to parameterize the DN.
    - Base DN: Enter the base DN of the LDAP directory location. Click the Tool icon to parameterize the base DN.
    - Bind DN: Enter the bind distinguished name (DN) authentication credentials for binding to the LDAP tree. Click the Tool icon to parameterize the bind DN.
    - Bind Password: Enter the bind password. Click the Tool icon to parameterize the bind password.
    - Add icon: Click to add the LDAP server.
  - DNS Servers (Tab): Select to configure a DNS server.
    - Reachability Via: Select the network to use to reach the DNS server:
      - Controllers—Go through the Controller node to reach the DNS server.
      - Management interface—Use the management interface to reach the DNS server.
    - IP Address/FQDN: Enter the IP address or fully qualified domain name (FQDN) of the DNS server. Click the Tool icon to parameterize the address.
    - Add icon: Click to add the DNS server.
- Click Save or Next to proceed to the next step in the workflow.
To configure global management servers for Release 22.1.3:
- If you are continuing from the previous section, skip to Step 4.
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Templates tab. The screen displays the templates that are already configured.
- Select a template. The Configure Basic screen displays.
- Click Step 2, Interfaces, or click Next at the bottom of the screen. The Configure Interface screen displays.
- Select the Global tab in the horizontal menu bar. The Global Configuration screen displays.
- Click Configure in the Global Management Servers box. The Global Management Server popup window displays.
- Enter information for the fields. For field descriptions, see Step 4 of the procedure for Release 22.1.4, above.
- Click Add to add the global management servers.
- Click Save or Next to proceed to the next step in the workflow.
Create SD-LAN Profiles
The SD-LAN profiles workflow allows you to configure some SD-LAN components as a profile that you can reuse for different interfaces or devices. You can associate a pre-configured profile with a specific port, or as part of the global switch configuration.
You can configure profiles for the following SD-LAN components:
- 802.1X authentication
- Multihoming
- Ports
- Switching
Configure 802.1X Authentication Profiles
When you configure global switch parameters in the workflow template, you can associate the template with an 802.1X authentication profile. For more information, see Select the 802.1X Global Profile.
To configure the 802.1X profile for Releases 22.1.4 and later:
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Profiles tab. The Profiles screen displays, showing the profile types in the left menu bar.
- Click 802.1X Profile in the left menu bar. The screen displays the 802.1X profiles that are already configured.
- Click the + 802.1X Profile icon. The Configure 802.1X Profile screen displays.
- Enter information for the following fields:
  - 802.1X Profile Name: Enter a name for the 802.1X profile.
  - Description: Enter a text description for the 802.1X profile.
  - Organization: Select the name of the organization to which the profile applies.
  - Guest VLAN ID: Enter the ID of the guest VLAN.
  - Default Authentication VLAN ID: Enter the ID of the default VLAN to use for authentication.
  - Mode: Select the 802.1X supplicant mode used to authenticate end devices.
    - Multiple—Allow multiple end devices to connect to the port. Each end device is authenticated individually.
    - Single—Authenticate only the first end device. All other end devices that connect to the port later are allowed access without any further authentication. The subsequent devices effectively piggyback on the first end device’s authentication.
    - Single Secure—Allow only one end device to connect to the port at a time. No other end device can connect until the first device logs out.
  - 802.1X RADIUS Server (Group of Fields)
    - Name: Enter a name for the RADIUS server.
    - Description: Enter a text description for the RADIUS server.
    - IP Address of Hostname: Enter the IP address of the RADIUS server.
    - Server Port: Enter the number of the listening port on the RADIUS server. For UDP, port 1812 is commonly used.
    - Authentication Key: Enter the authentication key for the RADIUS server.
    - Add icon: Click to add the RADIUS server.
- Click Save.
To configure the 802.1X profile for Release 22.1.3:
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Profiles tab. The Profiles screen displays, showing the profile types in the left menu bar.
- Click 802.1X Profile in the left menu bar. The screen displays the 802.1X profiles that are already configured.
- Click the + 802.1X Profile icon. The Configure 802.1X Profile screen displays.
- Select the 802.1X profile type:
- Local—Perform 802.1X authentication on the local VOS device. VOS devices support certificate authentication based on EAP-TLS.
- Remote—Perform 802.1X authentication using a RADIUS server.
- For a local 802.1X profile, enter information for the following fields.
Field: Description
802.1X Profile Name: Enter a name for the 802.1X profile.
Description: Enter a text description for the 802.1X profile.
Organization: Select the name of the organization to which the profile applies.
MAC Address Bypass (Group of Fields)
- MAC Address: Enter the MAC address of the device that is allowed to bypass the 802.1X authentication process.
- Description: Enter a text description for the MAC address.
- Add icon: Click to add the MAC address.
- For a remote 802.1X profile, enter information for the following fields.
Field: Description
802.1X Profile Name: Enter a name for the 802.1X profile.
Description: Enter a text description for the 802.1X profile.
Guest VLAN ID: Enter the ID of the guest VLAN.
Default Authentication VLAN ID: Enter the ID of the default VLAN to use for authentication.
Mode: Select the 802.1X supplicant mode used to authenticate end devices.
- Multiple—Allow multiple end devices to connect to the port. Each end device is authenticated individually.
- Single—Authenticate only the first end device. All other end devices that connect to the port later are allowed access without any further authentication. The subsequent devices effectively piggyback on the first end device’s authentication.
- Single Secure—Allow only one end device to connect to the port at a time. No other end device can connect until the first device logs out.
802.1X RADIUS Server (Group of Fields)
- Name: Enter a name for the RADIUS server.
- Description: Enter a text description for the RADIUS server.
- IP Address of Hostname: Enter the IP address of the RADIUS server.
- Server Port: Enter the number of the listening port on the RADIUS server. For UDP, port 1812 is commonly used.
- Routing Instance: Select the routing instance to use to communicate with the RADIUS server.
- Authentication Key: Enter the authentication key for the RADIUS server.
- Add icon: Click to add the RADIUS server.
- Click Save to add the 802.1X profile.
Configure Multihomed Profiles
When you configure a physical port as a Layer 2 port, you can associate the port with a multihomed profile. For information on configuring a Layer 2 port, see Configure a Layer 2 Port.
To configure a multihomed profile:
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Profiles tab. The Profiles screen displays, showing the profile types in the left menu bar.
- Click Multihomed Profile in the left menu bar. The screen displays the multihomed profiles that are already configured.
- Click the + Multihomed Profile icon. The Configure Multihomed Profile screen displays.
- Enter information for the following fields:
Field: Description
Multihomed Profile Name: Enter a name for the multihomed profile.
Description: Enter a text description for the multihomed profile.
Ethernet Segment ID: Enter the Ethernet segment identifier.
Switch ID/System MAC Address: Enter the switch identifier or system MAC address.
Mode: Select the active mode:
- All–active—Use active–active mode. This is the default mode.
- Single–active—Use active–standby mode.
Default: All-active
Organization: Select the name of the organization to which the profile applies.
- Click Save.
Configure Port Profiles
When you configure a physical port as a Layer 2 port, you associate the port with a port profile. For information on configuring a Layer 2 port, see Configure a Layer 2 Port.
To configure the port profile:
- In Director view:
- Select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Profiles tab. The Profiles screen displays, showing the profile types in the left menu bar.
- Click Port Profile in the left menu bar. The screen displays the port profiles that are already configured.
- Click + Port Profile. The Configure Port Profile screen displays.
- Enter information for the following fields.
Field: Description
Profile Name: Enter a name for the port profile.
Description: Enter a text description for the port profile.
Speed: Select the data transfer speed, in megabits per second (Mbps):
- 10
- 100
- 1000
- 2500
- 5000
- 10000
- Auto—Have the switch automatically determine the data transfer speed. This is the default.
Default: Auto
Duplex: Select how to negotiate between the device interface and switch interface:
- Auto—Have the switch automatically determine the negotiation type. This is the default.
- Full—Transmit data in both directions on a signal carrier at the same time.
- Half—Transmit data in one direction at a time.
Default: Auto
Interface Mode: Select the mode for the interface:
- Access—Have the interface accept untagged packets. The packets are assigned to the VLAN that you specify in the VLAN field.
- Trunk—Have the interface accept tagged packets. The VLAN ID of the packets must match one of the VLAN IDs that you specify in the VLAN ID List field.
Organization: Select the name of the organization to which the profile applies.
PoE: Select whether to use Power over Ethernet (PoE) on the port to provide power to a connected device:
- Off—Disable PoE on the port.
- On—Enable PoE on the port.
LLDP: Select whether to use Link Layer Discovery Protocol (LLDP) on the port:
- Off—Disable LLDP on the port.
- On—Enable LLDP on the port.
802.1X Profile: Click the slider to associate the port with an 802.1X profile.
Virtual Switch: Select a virtual switch to associate with the port.
ACL In: Select an incoming ACL policy to associate with the port. For information on configuring an ACL policy, see Configure SD-LAN ACL Policies.
VLAN: For an access mode interface, enter the identifier of the VLAN to which the interface belongs. Click the Tool icon to parameterize the VLAN ID.
VLAN ID List: For a trunk mode interface, identify the VLANs for which the interface can receive tagged packets. You can enter a range of VLANs (for example, 10-20), a list of VLAN IDs separated by spaces (for example, 1 25 27), or a combination of the two (for example, 1 15-20 25 27). Click the Tool icon to parameterize the VLAN IDs.
Native VLAN ID: For a trunk mode interface, identify the VLAN to associate with untagged packets received on the interface. Native VLAN IDs are used in conjunction with trunk Layer 2 ports to allow an untagged packet to be treated as a tagged packet. Click the Tool icon to parameterize the VLAN ID.
- Click Save.
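The VLAN ID List field accepts ranges, space-separated IDs, or a mix, so a mistyped or overly broad value can put a trunk port on VLANs it was never meant to carry. The following added example (not part of the original article or of Versa's software) expands a VLAN ID List value and reports VLANs that are not on an approved list; the function names, the approved set, and the 1-4094 ID range are assumptions.

```python
# Added example, not Versa code. Assumption: valid VLAN IDs are 1-4094
# (IEEE 802.1Q); the page itself does not state a range.
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_TOKEN = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_vlan_id_list(text):
    """Expand a value such as '1 15-20 25 27' into a sorted list of VLAN IDs."""
    tokens = text.split()
    if not tokens:
        raise ValueError("VLAN ID list is empty")
    vlans = set()
    for token in tokens:
        m = _TOKEN.fullmatch(token)
        if m is None:
            raise ValueError(f"not a VLAN ID or range: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {token!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def unexpected_vlans(vlan_id_list, approved):
    """Return VLANs the trunk would accept that are not in the approved set."""
    return [v for v in parse_vlan_id_list(vlan_id_list) if v not in approved]


# Constructed sample: the three forms from the field description above.
if __name__ == "__main__":
    for value in ("10-20", "1 25 27", "1 15-20 25 27"):
        print(value, "->", parse_vlan_id_list(value))
    print(unexpected_vlans("1 15-20 25 27", approved={15, 16, 17, 18, 19, 20, 25}))
```

Running the check on each trunk profile before deployment catches values such as a comma-separated list or a reversed range, which raise ValueError here.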
Configure a Switching Profile
When you configure a physical port as a Layer 2 port, you associate the port with a switching profile. For information on configuring a Layer 2 port, see Configure a Layer 2 Port.
To configure the switching profile:
- In the Profiles tab, select Port Profile in the left menu bar. The screen displays the port profiles that are already configured.
- Click + Port Profile. The Configure Switching Profile screen displays.
- Enter information for the following fields:
Field: Description
Switching Profile Name: Enter a name for the profile.
Organization: Select the name of the organization to which the template applies.
BPDU Guard: Click to enable BPDU guard. BPDU guard disables an STP port if it receives a BPDU.
Spanning-Tree Edge: Click to configure ports that are connected to end nodes to be edge ports. Ports configured as spanning-tree edge ports directly transition to the forwarding state. Edge ports do not generate topology changes when the link state changes.
- Click Save.
Configure SD-LAN ACL Policies
An ACL policy consists of rules which define the conditions for matching packets and the actions to take when a match occurs. An ACL policy can have one or more rules, and the rules are evaluated in the order in which they are listed in the ACL policy until a match occurs. When a rule matches, the action associated with that rule is applied to the traffic, and no further rules in the ACL policy are evaluated.
When you configure a port profile, you can associate the profile with an ACL policy. For more information on configuring a port profile, see Configure Port Profiles.
To configure SD-LAN ACL policies:
- In Director view, select the Workflows tab in the top menu bar.
- Select Template > Templates in the horizontal menu bar. The Template screen displays.
- Select the SD-LAN tab, and then select the Policies tab.
- On the Policies tab, click + Add. The Configure ACL Policy screen displays.
- In the General group of fields, enter information for the following fields.
Field: Description
Policy Name: Enter a name for the ACL policy. The name can be up to 127 characters.
Description: Enter a text description for the ACL policy. The description can be up to 127 characters.
Organization: Enter the organization to which the ACL policy belongs.
- In the ACL Rules menu, click + Add. The ACL Rule popup window displays.
- Enter information for the following fields.
Field: Description
Name: Enter a name for the ACL policy rule. The name can be up to 63 characters.
Description: Enter a text description for the ACL policy rule. The description can be up to 127 characters.
Action: Click to select the action to take when a packet matches the rule:
- Allow—Allow the packet.
- Block—Deny the packet.
- Service—Use a service, such as antivirus filtering, firewalls, or traffic engineering, to process the packet.
Insert at Top: Click to place the rule at the beginning of all the policy's rules.
Source MAC Address: Enter the source MAC address to match.
Destination MAC Address: Enter the destination MAC address to match.
Ether Type: Click to select the Ether Type to match:
- ARP
- IPv4
- IPv6
Ether Type Value: Enter a numeric value for the Ether Type to match.
Source IPv4 Address/Prefix: Enter the source IPv4 address or prefix to match.
Destination IPv4 Address/Prefix: Enter the destination IPv4 address or prefix to match.
Source IPv6 Address/Prefix: Enter the source IPv6 address or prefix to match.
Destination IPv6 Address/Prefix: Enter the destination IPv6 address or prefix to match.
Source Port: Enter the source port number to match.
Destination Port: Enter the destination port number to match.
IP Version: Select the IP version to match:
- IPv4
- IPv6
DSCP: Enter the Differentiated Services Code Point value to match.
Protocol: Enter the protocol number to match.
ICMP: Select the type of ICMP message to match:
- Address Mask Reply
- Address Mask Request
- Destination Unreachable
- Echo Reply
- Echo Request
- Information Reply
- Information Request
- Parameter Problem
- Redirect
- Router Advertisement
- Router Selection
- Source Quench
- Time Exceeded
- Timestamp Reply
- Timestamp Request
- Traceroute
ICMPv6: Select the type of ICMPv6 message to match:
- Destination Unreachable
- Echo Reply
- Echo Request
- Information Reply
- Information Response
- Multicast Listener Done
- Multicast Listener Query
- Multicast Listener Report
- Neighbor Advertisement
- Neighbor Solicitation
- Packet Too Big
- Parameter Problem
- Redirect
- Router Advertisement
- Router Renumbering
- Router Solicitation
- Time Exceeded
Tunnel Type: Click to select the tunnel type to match:
- None
- VXLAN
Forwarding Type: Click to select the forwarding type to match:
- Any
- Layer 2 Switched
- Layer 3 Routed
Source SGT ID: Enter the source scalable group tag (SGT) identifier. You can use the source SGT to match the microsegment for a traffic flow.
- Click Add to add the rule to the ACL policy.
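Because evaluation stops at the first matching rule, a broad rule listed early can keep a narrower rule below it from ever taking effect. The following added example (not part of the original article or of Versa's software) evaluates rules in order and reports rules that an earlier rule fully covers; the Rule field names, rule names, and addresses are constructed, it handles IPv4 only, and it returns None when no rule matches because the page does not say what the switch does in that case.

```python
# Added example, not Versa code: first-match evaluation and a shadowed-rule check.
# Rule models a subset of the match fields above; field names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "Allow" or "Block"
    src_prefix: Optional[str] = None   # None means "match any"
    dst_prefix: Optional[str] = None
    protocol: Optional[int] = None     # IP protocol number, for example 6 for TCP
    dst_port: Optional[int] = None

def matches(rule, pkt):
    """True if every condition set on the rule matches the packet (a dict)."""
    if rule.src_prefix and ip_address(pkt["src"]) not in ip_network(rule.src_prefix):
        return False
    if rule.dst_prefix and ip_address(pkt["dst"]) not in ip_network(rule.dst_prefix):
        return False
    if rule.protocol is not None and rule.protocol != pkt["protocol"]:
        return False
    return rule.dst_port is None or rule.dst_port == pkt["dst_port"]

def evaluate(rules, pkt):
    """Return (name, action) of the first matching rule, or None if no rule matches."""
    return next(((r.name, r.action) for r in rules if matches(r, pkt)), None)

def covers(a, b):
    """True if every packet that rule b matches is also matched by rule a."""
    for field in ("src_prefix", "dst_prefix"):
        wide, narrow = getattr(a, field), getattr(b, field)
        if wide and (not narrow or not ip_network(narrow).subnet_of(ip_network(wide))):
            return False
    return all(getattr(a, f) in (None, getattr(b, f)) for f in ("protocol", "dst_port"))

def shadowed_rules(rules):
    """Return (shadowed, shadowing) name pairs for rules that can never match."""
    return [(b.name, a.name) for j, b in enumerate(rules) for a in rules[:j] if covers(a, b)]

# Constructed sample policy: the broad Allow is listed ahead of the specific Block.
POLICY = [
    Rule("allow-lan", "Allow", src_prefix="10.0.0.0/8"),
    Rule("block-telnet", "Block", src_prefix="10.1.0.0/16", protocol=6, dst_port=23),
]
```

Placing block-telnet ahead of allow-lan, which is where Insert at Top puts a new rule, makes the Block take effect and clears the report. The check compares rule pairs only, so a rule hidden by several earlier rules together is not reported.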
Software Release Information
Releases 22.1.3 and later support all content described in this article, except:
- In Release 22.1.4, minor changes have been made to the workflow GUI.
Additional Information
Configure Microsegmentation
Configure NPU Policy-Based Forwarding
Licensing Overview