Versa Networks

Versa Concerto for SD-WAN

For supported software information, click here.

The Versa Concerto™ orchestrator provides a user interface to configure and monitor Versa OS™ (VOS™) devices in Secure SD-WAN and secure access service edge (SASE) deployments. Concerto has a microservices architecture that scales to manage tens of thousands of VOS devices. Concerto uses the services of Versa Director, Versa Controller, and Versa Analytics (collectively called the DCA complex) to manage VOS devices. It is an orchestration layer that sits above Versa DCA components. In the image below, VOS devices are the appliances, hubs, and hub controllers in your deployment.

Concerto-overview-v11.png

To implement an SD-WAN deployment, you organize your topology into devices, sites, and regions. Concerto allows you to view and manage your topology in a honeycomb, map, or list format. To configure devices, Concerto has workflows you can use to create device configuration templates. 

Device configuration templates contain the information required to configure a device, but the information must be converted into a VOS device configuration before a device can use it. To convert the information, you publish it to Director, which creates VOS configurations for the devices and stores them in its local database. You then commit the VOS device configurations to devices, which can be done from either Concerto or Director.

This document provides an overview of SD-WAN topology and VOS device configuration and deployment.

SD-WAN Topology

To implement your SD-WAN deployment, you define a topology in Concerto. A topology consists of the following components:

You configure and view your topology from the Deploy lifecycle in Tenant view.

The following screen displays the Regions tab for the Deploy lifecycle. You can add, view, and perform actions on regions from this screen.

regions_screen.png

The following screen displays the Sites tab for the Deploy lifecycle. The left side displays a hexagon for each site in the topology. The right side displays a summary of all sites. You can add, view, and perform actions on sites from this screen.
 
Sites_honeycomb.png

To view details for a site, double-click the site hexagon. The following screen displays the site details screen for the Boston site. The left side displays a hexagon for each of the Boston site's devices. The right side displays a summary for the Boston site. You can add, view, and perform actions on VOS devices from this screen.

Boston_site_details.png

Main Templates

Typically, multiple devices use identical configuration information except for values such as the device's interface IP addresses. Main templates allow you to configure these configuration parameters once and push the configuration to multiple devices. To accommodate values that are unique to a device, you can create variables in the device configuration and then assign them values in the Deploy lifecycle. For more information, see Object Variables, below.

You configure main templates through a workflow in the Configure lifecycle in Tenant view, as shown in the image below. You associate the main template with one or more devices and then deploy the template. For more information about main templates, see Configure Main Templates.

Main_temp_workflow.png

Deploy a Device Configuration

You deploy a device configuration to an appliance, hub, or hub-controller using the following actions:

  • Set template—Associate a main template with the device.
  • Assign values to variables—Assign values to variables contained in the main template that are specific for the device.
  • Publish—Pass the main template specifications for the device to Director, which converts the information into a VOS device configuration and stores it in the Director database.
  • Commit—Copy the VOS device configuration from Director to the device.

You can perform these actions from the Deploy lifecycle in Tenant view.

The following screen displays details for the Boston site. The hover menu for the BstApp device includes the following options:

  • Set Template—Associate a main template with the device.
  • View Variables—Assign values to template variables.
  • Publish—Publish the main template and optionally commit the Director VOS configuration to the device.
  • Sync from Director to Appliance—Commit the configuration stored in the Director database to the device.

Appliance_hexagon_menu2.png

 

SD-WAN Configuration Hierarchy

Device configurations are a hierarchical set of configuration objects. Main templates are the highest level object of the hierarchy and reference the lower level objects. Taken together, a main template and its referenced objects define the configuration for a VOS device.

The following are the SD-WAN configuration objects:

  • Main templates—Define the deployment tier, device type, variable values, and the policies to be applied to the device. Main templates can reference policies.
  • Policies—Define the primary configuration information for features such as traffic monitoring and user authentication. Policies can reference profiles. For example, an access control policy can reference a malware protection profile to determine which traffic the policy allows or denies.
  • Profiles—Provide information for policies.
  • Reusable objects—Policies and profiles can reference a type of object known as a reusable object. For example, an application group is a type of reusable object you can reference from an access control policy, a traffic steering policy, and other configuration objects. Reusable objects do not use versioning, so the propagation and auto delete features do not apply to them.

Versioning

Most SD-WAN configuration objects in Concerto use versioning. When you create a versioned object, it is assigned version 1. When you modify the object, a version number is applied using the following criteria:

  • When you edit an object that is not referenced, its version number remains unchanged.
  • When you edit an object that is referenced:
    • The object is saved as the latest version number plus one. 
    • The original version is retained under its existing version number.

Note: The following object types do not use versioning, propagation, or auto delete:

  • Reusable objects
  • User authentication profiles
  • File filtering profiles
  • URL filtering profiles
  • IP filtering profiles
  • DNS filtering profiles
  • Malware protection profiles
  • IPS profiles

Propagation

When you edit an object, you may update a version of the object that is referenced by devices or higher-level objects. If you update a referenced object, you must indicate whether referencing objects or devices should continue to reference the original version or should reference the updated version. If you choose to have the objects or devices reference the updated version, Concerto must adjust its internal data to point to the new version. This is referred to as propagation. 

You can also manually propagate a version of an object from its object table. For example, you can propagate a CGNAT policy from the table at Configure > Secure SD-WAN > Network Services > CGNAT Policies. 

Auto Delete

With the object versioning feature of Concerto, many versions of an object may be created. These versions can accumulate, and some versions may no longer be referenced by other objects. You can automatically delete SD-WAN object versions that are no longer referenced and are not the latest version. By default, auto delete is enabled for all configuration objects. When enabled, Concerto deletes any unreferenced version of the object whose age is more than the configured age limit, except for the latest version.

To enable or disable auto delete and set the age limit:

  1. In tenant view, select Settings > SD-WAN Profile.

    Settings_for_autodelete.png
  2. To disable auto delete for all objects, slide the toggle to the left. All fields are dimmed and become inactive.
  3. To enable auto delete for all objects and set the age limit:
    1. Slide the toggle to the right.
    2. In the first Age Limit field, enter a value for the age limit.
    3. In the second Age Limit field, select a time period, either Days or Hours, for the age limit.

      Note: This setting can be overridden for an individual object version by disabling auto delete for the version.

  4. Click Save. 

To disable auto delete for an object version:

  1. In tenant view, navigate to the object table for the object. For example, to display the object table for main templates, select Configure > SD-WAN > Main Templates.

    Object_table_with_multiple_versions.png
     
  2. Click the link in the Version column for the object. A table listing all versions of the object displays.

    Templates_versions_list.png
     
  3. Click the box to the left of a version.

    Action_menu.png
     
  4. Click the 3-dot icon and then select Disable Auto Delete.
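The versioning, propagation, and auto delete rules described above can be modeled in a few lines to check which versions survive a given sequence of edits. This is an added illustration, not Concerto code: the class and field names are hypothetical, and it assumes a version's age is measured from the time the version was created.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Version:
    number: int
    body: dict
    created: datetime
    referenced_by: set = field(default_factory=set)  # referencing objects or devices
    auto_delete: bool = True                         # per-version override

class VersionedObject:
    """Illustrative model of one versioned object; not Concerto code."""
    def __init__(self, body, now):
        self.versions = {1: Version(1, dict(body), now)}  # new objects get version 1

    @property
    def latest(self):
        return max(self.versions)

    def edit(self, number, changes, now, propagate=False):
        old = self.versions[number]
        if not old.referenced_by:          # unreferenced: number stays the same
            old.body.update(changes)
            return number
        new = Version(self.latest + 1, {**old.body, **changes}, now)
        self.versions[new.number] = new    # original kept under its own number
        if propagate:                      # referrers now point at the new version
            new.referenced_by, old.referenced_by = old.referenced_by, set()
        return new.number

    def purge(self, now, age_limit, enabled=True):
        """Delete unreferenced, non-latest versions older than age_limit."""
        if not enabled:
            return []
        doomed = sorted(n for n, v in self.versions.items()
                        if n != self.latest and not v.referenced_by
                        and v.auto_delete and now - v.created > age_limit)
        for n in doomed:
            del self.versions[n]
        return doomed

def demo(protect_v1=False):
    t0 = datetime(2024, 1, 1)              # constructed timestamps
    obj = VersionedObject({"rule": "allow-web"}, t0)
    obj.versions[1].referenced_by.add("MainT23")
    obj.edit(1, {"rule": "allow-web-dns"}, t0 + timedelta(days=1), propagate=True)
    obj.edit(2, {"rule": "deny-all"}, t0 + timedelta(days=2))  # no propagation
    obj.versions[1].auto_delete = not protect_v1
    deleted = obj.purge(t0 + timedelta(days=10), timedelta(days=7))
    return deleted, sorted(obj.versions), obj.versions[2].referenced_by
```

In the demo, version 1 is purged once propagation leaves it unreferenced, version 2 survives because MainT23 still references it, and version 3 survives because it is the latest.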

Audit Logs

Concerto keeps audit logs for actions that users take on SD-WAN configuration objects. You can display the logs from the object table for an object.

For example, to view audit logs for a Topology and LAN Routing policy:

  1. In tenant view, select Configure > SD-WAN > Topologies & Routing Protocols > LAN.
  2. Click the box to the left of a policy name.
  3. From the 3-dot menu, select View Audit Log.

    Audit_log_for_LAN2.png

    The following screen displays the audit logs for the Top_and_LAN_example policy.

    Audit_log_for_LAN.png

Copy Versions to Subtenants

You can copy object versions to subtenants from an object table. For example, you can copy a topology and LAN routing policy to a subtenant from the table at Configure > SD-WAN > Topologies & Routing Protocols > LAN.

copy_to_subtenant.png

Object Variables 

You can parameterize most fields in a configuration object. For example, you can parameterize the IPv4 address when you configure a LAN interface policy. 

To parameterize a field, you create a variable by entering a dollar sign ($) character followed by a variable name. Variable names are user-defined, and are not preassigned by Concerto. When you save the object, Concerto creates an empty variable instance in all main templates that reference the object.

In the example below, the variable $nameServerVar is created for a name server address entry in a DHCPv4 server rule. In this case, the DHCPv4 server rule is part of a DHCPv4 Server reusable object that is referenced by main template MainT23.

create_variable_example.png

For main templates that reference objects with variables, the Eye icon displays in the main templates table. In the example below, the main template MainT23 has 13 variables in its referenced objects.

Main_template_table_view_variables.png

Click the Eye icon to display variables. The example below includes the nameServerVar variable for MainT23.

Variables_popup.png

The variables defined in all objects included in, or referenced by, a main template automatically display in the Variables step of the main template workflow. You can assign values to the variables in this step. Values entered here apply to all devices that reference the template.

Assign_value_from_workflow.png

Click the Information icon to display the path to the object where the variable was created.

Locate_variable_source.png

You can assign values to variables from the device hexagon in the Deploy lifecycle. Values entered here apply to only the specific device and override values assigned in the Variables step of the main template workflow. To do this, select the View Variables option from the hover menu for the device.

View_variables_menu_option.png
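The precedence described above (device-level values override values from the Variables step of the main template workflow) can be checked offline with a small resolver that also lists variables left without a value. This is an added illustration, not Concerto code: the object layout, the sample values, every variable name other than nameServerVar, and the assumption that a variable name is a dollar sign followed by an identifier are all constructed for the example.

```python
import re

VAR = re.compile(r"\$([A-Za-z_]\w*)")  # assumed syntax: "$" followed by an identifier

def find_variables(node):
    """Collect variable names from every string in a nested object."""
    if isinstance(node, str):
        return set(VAR.findall(node))
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(find_variables(v) for v in node))
    return set()

def resolve(node, template_values, device_values):
    """Return (resolved copy, sorted names that still have no value)."""
    merged = {**template_values, **device_values}  # device-level value wins
    def sub(n):
        if isinstance(n, str):
            # Unassigned variables are left in place so they stay visible.
            return VAR.sub(lambda m: str(merged.get(m.group(1), m.group(0))), n)
        if isinstance(n, dict):
            return {k: sub(v) for k, v in n.items()}
        if isinstance(n, list):
            return [sub(v) for v in n]
        return n
    return sub(node), sorted(find_variables(node) - set(merged))

# Constructed sample: objects referenced by one main template.
OBJECTS = {
    "dhcp4_server": {"name_servers": ["$nameServerVar"], "lease": "$leaseVar"},
    "lan_interface": {"ipv4": "$lanIpVar/24"},
}
TEMPLATE_VALUES = {"nameServerVar": "192.0.2.53", "lanIpVar": "198.51.100.1"}
DEVICE_VALUES = {"BstApp": {"lanIpVar": "203.0.113.1"}}  # per-device override

if __name__ == "__main__":
    config, unassigned = resolve(OBJECTS, TEMPLATE_VALUES, DEVICE_VALUES["BstApp"])
    print(config)
    print("unassigned:", unassigned)
```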

Object Permissions

You can set permissions for individual SD-WAN configuration objects through the Permissions step for the object's workflow. You set permissions by Concerto role. For information about Concerto roles, see Manage Users.

SD-WAN configuration workflows have the following permission levels:

  • Create—Can add other configuration objects through the object's workflow. For example, if a role has Create permissions for a main template then users with the role can add an existing or new CGNAT policy through the workflow for the template.
  • Read—Can view object details. You view object details through the object's workflow.
  • Update—Can update the object.
  • Delete—Can delete the object.

The following screen displays the Permissions step for the Main Templates workflow. These permissions are specific to the main template named ktinline3.

Permissions_step.png

Supported Software Information

Releases 13.1.1 and later support all content described in this article.
