Configure Profiles

Configure the DHCP Service

1. To add a new DHCP service or update an existing DHCP service, click the DHCP box in the Edit Master Profile > Profile > Others screen. The DHCP screen displays.
   
   
2. To display or update information about the service, click an existing DHCP service, such as Enterprise-LAN-DHCP.v1 in the screenshot above. Make the changes, then click Save on the Permissions screen.
3. To add a new DHCP service, click Add Service. You can create a new service or choose an existing service.
   1. If you select Choose Services, the following screen displays. 
      
      
   2. Click the service to add and then click Add at the bottom of the screen.
   3. If you select Create New, the following screen displays. Enter information of the following fields.
      
      
       

      Field	Description
      Name (Required)	Enter a name for the DHCP service.
      Description	Enter a description of the DHCP service.
      Enabled	Click the slider bar to enable the DHCP service (default). Click Enabled again to disable the service.
      Interface (Required)	Click in the field and select an interface to use for the DHCP service.
      Tags	Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags added for the same object. The tags are used for searching the objects.

4. Click Next. In the Pool tab, enter information for the following fields.
   
   
    

   Field	Description
   Scope (Group of Fields)
   Start Index	Enter the start index for the DHCP pool. The start index is the index of the first host address in the DHCP pool. The start index is automatically computed by the system based on the LAN interface IP address subnet. For example, for a LAN interface with the address 192.168.0.1/24 and a start index of 2, the DHCP server pool starting address would be 192.168.0.2.
   Pool Size	Enter the size of the DHCP address pool. The end address of the pool is measured using the LAN interface IP subnet, start index, and pool size. For example, for an interface with the address 192.168.0.1/24, start index 2, and pool size 250, the pool range would be 192.168.0.2 through192.168.0.251.
   Exclude	Enter a list of pool indexes to exclude. The list can be individual indexes or ranges, such as 67-90. The system will automatically compute the exclude addresses in the IP subnet configured on the LAN interface.
   Name Servers	By default the name server is assigned automatically (the slider bar is set to AUTO). If you select MANUAL, enter the following information.
   Primary	Enter the IP address address of the primary name server, such as 10.10.10.1.
   Secondary	Enter the IP address address of the secondary name server.
   Domain	Enter the domain name of the DHCP service, such as versa-networks.com.

5. Click Next. The Reservation tab displays.
   
   
    
6. Click Add to add a DHCP reservation, then enter information for the following fields.
   
   
    

   Field	Description
   MAC Address	Enter the MAC Address of the DHCP Client, for example 0d:56:45:52:53:41.
   Reserve Address	Enter the number of indexes to reserve in the IP address pool for the corresponding MAC addresses. The system will automatically compute reservations based on the IP subnet configured on the LAN interface. The number entered must be greater than 0.

7. Click Next. The Options tab displays.
   
   
    

   Field	Description
   DHCP Options (Group of Fields)	Click Add to add one or more DHCP options, then enter information for the following fields.
   Key	Enter a number for the DHCP options key.
   Type	Select an option type. The supported options are: Boolean FQDN IP Address IPv6 Address String uint8 uint16 uint32 Hex String
   Vendor ID	Enter the vendor information if vendor information is exchanged between the DHCP server and client.
   Value	Enter a value for the vendor ID, then click the Check icon to add the value. The value depends on the Option type you selected, as follows. Boolean—Enter true or false. FQDN—Enter a fully qualified domain name (FQDN). IP Address—Enter an IPv4 address. IPv6 Address—Enter an IPv6 address. String—Enter a text string. uint8—Enter a number from 0 through 255. uint16—Enter a number from 0 through 65535. uint32—Enter a number from 0 through 4294967295. Hex String—Enter a valid hexadecimal string.
   Boot Options (Group of Fields)
   File Name	Enter the name of the file to use to boot the DHCP client.
   Next Server	Enter a valid IP address of the next DHCP server in the boot sequence..
   Echo Client ID	Click the slider bar to enable or disable the echo client ID option. The default is Enabled.
   Netbios Options
   Name Servers	Enter the IP address of the Windows Name Internet Server (WINS) to use for name resolution.
   Type	Select the node type of name resolution: b—Broadcast. A b-node client sends the destination name in a broadcast message.  h—Hybrid. An h-node client unicasts the destination name to the WINS server.  m—Mixed. An m-node client broadcasts the destination name. p—Peer to peer. A p-node client sends the destination name in a unicast message to the WINS server.

8. Click Next. The Permissions tab displays.
   
   
    
9. Review and edit the permissions, if desired.
10. Click Save to create the DHCP service.

Configure the CGNAT Service

1. To add a new CGNAT service or update an existing CGNAT service, click the CGNAT box in the Edit Master Profile > Profile > Others screen. The CGNAT screen displays.
   
   
    
2. To add or update an existing CGNAT service, click CGNAT. In the CGNAT screen, click Add Service to add a new service. You can create a new service or choose an existing service. If you select Create New, the Create CGNAT screen displays. Enter information for the following fields.
   
   
    

   Field	Description
   Name	Enter a name for the CGNAT service.
   Enable	The slider bar is in the Enabled position by default. To disable the CGNAT service, click the slider bar so that it is grayed out.
   NAT Mode	Select the NAT mode: Basic NAT. This is the default. Destination NAT Dynamic NAT NAPT Twice Basic NAT No Translation Default: Basic NAT
   Tenant	(For Releases 11.4.1 and later.) Select a tenant. The list displays the current tenant and all child tenants. If a tenant is not selected, the system displays the name of the current tenant only, not any child tenants.

    
   1. Select the Criteria tab, and then enter information for the following fields.
      
      
       

      Field	Description
      Type (Source)	The Source type is selected by default, and you cannot change it. Select the type of source to use: IP Ranges—Enter an IP address range, such as 10.10.1.1-10.10.1.100, and then click the Check mark icon or press Enter. You can enter multiple address ranges. Subnets—Enter an IP address subnet, such as 10.1.1.0/24. VPN Name—Select a VPN name. Zones—Select a zone.
      Type (Destination)	The Destination type is selected by default, and you cannot change it. Select the type of destination to use: Note: The IP Ranges and Subnets options are mutually exclusive; you can select one or the other, but you cannot select both of them. IP Ranges—Enter an IP address range, such as 10.10.1.1- 10.10.1.100, then click the Check mark icon or press Enter. You can enter multiple address ranges. Port—Enter a destination port number. Range: 1 through 65535 Default: None Port Range—Enter a destination port range, such as 80-88. Subnets—Enter an IP address subnet, such as 10.1.1.0/24. Zones—Select a zone.
      Protocols	Select one or more protocols: AH ESP ICMP TCP UDP 0 through 255

   2. Select the Action tab, and then enter information for the following fields.
      
      
       

      Field	Description
      Logging	Click the slider bar to enable logging to Versa Analytics.
      Translated Sources	Select the translated sources based on VPN names or WAN connections: VPN Name—Select a VPN name. WAN Connection—Select a WAN connection. Select the translated sources from IP addresses, subnets, or IP address ranges: IP Addresses—Enter an IP address, and then click the Check mark icon or press Enter. You can enter multiple IP addresses. IP Ranges—Enter an IP address range, and then click the Check mark icon or press Enter. You can enter multiple IP address ranges. Subnets—Enter an IP subnet, and then the Check mark icon or press Enter. You can enter multiple IP subnets.

   3. Select the Permissions tab, and revise the permissions, if needed.
   4. Click Save to create the CGNAT service.

Configure VPN Instances

1. To add new VPN instances or display existing VPN instances, click VPN. The VPN Instances screen displays.
   
   
    
2. To add a VPN instance, click Add VPN Instance > Create New.
   
   
   
   The Edit VPN Instance screen displays with the Settings tab selected by default. Enter information for the following fields.
   
   
    

   Field	Description
   VPN (Group of Fields)
   Tenant (Required)	Select a tenant from the list.
   VPN Name (Required)	Select a VPN from the list.
   Topology (Group of Fields)
   Spoke Parameters
   Topology	Select a topology. The options are: Full Mesh Spoke to Hub Only Spoke to Spoke via Hub
   Scope	Select Enterprise or Region from the list. If you select Region, the following field appears: Select a hub LAN route. The options are: Reach Directly Reach via Local Hubs (default) Reject
   Hub Parameters
   Reject Other Region Routes	Enabled by default. To disable this option, click the slider bar so that it is grayed out.
   Spoke Communities	Enter one or more spoke community numbers.
   + Add Variable	Click to create a variable for a spoke community, then enter the variable name in the popup window. You can add multiple variables.
   Split Tunnels (Group of Fields)
   Direct Internet Access (DIA) Disabled	Click the slider bar to enable DIA (DIA is disabled by default, then enter information the following fields. Connection Name—Select the connection to use for DIA. Priority—Select a priority for the connection, then click the  Plus icon. The priority range is 1 through 16. You can select multiple connections. If you enable Gateway, the appliance acts as an internet gateway for the enterprise and re-advertises default routes on the SD-WAN overlay to other appliances.
   Gateway Capability Disabled	Click the slider bar to allow the DIA connection to be a gateway. If you enable Gateway, the appliance acts as a gateway to non-SD-WAN networks and re-advertises routes from the MPLS underlay to the SD-WAN overlay.
   Underlay Disabled	Click the slider to enable underlay routing to non-SD-WAN appliances over the MPLS network without performing NAT on the traffic. Underlay routing is disabled by default. Enter information the following fields. Connection Name—Select the connection to use for underlay routing. Priority—Select a priority for the connection, then click the  Plus icon. The priority range is 1 through 16.   You can select multiple connections.
   Gateway Capability Disabled	Click the slider bar to prevent the VPN from being a gateway.

3. Click Next. In the Routes Redistribution tab screen, enter the following information. 
   
   Note: By default, the redistribution policy configuration is automatically generated by the system based on the routing protocols enabled on the LAN interfaces and the type of the device (hub, hub-controller, spoke, full mesh). For most use cases you are not required to create redistribution policies. Use custom redistribution policies only if you need to overwrite the default configuration.
   
   
    

   Field	Description
   From RIB (Required)	Select IPv4 unicast or IPv6 unicast.
   Destination Protocol (Required)	Select the destination protocol. The options are: BGP OSPF RIP
   Redistribution Policy Name (Required)	Select the name of the redistribution policy. For information about creating a redistribution policy, see Configure Redistribution Policies in Concerto.

4. Click Next. In the Permissions tab, you can change permissions for the defined roles, if desired. 
   
   
    
5. Click Next. The Review and Submit screen displays.
   
   
    
6. Enter a name for the VPN instance in the Name field.
7. Review the configuration. To make changes, click the Edit icon, make the changes, and then return to this screen.
8. Click Save to create the VPN instance.

Configure BGP Peer Policies

1. ​​​To add a new BGP peer policy or update an existing policy, click + BGP Peer Policy.
   
   Note: If you refer to a BGP peer policy in the BGP neighbor configuration on a WAN or LAN interface, you should attach the peer policy to the BGP peer policies list. For more information, see Configure SASE BGP Peer Policies.
   
   
   
   You can choose an existing policy, or you can create a new policy. 
   
   
2. If you click Choose Existing, the Choose Policies screen displays all configured BGP peer policies.
   
   
3. Click a policy to use, then click Add. The BGP peer policy is added to the Profile > Others screen:
   
   
    
4. If you click Create New Policy, the Create BGP Peer Policy screen displays.
   
   
    
   1. Enter a name for the policy, then click Next. The New Policy Term screen displays.
      
      
       
   2. Enter a name for the policy term.
   3. The new policy term will be enabled by default. To disable the policy term, click the slider bar.
      
      
       
   4. Click Next. In the Criteria tab, enter information for the following fields.
      
      
       

      Field	Description
      Community	Enter the BGP community string to match. A BGP community is a group of destinations with a common property. This path attribute in BGP update messages identifies community members and performs actions at a group level instead of at an individual level. BGP communities help identify and segregate BGP routes, enabling smooth traffic flow.
      Extended Community	Enter the extended BGP community string to match. In an extended community, you can group a larger number of destinations than in a community. Range: 0000000000000000 to FFFFFFFFFFFFFFFF Default: None
      AS Path	Enter the AS path number to match.
      Metric	Enter the metric value to assign to the route. Range: 0 through 4294967295
      IPv4 Prefix (Group of Fields)
      IPv4 Subnet	Click Add to display fields for IPv4 Subnet, Min Length, Max Length, and Action. Enter the IPv4 subnet, such as 10.1.1.0/24.
      Min Length	Enter the minimum length of the IPv4 prefix. Range: 24 through 36 Default: None
      Max Length	Enter the maximum length of the IPv4 prefix. Range: 24 through 36 Default: None
      Action	Select Permit or Deny.
      IPv6 Prefix (Group of Fields)
      IPv6 Subnet	Click Add to display fields for IPv6 Subnet, Min Length, Max Length, and Action. Enter the IPv6 subnet, such as 2001:db8:1234:0000::/64.
      Min Length	Enter the minimum length of the IPv4 prefix. Range: 64 through 128 Default: None
      Max Length	Enter the maximum length of the IPv4 prefix. Range: 0 through 128 Default: None
      Action	Select Permit or Deny.

      
       
   5. Click Next to go to the Action tab, then enter information for the following fields.
      
      
       

      Field	Description
      Action	Select the action to take on the routes: Accept Reject
      Local Preference	Enter the local preference value to use to choose the outbound external BGP path. Range: 0 through 2147483647
      Next Term	Select the name of the next term to evaluate. You can use this field to create a sequence of terms, and then you use the Next Term Action field to configure the sequence as an AND or OR series. If you had previously selected the policy term action to be Reject, this field is grayed out.
      Next Term Action	When you use the Next Term field, select whether to create an AND series and an OR series if the policy term action is Accept. If the policy term action is Reject, this field is grayed out.
      Enabled ECMP for BGP Routes in RIB	Click the slider bar to enable ECMP for BGP routes in RIB. The default is Disabled.
      Route Preference (Group of Fields)	Range: 0 through 255
      Metric Action	Select the metric action to take: Set Value IGP (interior gateway protocol) Add Subtract
      Metric	Enter the metric value for the chosen metric action. Set Value—Enter a number from 0 through 2147483647 IGP (interior gateway protocol)—No metric is required Add—Enter a number from 0 through 2147483647 Subtract—Enter a number from 0 through 2147483647
      Community (Group of Fields)
      Community Action	Select how to match the community list for a route: Community field is ignored. Remove all communities from the route. Replace all communities with the single community specified by set-community. Remove all communities that match community value. Append the value of community value into the communities list.
      Community Value	Enter the community value. The value should be a set of communities separated by a space in the format 2-byte decimal:2-byte decimal. Note that not all extended community actions require a community value. Range: 0 through 65535
      Extended Community Action	Select how to match the community list for a route: Community field is ignored. Remove all communities from the route. Replace all communities with the single community specified by set-community. Remove all communities that match community value. Append the value of community value into the communities list.
      Extended Community Value	Enter the BGP extended community value. The extended community value should be 16 characters. Range: 0000000000000000 to FFFFFFFFFFFFFFFF Default: None
      AS Path (Group of Fields)
      AS Path Action	Select a regular expression to match the AS path for the route: No AS path action. Prepend the local AS path the number of times specified by local AS prepend count. Remove all AS numbers matched by match as-path. Remove all AS numbers matched by match as-path and prepend the local AS the number of times specified by the local AS prepend count.
      AS Path Prepend	Select how to prepend the AS number to an AS path. Range: 1 through 4294967295
      Local AS Path Count	Enter a value from 1 through 255.

   6. Click Save to create the new policy term. You can now choose this term when creating a BGP peer policy.

Configure Director Service Templates

<STOPPED HERE 5/22/25>

1. To add or move a Director service template, click Director Service Templates. The following screen displays.
   
   
    
   1. To move a service template up or down in the list, click Move. The following screen displays.
      
      
       
   2. To choose which direction to move the rule, click Before or After.
   3. Enter the rule number.
   4. Click Move.
   5. To add a service template, click + Select Templates. The following screen displays the available templates.
      
      
       
   6. Select one or more service templates, and then click Add. The template is added to the Director Service Templates screen.
2. For Releases 11.1.1 and later, to update management server policies for NTP, SNMP, syslog, and TACACS+, or to add a new management server policy, click + Management Servers. For more information, see Configure Management Servers.
   
   
    
3. For Releases 11.3.1 and later, to create a user management policy or associate an existing user management policy with the master profile to add and manage VOS device users, click + User Management. For more information, see Manage VOS Users.
   
   
    
4. For Releases 11.3.1 and later, to apply different services templates to the devices in a master profile for redundant devices:
   1. Go to Configure > Profiles > Master Profiles, and select a master profile for redundant devices.
   2. In the Edit Master Profile screen, click Profile > Others.
   3. Under Director Service Templates, click the Service Template box. The Director Service Templates screen displays the tenant's current service templates.
   4. Click + Service Templates in the lower right corner of the screen. The Choose Service Template screen displays the available service templates.
   5. Select one or more service templates, and then click Add. The templates are added to the Director Service Templates screen. By default, the service templates are added to both the primary and secondary devices in the redundant configuration. Note that the Appliance Type column displays only when you are editing a master profile for redundant devices.
   6. Click Sync Service Templates to synchronize service template bind data variable updates on a Concerto node. The service templates attached to the master profiles exist on Versa Director and any service template variable changes in Concerto must be in sync with Director. If service templates have new variables and values are not set, the publishing process fails.
      
      
   7. To apply the service template to only one of the redundant devices, click the drop-down list and then select either the Primary or Secondary device in the pair.