Concerto SD-WAN Demo
Corrected Video Transcript
Versa Networks | Concerto Portal v13.1.1

0:00 Hello, in this video I will demonstrate how easy it is to configure and deploy an SD-WAN network using the Concerto portal version 13.1.1.
0:11 As part of SD-WAN device configuration,
0:14 the first step is to create main templates.
0:18 Once a main template is created, it can be used to deploy multiple sites.
0:24 Instead of creating separate templates for each site, you can use bind variables to reuse the same template and configure multiple devices simultaneously.
0:33 Let me walk you through a quick overview of the main template creation workflow.
0:39 As you can see, the interface provides a workflow-based user experience with a validated path at the top.
0:46 Each step represents a functional area where configurations can be applied based on your requirements.
0:52 The first step is the deployment tier.
0:54 Here you select the appropriate tier, choose add-ons, and optionally enable High Availability.
1:02 Next you configure interfaces.
1:05 You can select the device model and add WAN interfaces, LAN interfaces, site-to-site tunnels, loopbacks, and other interface types.
1:16 In step three, you configure routing protocols for both LAN and WAN.
1:22 You also define the topology, whether it is full mesh, hub and spoke, or spoke to spoke via a hub.
1:29 Additionally, you can enable direct Internet access in this step.
1:33 Under Network Services, you can configure CG-NAT and DNS proxy settings.
1:39 In the QoS Traffic Steering and Monitoring section, you define policies to steer application traffic through the most appropriate path.
1:48 For example, business critical applications can be routed through an MPLS link.
1:54 You can also enable SLA requirements, forward error correction, and packet replication.
2:00 Here you configure QoS policies including both application-based and stateless policies.
2:07 Traffic monitoring allows you to send logs to appropriate destinations.
2:11 Flow logs can be configured for specific applications or traffic flows and sent to external SIEM systems.
2:20 In the authentication step, you can enforce user authentication for accessing specific applications or services.
2:27 The device ensures users are authenticated before allowing traffic to pass.
2:32 The security step allows you to configure all security features, including access control policies.
2:39 This includes next-generation firewall features, TLS decryption, and DoS protection.
2:46 Next you configure system services such as Syslog, NTP, DNS, TACACS+, and RADIUS servers.
2:55 If certain configurations are not supported in the current release, you can use director-level service templates.
3:01 These allow you to extend functionality by attaching additional configurations to the device.
3:07 Finally, all configuration variables are displayed.
3:10 These variables must be filled per device during deployment.
3:14 Let me quickly go back to Step 2 and show you how to add WAN or LAN interfaces.
3:20 When you click on Add, you will see options for different types of interfaces.
3:25 You can either create a brand new interface or select an existing WAN interface.
3:30 These existing interfaces are typically created as part of previous templates.
3:35 You can reuse them here without having to rebuild everything from scratch.
3:39 Let me select an existing WAN interface.
3:43 As you can see, this interface was previously configured as part of another main template.
3:51 Click Submit and the WAN interface is now attached to this template.
3:59 If you want to create an additional WAN interface that is not available in the list, simply click on Add New.
4:06 When you select Add New, you first choose the interface location.
4:10 Then you can configure additional attributes for that WAN interface.
4:15 Next, go to the connection section and associate the interface with a transport.
4:21 The remaining parameters are optional.
4:24 You can enable IPv4 or IPv6, and you can also configure monitoring based on remote destination availability.
4:37 This allows you to mark the link as up or down instead of relying only on the physical interface status.
4:43 You also have the option to monitor just the next-hop gateway or define a custom remote destination for more advanced monitoring.
4:53 So the next step is QoS, the traffic scheduler, and traffic shaping.
4:58 These are the profiles that you can build using the system.
5:02 You can select an existing one or you can also create a new one here if you do not see anything you want for this interface.
5:15 The next step is for a multi-tenant system where you can allocate bandwidth for each sub-tenant, and the next step is permissions.
5:25 Here you can see the various roles that are available in this tenant, assign role-based permissions, and then give a name.
5:34 I do not want to make this interface reusable and I want to build it only for this template.
5:40 Then you can select this.
5:41 Otherwise the newly created interface will be added to the reusable list.
5:51 So a new WAN interface is added.
5:54 The next step is to add some LAN interfaces and let me choose one of the LAN interfaces.
6:05 So if you open the LAN interface you can see the configurations.
6:11 This LAN interface was built before, but with a single click
6:14 I have attached it here.
6:16 The next step is again LAN and WAN routing protocols.
6:21 So let me use one of the previously built LAN routing protocol and topology objects.
6:30 When you expand it, you can see the configuration which you can review.
6:36 As you can see, this particular routing instance is participating in a full mesh topology and it has DIA enabled with WAN circuit one and WAN circuit 2 with different priorities.
6:48 It also has routing protocols configured including static routes.
6:53 So you can review the static routes configured in this object.
6:56 OSPF is also enabled.
7:03 Let me submit this.
7:05 You can do the same thing for the WAN-facing side.
7:09 After each WAN circuit, we can enable routing protocols.
7:13 You can configure static routes.
7:15 Let me skip through this CG-NAT and DNS configuration.
7:19 Let me go to the security step.
7:20 Here you can add existing policies that are already created as in a typical enterprise setup.
7:33 They may have the same security policy or different security policies based on the region or hub location.
7:41 When you have a small number of policies, you do not need to rebuild them again and again
7:46 every time you create a main template.
7:48 You can maintain them as a repository of policies and then select them as needed.
7:53 If you want to create a new policy, you click here.
7:56 If you want to use an existing policy, you click on this option.
8:01 As you can see, there are two policies available.
8:04 I am selecting the default ACL policy.
8:08 There are multiple versions available, but I am selecting the latest version, version 5.
8:13 This policy has three rules.
8:16 When you expand the policy, you can review the rules within it.
8:19 For example, Rule 3, the Scheme Users rule and Allow some apps.
8:25 These are three different rules available.
8:27 You can open them and review the content of each rule.
8:31 After reviewing, you can apply this policy to the selected main template.
8:35 You can also add additional policies.
8:38 If you want to add a new policy on top of the existing one, click on Add New Policy.
8:54 This is again a guided workflow for creating rules within the Access Control policy.
9:02 In the first step you can select Applications or Application groups.
9:07 These include user-defined applications as well as predefined applications.
9:11 You can select predefined application groups or individual applications.
9:18 There are over 4,500 predefined applications available.
9:26 You can also define custom applications.
9:31 The next step is to match based on the user.
9:34 You can match based on user groups or individual users using an authentication profile.
9:39 The profile helps fetch the users and groups available under it.
9:54 The next step is to match based on source and destination zones, source sites, or traffic destined for a specific site.
10:06 You can also match based on geolocation such as country, state, or city for both source and destination.
10:15 You can define match criteria based on Layer 3 and Layer 4 services.
10:20 There are over 700 predefined services available.
10:26 You can also define custom services for private applications within the network.
10:32 Finally, you select the action - Allow, Deny, or Reject - or apply a security profile.
10:40 These are advanced security profiles with UTM features such as malware protection.
10:45 There are predefined profiles available and you can also create custom profiles.
10:55 This also includes URL filtering.
11:03 You can enable IPS, IP filtering, file filtering, and DNS filtering.
11:10 All of these can be enabled together if required.
11:14 Then you can give a name to this rule.
11:16 You can also define a schedule to specify when the rule should be active.
11:20 You can create schedules and apply them.
11:26 Optionally, you can enable logging for all traffic matching this rule.
11:30 By default, logs are sent to the Analytics cluster.
11:34 You can also send logs to an external SIEM system.
11:42 Finally, you can review and save the configuration.
11:47 This is how you configure ACL rules and multiple rules can be combined into a policy.
11:59 In this example, the first policy has one rule and the second reusable policy has three rules.
12:10 This is how you configure all types of policies including TLS decryption and DoS protection, which are policy-based engines.
12:22 Now let me go back to traffic steering.
12:25 I will select one of the existing traffic steering policies and show you the rules.
12:32 Similar to access control, this is also a collection of rules.
12:40 Each rule is based on applications, user-based criteria, source and destination, and geolocation.
12:51 The action here is defined through a forwarding profile.
12:56 This determines how traffic is routed to the destination based on various criteria.
13:02 You can prioritize traffic based on user groups and send it through a specific path.
13:07 You can also define SLA requirements and enable features like forward error correction and packet replication.
13:18 Existing profiles may already be available from previous configurations.
13:24 If you need a different configuration, you can create a new profile.
13:33 The workflow guides you through defining a new forwarding profile.
13:40 You can define path priorities based on name or tag.
13:46 For example, the primary path can be WAN one, followed by any remote circuit, and then a backup path.
13:59 Next you can configure SLA requirements.
14:05 You can define conditions such as low latency and low packet loss.
14:12 You can also enforce absolute thresholds, for example a maximum latency of 60 milliseconds.
14:19 If the SLA condition is not met, traffic will automatically switch to another path that meets the requirement.
14:25 You can also enable forward error correction and packet replication.
14:29 These are the key attributes for configuring a forwarding profile.
14:40 Next, you can configure SNMP, Syslog, and NTP services.
14:49 You can also attach additional service templates along with the main template.
14:55 These variables come from different configuration steps and must be filled for each device.
15:02 Let me give a name to this template.
15:10 Now I have created a new demo template.
15:13 You can go to the deployment lifecycle.
15:17 You can create a new site, add a device inside the site, apply this template, and publish it.
15:26 You can either add a new device to an existing site or create a new site.
15:35 You can also organize sites into regions and apply role-based access control.
15:45 Once the site is created, you can add an appliance, provide a name, and enter the serial number of the device.
16:01 Then select the bandwidth to be provisioned.
16:05 Next, set the template.
16:07 You will see all available templates and can select the newly created one.
16:18 Once the appliance is created, there may be some pending variables.
16:23 These variables come from the template and must be filled.
16:31 For example, assign a unique LAN interface IP address.
16:37 Since this is a second device, it must have a different IP within the same segment.
16:46 Then configure the WAN interface and next-hop details.
16:53 If the interface is parameterized, you need to select the appropriate values.
16:58 In this case WAN one is parameterized, so I need to select the location.
17:06 Now the device is ready to be published.
17:10 Thank you for watching.
17:12 To learn more, visit www.versa-networks.com.