
Elisity Micro Edge Deployment Guide

Elisity Micro Edge is a Docker container-based implementation of the Elisity Cognitive Trust software that runs on a Cisco Catalyst 9000 series switch by leveraging the switch's integrated application hosting (IOx) functionality.


As of today, all Cisco Catalyst 9300 and 9300L models support Elisity Micro Edge. Cisco StackWise© switch stacking technology is also supported. Additional Cisco 9000 series models will be supported in future releases.

NOTE:

  • Switches running Elisity Micro Edge must be equipped with a supported storage device such as the SSD-120G or C9400-SSD-240GB (M.2) module. Front-panel USB storage and internal flash are not supported.
  • All Catalyst 9000 series switches require DNA Advantage licensing. This requirement is not unique to the Elisity Micro Edge container; it is imposed by Cisco on the application hosting environment within IOS-XE.
  • The Elisity Micro Edge has been developed using IOS-XE version 17.6.1. While it may work with earlier versions of IOS-XE, we cannot guarantee that it will operate correctly.
  • All switches running Elisity Micro Edge must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com.
  • Catalyst 9400 series switches must have application hosting verification disabled by issuing the app-hosting verification disable command. With verification disabled the switch no longer checks the signature of the application packages it installs, so obtain the Micro Edge tar only from Cloud Control Center or your Elisity SE and copy it to the switch over an authenticated channel such as SCP.

The Elisity Micro Edge container has two virtual interfaces: a management interface and an identity (uplink) interface. The management interface communicates with the switch over the switch's default out-of-band management VRF; this connection is used to read the Catalyst configuration and to configure security policies, traffic filters and other switch functions. The identity (uplink) interface is the source interface for reaching Cloud Control Center and the connection over which the Micro Edge gleans the identity and behavior of users, applications and devices from the switch.

The following image is a high-level depiction of the Elisity Micro Edge architecture:

[Figure: Elisity Micro Edge architecture diagram]

NOTE: Elisity Micro Edge supports connectivity to both Layer 3 and Layer 2 industry standard access switch infrastructure designs. The difference between the two deployment models from the perspective of the Elisity Edge is detailed later in this document.

The following table defines the terminology used in this document.

Host/Switch

Host and switch are used interchangeably; both refer to the underlying switch that is hosting the Micro Edge container.

Micro Edge Management IP

The management IP address on the Micro Edge. This IP address is assigned to the management eth0 port on the Micro Edge. It should be in the same subnet as the host switch management IP address. Micro Edge and the host management IP addresses are used as source and destination IP addresses for configuration of the Catalyst 9000 series switch. 

Micro Edge Uplink IP

The uplink IP address on the Micro Edge. This IP address is assigned to the uplink port eth1 on the Micro Edge. It should be in the same subnet as the host uplink IP. This IP address is the source address for Micro Edge to reach Cloud Control Center and also the destination address for the host switch to send identity data to the Micro Edge.

Host Management IP

The management IP address of the host switch configured on gi0/0.

Host Uplink IP

The host uplink IP address has a different set of roles depending on whether the Micro Edge is deployed in a Layer 2 or a Layer 3 access switch design.

Layer 2 Access Design: This IP address will be configured on a switch SVI mapped to the host uplink VLAN. It will be used as the source address for the host switch to send identity data to the Micro Edge.

Layer 3 Access Design: This IP address will be configured on a switch SVI mapped to the host uplink VLAN. It will be used for the host switch to send identity data to the Micro Edge. In addition, this IP address will be the default gateway for Micro Edge to reach Cloud Control Center through the Catalyst 9000 series switch. The switch must route this traffic to Cloud Control Center.

Host Uplink VLAN

Layer 2 Access Design: The VLAN configured on uplink port on the switch. An SVI for this VLAN is configured on the switch and the host uplink IP address is assigned to the SVI.

Layer 3 Access Design: Any free VLAN on the switch which will be used for communication between Micro Edge and the switch. An SVI for this VLAN is configured on the switch and host uplink IP address is assigned to the SVI.

Uplink Gateway IP

Layer 2 Access Design: The gateway IP address for the host to reach the internet. The default gateway on Micro Edge would be configured with this IP address.

Layer 3 Access Design: Not used because the host switch does the routing. The Micro Edge has a default route pointed at the switch as the next hop.


Cloud Control Center Prerequisite:

Before onboarding an Elisity Micro Edge, an Elisity Connect Subnet must be configured in Cloud Control Center. Typically, this subnet is used to hand out private IP addresses to users connecting to the network via the Elisity Connect remote access client (deprecated); however, it is also used for backend registration of the Micro Edge.

To configure the Elisity Connect Subnet, navigate to Administration > Settings > Elisity Connect.


Step 1: To onboard a Catalyst 9000 series switch onto the Elisity secured network, first ensure that the switch is running a Network Advantage license with the DNA Advantage add-on. Check the current license level from privileged EXEC mode; if it needs to change, set the boot level under global configuration mode (a change to the boot level takes effect after the next reload):

switch# show license summary

! check the license level first

switch(config)# license boot level network-advantage addon dna-advantage

Step 2: The switch must have either a local user account with privilege 15 or TACACS+/RADIUS login that grants privilege 15 access. The Micro Edge uses this account to authenticate to the host switch and, through it, has full configuration control of the switch, so use a dedicated account for the Micro Edge rather than a shared administrator login and rotate it like any other service credential. To create a local account, execute the following command under global configuration mode (the 0 keyword means the password that follows is entered in cleartext; IOS-XE stores it as a one-way hash):

switch(config)# username <username> privilege 15 secret 0 <password>

Step 3: Log into Cloud Control Center and navigate to Policy Fabric > Elisity Edge > Add Edge


Step 4: Select Micro Edge on the screen that follows. This will take you to the configuration page.


Step 5: Using the following guidelines, enter the required details on the Micro Edge configuration page.

Host Management IP: Specify the host switch’s management IP address and subnet mask. This is used by the Micro Edge to communicate with the host switch for switch configuration management. If the host switch’s management IP address is DHCP assigned, configure the DHCP server to reserve this IP address and to always assign the same address.

Micro Edge Management IP: Specify an IP address and mask from the host switch's management subnet. This will be used to configure the Micro Edge management interface for communication with the host switch during switch configuration management. If this is DHCP assigned, select the DHCP checkbox and configure the DHCP server to reserve this IP address and to always assign the same address.

Uplink Gateway IP: This is required only if deploying the Micro Edge with a layer 2 access switch design. Typically, this IP address exists northbound from the host switch and is the next hop to reach the internet. If deploying the Micro Edge with a layer 3 access switch design, then this input isn't required. However, the host switch should have a default route to an upstream gateway or reachability to the internet by means of an IGP learned route.

Host Uplink VLAN: If deploying the Micro Edge with a layer 2 access switch design, specify the VLAN ID of the host uplink SVI that is created during the deployment (see diagram). If deploying the Micro Edge with a layer 3 access switch design, specify any free VLAN on the switch and an SVI for this VLAN must also be built for layer 3 connectivity between the Micro Edge and the switch.

Host Uplink IP: If deploying the Micro Edge with a layer 2 access switch design, specify a free IP address from the uplink subnet. An SVI must be configured on the host with this address. If deploying Micro Edge with a layer 3 access switch design, pick an unused private subnet and specify an IP address from this subnet. An SVI should be configured on the host switch with this address.

Micro Edge Uplink IP: If deploying the Micro Edge with a layer 2 access switch design, specify a free IP address from the uplink subnet. If deploying the Micro Edge with a layer 3 access switch design, specify a free IP address from the private subnet.

The following design diagrams and configuration examples clarify how the Micro Edge works with both Layer 2 and Layer 3 access switch designs and how they differ.

NOTE: The management connectivity is the same between the two models and is reflected in the diagrams.

Layer 2 Access Switch Deployment Model

The host switch has an interface (Te1/0/48) connected to an uplink switch or router for internet access and in this example the interface is configured as a trunk that transports the host uplink VLAN (4000). The remote switch or router that provides access to the internet has an SVI or gateway interface with an IP address of 10.20.20.254/24.

[Figure: Layer 2 access switch deployment model]

!
interface TenGigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 1-5,4000

NOTE: If configuring an existing uplink trunk, be sure to use the add form of the command (switchport trunk allowed vlan add 4000) when adding the Uplink VLAN to the trunk. The bare form (switchport trunk allowed vlan 4000) replaces the entire allowed list, which would cut every other VLAN off the uplink and cause a network outage.
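To make that failure mode concrete, the following is an added example (not from this page, Elisity or Cisco) that models how IOS-XE applies the two forms of the command to a trunk's existing allowed-VLAN list and reports which VLANs each form would cut off. The starting list 1-5,100-110 is constructed for the example; the range syntax and the add, remove and except keywords follow the IOS-XE CLI.

```python
"""Model the effect of 'switchport trunk allowed vlan ...' on an existing trunk.

Added example (not Elisity's or Cisco's code). It parses the IOS-XE VLAN list
syntax, applies one command to a trunk's current allowed list and reports
which VLANs the command would stop forwarding, i.e. the outage the note warns of.
"""
from typing import Set

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse IOS-style lists such as '1-5,4000'; 'all' and 'none' are accepted."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_id, hi_id = int(lo), int(hi or lo)
        if not 1 <= lo_id <= hi_id <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo_id, hi_id + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Render a set back into the compressed form IOS shows, e.g. '1-5,4000'."""
    ids = sorted(vlans)
    out, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out) or "none"


def apply_allowed_vlan(current: str, command: str) -> str:
    """Return the allowed list after 'switchport trunk allowed vlan ...' is applied."""
    words = command.split()
    if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
        raise ValueError(f"not a trunk allowed-vlan command: {command!r}")
    keyword, rest = words[4], "".join(words[5:])
    cur = parse_vlan_list(current)
    if keyword == "add":
        new = cur | parse_vlan_list(rest)           # extends the list: safe
    elif keyword == "remove":
        new = cur - parse_vlan_list(rest)
    elif keyword == "except":
        new = set(ALL_VLANS) - parse_vlan_list(rest)
    else:
        new = parse_vlan_list("".join(words[4:]))  # bare list: REPLACES the whole list
    return format_vlan_list(new)


def dropped_vlans(current: str, command: str) -> Set[int]:
    """VLANs carried today that the command would stop forwarding on the trunk."""
    return parse_vlan_list(current) - parse_vlan_list(apply_allowed_vlan(current, command))


# Constructed starting point: a production trunk already carrying VLANs 1-5 and 100-110.
EXISTING_TRUNK = "1-5,100-110"

if __name__ == "__main__":
    for cmd in ("switchport trunk allowed vlan 4000", "switchport trunk allowed vlan add 4000"):
        print(f"{cmd}\n  -> allowed {apply_allowed_vlan(EXISTING_TRUNK, cmd)}"
              f", cut off {format_vlan_list(dropped_vlans(EXISTING_TRUNK, cmd))}")
```

Running it shows the bare form leaving only VLAN 4000 on the trunk (VLANs 1-5 and 100-110 cut off), while the add form yields 1-5,100-110,4000 with nothing dropped. The same check can be run against the real list from show interfaces trunk before a change window.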

The user inputs for this example would be:

Uplink Gateway IP:      10.20.20.254
Host Uplink VLAN:       4000
Host Uplink IP:         10.20.20.174/24   // assuming this is a free address in the subnet
Micro Edge Uplink IP:   10.20.20.175/24   // assuming this is a free address in the subnet

These inputs would translate as below on the host switch and the Micro Edge.

Host Switch

An SVI 4000 (host uplink VLAN) is used mainly as a source address for identity traffic from the host to the Micro Edge and should be created with IP address 10.20.20.174/24 (host uplink IP)

!
interface Vlan4000
 ip address 10.20.20.174 255.255.255.0

Micro Edge

Uplink interface eth1 would be configured with 10.20.20.175/24 (Micro Edge Uplink IP):

sh-4.4# ip -f inet addr show eth1
32: eth1@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.20.20.175/24 scope global eth1
       valid_lft forever preferred_lft forever

And a default route would be configured with 10.20.20.254 (Uplink Gateway IP) as the next hop:

sh-4.4# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.20.254    0.0.0.0         UG    0      0        0 eth1

Layer 3 Access Switch Deployment Model

[Figure: Layer 3 access switch deployment model]

The host switch has a layer 3 interface (Te1/0/48) with IP address 192.168.0.9/24 connected to an uplink switch or router for internet access. Alternatively, a trunked SVI could be used rather than a routed interface for upstream connectivity. The upstream router's address is 192.168.0.1 and is configured as the switch's static default route; it is not entered as the Uplink Gateway IP input, because in this design the switch, not the Micro Edge, routes to it. Alternatively, an IGP could be configured and a peering established over the layer 3 interface or SVI so that the default route is learned dynamically from the upstream switch or router.

!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
interface TenGigabitEthernet1/0/48
 no switchport
 ip address 192.168.0.9 255.255.255.0

The user inputs for this case would be:

Uplink Gateway IP:      None (switch does routing)
Host Uplink VLAN:       4000              // assuming this is a free VLAN on the host
Host Uplink IP:         10.20.20.174/24   // assuming this is a free subnet
Micro Edge Uplink IP:   10.20.20.175/24   // assuming this is a free subnet

These inputs would translate as below on the host switch and the Micro Edge.

Host Switch

An SVI 4000 (host uplink VLAN) is used mainly as a source address for identity traffic from the host to the Micro Edge and should be created with IP address 10.20.20.174/24 (host uplink IP)

!
interface Vlan4000
 ip address 10.20.20.174 255.255.255.0

Micro Edge

Uplink interface eth1 would be configured with 10.20.20.175/24 (Micro Edge Uplink IP):

sh-4.4# ip -f inet addr show eth1
32: eth1@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.20.20.175/24 scope global eth1
       valid_lft forever preferred_lft forever

And the default route would point at 10.20.20.174 (Host Uplink IP) as the next hop. The switch then routes the traffic from the Micro Edge upstream to reach Cloud Control Center:

sh-4.4# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.20.174    0.0.0.0         UG    0      0        0 eth1


If all fields have the correct entries, select Generate Configuration and Cloud Control Center will lead you to the next page. Otherwise, an error will be displayed. Correct the errors and click on Generate Configuration again.
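The consistency rules behind that error check, as an added example that is not Elisity's code and does not reproduce what Cloud Control Center actually runs: a Python model of the Step 5 guidelines (management and uplink addresses in the right subnets, distinct and usable; a gateway inside the uplink subnet for the layer 2 design, no gateway and a private transit subnet for the layer 3 design) applied to the inputs of the two worked examples above, which then renders the vNIC, gateway and SVI lines of the resulting app-hosting configuration. The host management address 10.10.10.174/24 is assumed, since the page shows only the Micro Edge's 10.10.10.175; the rendered block omits the resource profile and the service enablement lines of the generated file.

```python
"""Validate Micro Edge address-plan inputs and render the resulting app-hosting lines.

Added example (not Elisity's code). It re-implements the consistency rules this
page states for the Step 5 form fields and renders the vNIC/gateway/SVI lines so
the two deployment models can be compared side by side.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass(frozen=True)
class MicroEdgeInputs:
    """The Step 5 form fields. Addresses are written as IP/prefix."""
    design: str                               # "l2" or "l3" access switch design
    host_mgmt_ip: str                         # Host Management IP (gi0/0)
    me_mgmt_ip: str                           # Micro Edge Management IP (eth0)
    host_uplink_vlan: int                     # Host Uplink VLAN
    host_uplink_ip: str                       # Host Uplink IP (SVI on the uplink VLAN)
    me_uplink_ip: str                         # Micro Edge Uplink IP (eth1)
    uplink_gateway_ip: Optional[str] = None   # Uplink Gateway IP, layer 2 design only


def validate(inp: MicroEdgeInputs) -> List[str]:
    """Return the list of rule violations (empty means the inputs are consistent)."""
    if inp.design not in ("l2", "l3"):
        return ["design must be 'l2' or 'l3'"]
    errors: List[str] = []
    if not 1 <= inp.host_uplink_vlan <= 4094:
        errors.append("host uplink VLAN must be 1-4094")

    host_mgmt, me_mgmt = IPv4Interface(inp.host_mgmt_ip), IPv4Interface(inp.me_mgmt_ip)
    host_up, me_up = IPv4Interface(inp.host_uplink_ip), IPv4Interface(inp.me_uplink_ip)

    # Management side: both addresses sit in the switch's management subnet and differ.
    if host_mgmt.network != me_mgmt.network:
        errors.append("Micro Edge management IP must be in the host management subnet")
    if host_mgmt.ip == me_mgmt.ip:
        errors.append("Micro Edge and host management IPs must differ")

    # Uplink side: host SVI and Micro Edge eth1 share one subnet, as distinct usable hosts.
    if host_up.network != me_up.network:
        errors.append("Micro Edge uplink IP must be in the host uplink subnet")
    if host_up.ip == me_up.ip:
        errors.append("Micro Edge and host uplink IPs must differ")
    for label, iface in (("host uplink", host_up), ("Micro Edge uplink", me_up)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            errors.append(f"{label} IP is the network or broadcast address")

    if inp.design == "l2":
        # The Micro Edge's default route points at an upstream gateway in the uplink subnet.
        if inp.uplink_gateway_ip is None:
            errors.append("uplink gateway IP is required for the layer 2 design")
        else:
            gw = IPv4Address(inp.uplink_gateway_ip)
            if gw not in host_up.network:
                errors.append("uplink gateway IP must be in the host uplink subnet")
            elif gw in (host_up.ip, me_up.ip):
                errors.append("uplink gateway IP collides with a host or Micro Edge address")
    else:
        # The switch routes for the Micro Edge: no gateway is entered, and the uplink
        # subnet is a private transit network that exists only between the two.
        if inp.uplink_gateway_ip is not None:
            errors.append("uplink gateway IP is not used in the layer 3 design")
        if not host_up.network.is_private:
            errors.append("layer 3 design expects an unused private subnet for the uplink")
    return errors


def default_gateway(inp: MicroEdgeInputs) -> str:
    """Address written into app-default-gateway: upstream router (L2) or host SVI (L3)."""
    if inp.design == "l2":
        return str(inp.uplink_gateway_ip)
    return str(IPv4Interface(inp.host_uplink_ip).ip)


def render_app_hosting(inp: MicroEdgeInputs, appid: str = "Elisity_Microedge") -> str:
    """Render the vNIC/gateway part of the app-hosting block plus the uplink SVI."""
    problems = validate(inp)
    if problems:
        raise ValueError("; ".join(problems))
    me_up, me_mgmt = IPv4Interface(inp.me_uplink_ip), IPv4Interface(inp.me_mgmt_ip)
    host_up = IPv4Interface(inp.host_uplink_ip)
    return "\n".join([
        f"app-hosting appid {appid}",
        " app-vnic AppGigabitEthernet trunk",
        f"  vlan {inp.host_uplink_vlan} guest-interface 1",
        f"   guest-ipaddress {me_up.ip} netmask {me_up.netmask}",
        " app-vnic management guest-interface 0",
        f"  guest-ipaddress {me_mgmt.ip} netmask {me_mgmt.netmask}",
        f" app-default-gateway {default_gateway(inp)} guest-interface 1",
        "!",
        f"vlan {inp.host_uplink_vlan}",
        f"interface Vlan{inp.host_uplink_vlan}",
        f" ip address {host_up.ip} {host_up.netmask}",
    ])


# Inputs from the page's two worked examples. The host management address
# 10.10.10.174/24 is assumed; the page shows only the Micro Edge side (10.10.10.175).
L2_EXAMPLE = MicroEdgeInputs("l2", "10.10.10.174/24", "10.10.10.175/24", 4000,
                             "10.20.20.174/24", "10.20.20.175/24", "10.20.20.254")
L3_EXAMPLE = MicroEdgeInputs("l3", "10.10.10.174/24", "10.10.10.175/24", 4000,
                             "10.20.20.174/24", "10.20.20.175/24")

if __name__ == "__main__":
    for example in (L2_EXAMPLE, L3_EXAMPLE):
        print(f"--- {example.design} design ---")
        print(render_app_hosting(example))
```

The only line that differs between the two rendered blocks is app-default-gateway: the upstream router's 10.20.20.254 in the layer 2 design and the switch's own SVI 10.20.20.174 in the layer 3 design, which is exactly what the page's route -n outputs show.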

Download the Micro Edge bootstrap JSON file and the Micro Edge tar file to a location the host switch can reach. Either copy the files to a USB drive, insert it into the switch's front-panel USB port and copy them from there to usbflash1: (the SSD module on which the container runs), or SCP the files from your workstation directly to usbflash1: (SCP to the switch requires ip scp server enable). Follow the steps outlined in the switch configuration file to set the switch up for communication with the Micro Edge container. Treat the bootstrap file as sensitive configuration and remove any copies left on removable media once the installation has completed.


Below is the content of the host switch configuration file generated from the layer 2 access switch example. Notice how the default gateway IP is pointed at the IP specified in the Uplink Gateway IP field. Note also what the file enables on the switch for the Micro Edge: IOx application hosting, the HTTP and HTTPS servers with authentication against the local user database, NETCONF and RESTCONF. The container's resolver is set to 8.8.8.8; if the uplink subnet cannot reach public DNS, change name-server0 to an internal resolver before applying the file.

# Step 1: Download the docker tar file provided by your Elisity SE and copy to switch.
#     - The docker file should be downloaded to a local customer location to which Catalyst9000 has access.
#     - Copy the docker tar file to usbflash1: of Catalyst9000.
# Step 2: Copy the downloaded "BootStrap Configuration" file to usbflash1: of Catalyst9000 as Elisity_Microedge.json
# Step 3: Apply the below configurations on Catalyst9000
     ip routing
     iox
     ip http server
     ip http authentication local
     ip http secure-server
     netconf-yang
     netconf-yang feature candidate-datastore
     restconf
     interface AppGigabitEthernet1/0/1
       switchport mode trunk
     app-hosting appid Elisity_Microedge
      app-vnic AppGigabitEthernet trunk
       vlan 4000 guest-interface 1
        guest-ipaddress 10.20.20.175 netmask 255.255.255.0
      app-vnic management guest-interface 0
       guest-ipaddress 10.10.10.175 netmask 255.255.255.0
      app-default-gateway 10.20.20.254 guest-interface 1
      app-resource docker
       run-opts 1 "--entrypoint /etc/init.d/cat9k"
      app-resource profile custom
       cpu 1024
       memory 800
       persist-disk 500
       vcpu 2
      name-server0 8.8.8.8
      start
! Optionally configure the VLAN and VLAN interface if not already provisioned on switch
     vlan 4000
     interface Vlan4000
      ip address 10.20.20.174 255.255.255.0

# Step 4: Execute the following exec command on Catalyst9000
     app-hosting install appid Elisity_Microedge package usbflash1:<tar file name>
     app-hosting data appid Elisity_Microedge copy usbflash1:Elisity_Microedge.json ee_cfg.json

# Step 5: Verify Elisity microedge is RUNNING using following exec command on Catalyst9000
     show app-hosting list

Below is the content of the host switch configuration file generated from the layer 3 access switch example. Notice how the default gateway IP is pointed at the host switch SVI:

# Step 1: Download the docker tar file provided by your Elisity SE and copy to switch.
#     - The docker file should be downloaded to a local customer location to which Catalyst9000 has access.
#     - Copy the docker tar file to usbflash1: of Catalyst9000.
# Step 2: Copy the downloaded "BootStrap Configuration" file to usbflash1: of Catalyst9000 as Elisity_Microedge.json
# Step 3: Apply the below configurations on Catalyst9000
     ip routing
     iox
     ip http server
     ip http authentication local
     ip http secure-server
     netconf-yang
     netconf-yang feature candidate-datastore
     restconf
     interface AppGigabitEthernet1/0/1
       switchport mode trunk
     app-hosting appid Elisity_Microedge
      app-vnic AppGigabitEthernet trunk
       vlan 4000 guest-interface 1
        guest-ipaddress 10.20.20.175 netmask 255.255.255.0
      app-vnic management guest-interface 0
       guest-ipaddress 10.10.10.175 netmask 255.255.255.0
      app-default-gateway 10.20.20.174 guest-interface 1
      app-resource docker
       run-opts 1 "--entrypoint /etc/init.d/cat9k"
      app-resource profile custom
       cpu 1024
       memory 800
       persist-disk 500
       vcpu 2
      name-server0 8.8.8.8
      start
! Optionally configure the VLAN and VLAN interface if not already provisioned on switch
     vlan 4000
     interface Vlan4000
      ip address 10.20.20.174 255.255.255.0

# Step 4: Execute the following exec command on Catalyst9000
     app-hosting install appid Elisity_Microedge package usbflash1:<tar file name>
     app-hosting data appid Elisity_Microedge copy usbflash1:Elisity_Microedge.json ee_cfg.json

# Step 5: Verify Elisity microedge is RUNNING using following exec command on Catalyst9000
     show app-hosting list

After the Micro Edge has been configured and connectivity to Cloud Control Center established, the Micro Edge should be listed on the Elisity Edge page. If show app-hosting list does not report the app as RUNNING, show app-hosting detail appid Elisity_Microedge gives the full state of the container on the switch.


The Device Track feature enables the Micro Edge to glean additional user, application, and device identity via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after deploying an Elisity Micro Edge.


To review all the previously provisioned Micro Edges, select More Options > Micro Edge Configuration. From here, an administrator can review and edit the configured Micro Edge variables, delete unwanted Micro Edge configurations, and more.


In addition, the Micro Edge container tar file can be downloaded from this section of Cloud Control Center by selecting More Options > Download Micro Edge Container (tar).
