
Elisity Virtual Edge Deployment Guide

Elisity Virtual Edge is a hypervisor-deployed virtual machine that collects device and user identity telemetry, forwards network information to Cloud Control Center, and learns and distributes policy across the enterprise access infrastructure.


Today, all Cisco Catalyst 3850 and 3650 models support least-privilege policy control via Elisity Virtual Edge. Cisco StackWise switch stacking is also supported. Cisco Catalyst 9000 series models will be supported in a future release.

NOTE:

  • Catalyst 3850/3650 series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.
  • Catalyst 9000 series switches (future support) will require a minimum of DNA Advantage licensing to be onboarded as Virtual Edge Nodes.
  • The Elisity Virtual Edge has been developed to work with IOS-XE version 16.12.5b. While it may work with earlier versions of IOS-XE, we cannot guarantee that it will operate correctly.
  • The Virtual Edge VM should be configured with NTP. You can use your own NTP server or a public one such as time.google.com.
  • All switches being onboarded with Cloud Control Center must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com.

The Elisity Virtual Edge has two virtual interfaces: a management interface (ma0) and a data interface (Gi0-1). Administrators use the management interface to SSH to the appliance for initial deployment and troubleshooting. The data interface is the source address used to reach Cloud Control Center, to glean the identity and behavior of users, apps, and devices on the network, and to communicate policy to all onboarded Virtual Edge Nodes (access switches).

The following image is a high-level depiction of the Elisity Virtual Edge architecture:

NOTE: Elisity Virtual Edge supports both layer 3 and layer 2 industry-standard access switch designs. The only requirement is IP connectivity between the Virtual Edge and the Virtual Edge Nodes (access switches).

The following terms are used throughout this document.

Virtual Edge 

The on-premises Elisity Identity and Policy Engine, deployed on a hypervisor as a virtual machine. It connects to Cloud Control Center and manages policy on onboarded Virtual Edge Nodes (access switches).

Virtual Edge Management IP

This IP address is assigned to the ma0 management port on the Virtual Edge. Administrators connect to it over SSH to initially configure and troubleshoot the appliance. It can be in any subnet and VLAN as long as it is reachable by administrators. DHCP is enabled by default on the ma0 interface for initial zero-touch management access.

Virtual Edge Uplink IP

This IP address is assigned to the data interface Gi0-1 on the Virtual Edge. It can be in any subnet and VLAN as long as it has reachability to all of the Virtual Edge Nodes. This IP address is used as the source to reach Cloud Control Center, to glean the identity and behavior of users, apps, and devices on the network, and to communicate the policy to all onboarded Virtual Edge Nodes (access switches). 

Virtual Edge Uplink Gateway IP

The default gateway IP is in the same subnet and VLAN as the Virtual Edge Uplink IP. This is configured on the Virtual Edge as the default route next hop in order for the Virtual Edge to reach Cloud Control Center and the managed Virtual Edge Nodes (access switches). 

Virtual Edge Uplink VLAN

This can be any VLAN of your choosing and does not have to match the VLAN configured on the VMware ESXi data Port Group. Today, the VLAN configured on the Virtual Edge by this field is used only as an internal identifier.

Virtual Edge Node

The onboarded enterprise access switch, managed by the Virtual Edge for policy control.

Virtual Edge Node Management IP

The IP address on the Virtual Edge Node (access switch) that the Virtual Edge communicates with. This can be any IP in any VLAN as long as it has IP reachability to the Virtual Edge.

Virtual Edge Node ERSPAN Source IP

The IP address on the Virtual Edge Node (access switch) used as the source of ERSPAN traffic. This is usually the same as the Virtual Edge Node Management IP but can be any routable IP address.


Cloud Control Center Prerequisite:

Before onboarding a Virtual Edge and its Virtual Edge Nodes, an Elisity Edge Subnet must be configured in Cloud Control Center. When a Virtual Edge or Elisity Edge is deployed, Cloud Control Center dynamically hands out an IP from this subnet to the Edge as an internal fabric identifier. Any IP range can be used, but a private (RFC 1918) range or one owned by the enterprise is recommended.

To configure the Elisity Edge Subnet, navigate to Administration > Settings > Elisity Edge.

Virtual Edge VM Deployment

Deploy the Elisity Virtual Edge virtual machine on ESXi. The Virtual Edge VM is distributed as an OVA and takes only a couple of minutes to deploy fully.

Step 1: Configure ESXi Port Groups for the Virtual Edge. Two Port Groups are required: one for the management interface and one for the data interface.

NOTE: 

The Data Port Group must be configured to accept both Promiscuous Mode and Forged Transmits. The management Port Group does NOT need this configuration. Because every VM attached to a promiscuous Port Group can see all traffic on it, dedicate the Data Port Group to the Virtual Edge and do not place other VMs on it.

Step 2: Deploy the OVA by following the steps in the wizard below. 

It is best practice to enable Autostart for the VM so that it starts automatically if the hypervisor host reboots. This avoids a service interruption after a hypervisor host outage.

Step 3: Provision the Virtual Edge in Cloud Control Center by navigating to Policy Fabric > Elisity Edge > Add Edge and filling in the fields described in the terminology section above (Uplink IP, Uplink Gateway IP, Uplink VLAN).

Step 4: After you click Submit & Generate Configuration, Cloud Control Center automatically downloads the Virtual Edge and Virtual Edge Node initial configurations to your workstation. You can edit or fetch the configuration at any point by selecting the three dots next to the Virtual Edge and choosing Edit/Download Virtual Edge Configuration.

Here is an example of the initial configuration file generated by Cloud Control Center.

Configuration commands on VE:
=============================

cloud-manage example-tls.elisity.net
cloud-manage-gateway 10.60.1.1
vlan 601
cloud-manage-vlan 601

# update the nameserver to your choice
nameserver 8.8.8.8

ip route 0.0.0.0/0 10.60.1.1

interface Gig0-1
 no portmode routed
 vlan mode access
 access vlan 601

interface etun0
 mtu 1500
 ip address 10.60.1.11/24


Commands to configure REST API on Catalyst switch:
=================================================

ip routing
ip http secure-server
netconf-yang
netconf-yang feature candidate-datastore
restconf
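Before pasting the generated file into the appliance, it is worth checking that the fields Cloud Control Center wrote are consistent with each other, since an uplink gateway outside the uplink subnet or a mismatched VLAN will keep the Virtual Edge from ever reaching Cloud Control Center. The script below is an added example and not part of Elisity's tooling or the original guide: it parses the plain-text Virtual Edge command format shown above (the same keywords also appear in `show run` output) and verifies the relationships this guide states, namely that the gateway is another host in the uplink subnet, that the default route's next hop is that gateway, and that `vlan`, `cloud-manage-vlan` and the data interface's `access vlan` agree. It also tests whether the Elisity Edge Subnet from the prerequisite section is an RFC 1918 range. The interface names `Gig0-1` and `etun0` default to the ones used in this guide, and the embedded sample is the example file above.

```python
"""Consistency checks for the Virtual Edge configuration that Cloud Control
Center generates. Added example (not Elisity code): it parses the plain-text
command format shown in the guide and checks the relationships the guide states."""
import ipaddress
import re

# Constructed sample: the Virtual Edge portion of the example file in the guide.
SAMPLE_VE_CONFIG = """\
cloud-manage example-tls.elisity.net
cloud-manage-gateway 10.60.1.1
vlan 601
cloud-manage-vlan 601

# update the nameserver to your choice
nameserver 8.8.8.8

ip route 0.0.0.0/0 10.60.1.1

interface Gig0-1
 no portmode routed
 vlan mode access
 access vlan 601

interface etun0
 mtu 1500
 ip address 10.60.1.11/24
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ve_config(text):
    """Extract the fields the checks need. Indented lines belong to the most
    recent `interface` block; indented lines under other blocks (such as the
    `vlan` or `monitor session` blocks in `show run`) are ignored."""
    cfg = {"routes": [], "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        if line[0].isspace():
            if current is None:
                continue
            m = re.match(r"\s+ip address (\S+)$", line)
            if m and m.group(1) != "dhcp":
                cfg["interfaces"][current]["ip"] = ipaddress.ip_interface(m.group(1))
            m = re.match(r"\s+access vlan (\d+)$", line)
            if m:
                cfg["interfaces"][current]["access_vlan"] = int(m.group(1))
            continue
        current = None
        tok = line.split()
        if tok[0] == "interface":
            current = tok[1]
            cfg["interfaces"].setdefault(current, {})
        elif tok[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(tok[2]), ipaddress.ip_address(tok[3])))
        elif tok[0] in ("cloud-manage", "nameserver"):
            cfg[tok[0]] = tok[1]
        elif tok[0] == "cloud-manage-gateway":
            cfg[tok[0]] = ipaddress.ip_address(tok[1])
        elif tok[0] in ("vlan", "cloud-manage-vlan"):
            cfg[tok[0]] = int(tok[1])
    return cfg


def check_ve_config(cfg, data_if="Gig0-1", uplink_if="etun0"):
    """Return a list of problems; an empty list means the file is consistent.
    Interface names default to the ones this guide uses."""
    problems = []
    uplink = cfg["interfaces"].get(uplink_if, {}).get("ip")
    gw = cfg.get("cloud-manage-gateway")
    if uplink is None or gw is None:
        return [f"missing `ip address` on {uplink_if} or `cloud-manage-gateway`"]
    # The gateway must be another host in the uplink subnet.
    if gw not in uplink.network or gw == uplink.ip:
        problems.append(f"gateway {gw} is not another host in uplink subnet {uplink.network}")
    # The default route's next hop must be that gateway.
    next_hops = [nh for net, nh in cfg["routes"] if net.prefixlen == 0]
    if next_hops != [gw]:
        problems.append(f"default route next hop {next_hops} does not match gateway {gw}")
    # `vlan`, `cloud-manage-vlan` and the data interface's `access vlan` must agree.
    vlans = {cfg.get("vlan"), cfg.get("cloud-manage-vlan"),
             cfg["interfaces"].get(data_if, {}).get("access_vlan")}
    if len(vlans) != 1 or None in vlans:
        problems.append(f"uplink VLAN is inconsistent: {vlans}")
    # The cloud-manage hostname needs a resolver.
    try:
        ipaddress.ip_address(cfg.get("nameserver", ""))
    except ValueError:
        problems.append("nameserver is missing or not an IP address")
    if not cfg.get("cloud-manage"):
        problems.append("cloud-manage hostname is missing")
    return problems


def edge_subnet_is_rfc1918(subnet):
    """True if the Elisity Edge Subnet configured in Cloud Control Center lies
    entirely within an RFC 1918 block, as the prerequisite section recommends."""
    net = ipaddress.ip_network(subnet, strict=False)
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)
```

Run `check_ve_config(parse_ve_config(text))` on the downloaded file; an empty list means the addressing is internally consistent. It does not prove reachability, so still confirm from the appliance that the gateway answers and that the cloud-manage hostname resolves.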


Step 5: Copy the initial configuration to the Virtual Edge VM, either through the ESXi virtual console or through an SSH session to the VM if the ma0 interface received an IP address via DHCP.

NOTE:

Ask your Elisity Sales Engineer for the Virtual Edge default login credentials. These are defaults, so change them after the first login. After logging in, enter eshell at the command prompt to enter Elisity CLI mode.

eshell(VE1)# do show run
Building configuration...

Current configuration:
!
elisity version 3.0.22
elisity defaults traditional
hostname VE1
!
cloud-manage example-tls.elisity.net
cloud-manage-gateway 10.60.1.1
cloud-manage-vlan 601
nameserver  8.8.8.8
vlan 601
  set mac-age 5 
monitor session 1 type erspan-destination
 source srcip 10.60.0.1 dstip 10.60.1.11 
no ipv6 forwarding
username netadmin group netadmin password &4DP7SfSs.iE92
ztp disable
!
ip route 0.0.0.0/0 10.60.1.1
!
interface Gig0-1
 access vlan 601
 no portmode routed
 no shutdown
 vlan mode access
!
interface etun0
 ip address 10.60.1.11/24
 mtu 1500
 no shutdown
!
interface sys0
 ip address 1.1.1.8/32
 no shutdown
!
interface ma0 vrf mgmt
 ip address dhcp
!
end
eshell(VE1)#

Step 6: After configuring the Virtual Edge, verify that it has successfully registered with Cloud Control Center by navigating to Policy Fabric > Elisity Edge or by issuing show cloud-manage status in the Elisity CLI. The TLS session details should show an ESTABLISHED connection from the Virtual Edge Uplink IP to Cloud Control Center on port 443.

eshell(VE1)# show cloud-manage status
Cloud-manage session status:

Registration Status: Registered

TLS Underlay mapping Table
--------------------------------
TLS IP                   Session Idx (Thread idx)  
18.189.65.93:443                 1       1 

TLS Overlay mapping Table
-----------------------------
Dst IP           TLS IP
10.202.4.8       18.189.65.93:443
10.202.4.185     18.189.65.93:443
18.189.65.93     18.189.65.93:443
10.202.4.51      18.189.65.93:443
10.202.4.92      18.189.65.93:443


TLS session details:
Thread 0: no sessions

Connection                                        State          Rx-f      Tx-f      
[1:0][T] 10.60.1.11:56303->18.189.65.93:443       ESTABLISHED    0         0         
[1:1][TLS] app_wrk 1 index 0 engine 2 tcp 1:0     state: 4      0         0         
Thread 1: active sessions 2
Thread 2: no sessions

Virtual Edge Node (access switch) Deployment

Now that the Virtual Edge is up and running, we can onboard Virtual Edge Nodes (access switches). 

Step 1: Before onboarding a Virtual Edge Node, apply its initial configuration so that the Virtual Edge can communicate with it via REST API. Apply the following commands to every Virtual Edge Node (access switch) you plan to onboard.

Commands to configure REST API on Catalyst switch:
=================================================

ip routing
ip http secure-server
netconf-yang
netconf-yang feature candidate-datastore
restconf
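The same five commands appear in the file generated in Step 4 above and in this step. The script below is an added example (not Elisity or Cisco code, and not part of the original guide) that a practitioner can run against saved `show running-config` and `show version` text before attempting onboarding. It reports anything this guide says a Catalyst 3850/3650 node needs: each required command present and not negated, an `ntp server` so the switch clock can be synchronized as the NOTE at the top requires, an IOS-XE release no older than the tested 16.12.5b, and a license level of at least IPBase. The sample outputs are constructed and much shorter than real ones; the `License Level:` line and the `Version` line formats are the ones IOS-XE prints in `show version`.

```python
"""Pre-onboarding checks for a Catalyst 3850/3650 Virtual Edge Node. Added
example (not Elisity or Cisco code): it inspects `show running-config` and
`show version` text and reports what the guide says the switch needs first."""
import re

# Constructed sample output; a real running-config has many more lines.
SAMPLE_RUNNING_CONFIG = """\
hostname ACCESS-SW-01
!
ip routing
!
ntp server 10.60.0.50
!
ip http secure-server
!
netconf-yang
netconf-yang feature candidate-datastore
restconf
!
end
"""

# Constructed sample; only the lines the checks read are included.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 16.12.05b
License Level: Ipbase
License Type: Permanent
"""

# Commands the guide requires on every node so the Virtual Edge can use the REST API.
REQUIRED_COMMANDS = (
    "ip routing",
    "ip http secure-server",
    "netconf-yang",
    "netconf-yang feature candidate-datastore",
    "restconf",
)
# Release the Virtual Edge was developed against; earlier releases are untested.
MIN_IOS_XE = (16, 12, 5, "b")
# IPBase is the minimum for 3850/3650; IP Services is the tier above it.
ACCEPTED_LICENSES = {"ipbase", "ipservices"}


def parse_ios_xe_version(show_version):
    """Return (major, minor, maintenance, rebuild letter) or None.
    Accepts both spellings Cisco prints, e.g. 16.12.05b and 16.12.5b."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)([a-z]?)", show_version)
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None


def parse_license_level(show_version):
    """Return the license level in lower case, or None if not found."""
    m = re.search(r"License Level:\s*(\S+)", show_version, re.IGNORECASE)
    return m[1].lower() if m else None


def format_version(v):
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"


def check_node_prereqs(running_config, show_version):
    """Return a list of problems; an empty list means the switch is ready to onboard."""
    problems = []
    lines = {l.strip() for l in running_config.splitlines()
             if l.strip() and not l.startswith("!")}
    for cmd in REQUIRED_COMMANDS:
        if f"no {cmd}" in lines:
            problems.append(f"explicitly disabled: no {cmd}")
        elif cmd not in lines:
            problems.append(f"missing: {cmd}")
    # Attachment events are displayed against Active Directory time, so the
    # switch clock must be synchronized.
    if not any(l.startswith("ntp server ") for l in lines):
        problems.append("no `ntp server` configured")
    ver = parse_ios_xe_version(show_version)
    if ver is None:
        problems.append("could not determine IOS-XE version")
    elif ver < MIN_IOS_XE:
        problems.append(f"IOS-XE {format_version(ver)} is older than the tested "
                        f"{format_version(MIN_IOS_XE)}")
    lic = parse_license_level(show_version)
    if lic not in ACCEPTED_LICENSES:
        problems.append(f"license level {lic!r} is below IPBase")
    return problems
```

Two caveats worth keeping in mind when you apply these commands. `ip http secure-server` with `restconf` opens an HTTPS management listener on TCP 443, and `netconf-yang` opens NETCONF over SSH on TCP 830; both are authenticated with the switch credentials you enter in Step 3, and IOS-XE only grants NETCONF/RESTCONF access to privilege-15 users, so that account is an administrative credential for the switch. Use a dedicated account for the Virtual Edge rather than a shared admin login, and restrict reachability of those two ports to the Virtual Edge Uplink IP.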


Step 2: In Cloud Control Center, navigate to Policy Fabric > Elisity Edge. Select the three dots next to the Virtual Edge and select Add Virtual Edge Node.

Step 3: Fill out the required IP address, login credentials and location information for the Virtual Edge Node (access switch) you wish to onboard and select Submit.

Select the arrow next to the Virtual Edge to see all of the Virtual Edge Nodes that are being discovered or have fully registered. Within a minute, the status of the Virtual Edge Node you just onboarded should change from Discovered to Registered.

The Device Track feature lets the Virtual Edge Node glean additional user, application, and device identity via Cisco IP Device Tracking. It is disabled by default; enabling it after onboarding a Virtual Edge Node is recommended.

The Elisity Virtual Edge dynamically configures the Virtual Edge Node (access switch) with the IOS-XE configuration it needs to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies are pushed to the appropriate Virtual Edge Node immediately after onboarding.