
Elisity Virtual Edge Deployment Guide (Switch Hosted)

Elisity Virtual Edge (Switch Hosted) is a Docker container-based implementation of the Elisity Cognitive Trust software that runs on a Cisco Catalyst 9000 series switch using the switch's integrated application hosting functionality.

 

Currently, all Cisco Catalyst 9300, 9300L and 9400 models support hosting the Elisity Virtual Edge container through Cisco Application Hosting, including switches stacked with Cisco StackWise. Additional switch models will be supported in future releases. Please see the switch compatibility matrix for more details.

NOTE:

  • Switches running Elisity Virtual Edge must be equipped with a supported storage device such as the SSD-120G or C9400-SSD-240GB (M.2) module. Front panel USB and internal flash are not supported.
  • Application hosting on Catalyst 9000 series switches requires DNA Advantage licensing. This requirement is not unique to the Elisity Virtual Edge container; it is imposed by Cisco on the application hosting environment within IOS-XE.
  • Elisity Virtual Edge was developed and tested on IOS-XE 17.6.1. It may work with earlier IOS-XE versions, but correct operation on them is not guaranteed.
  • All switches running Elisity Virtual Edge must have their clocks synchronized with the Active Directory server so that attachment events are timestamped accurately. You can use your own NTP server or a public one such as time.google.com.
  • Catalyst 9400 series switches must have application hosting package signature verification disabled with the app-hosting verification disable command before the container can be installed. With verification disabled the switch will install an unsigned package, so before installing compare the checksum of the .tar file on the switch (for example with verify /md5 usbflash1:<tar file name>) against the checksum of the file you received from your Elisity SE.



The following chart describes the terminology used in this document:

  • Cloud Control Center: Elisity's cloud-native, cloud-delivered control, policy and management plane.
  • Virtual Edge: The Elisity Cognitive Trust software running as a Docker container on an access or aggregation switch that supports application hosting.
  • Virtual Edge Node: An access switch onboarded to a Virtual Edge to be used as a policy enforcement point in the network.

 

Deploying Elisity Virtual Edge (Switch Hosted)

The Elisity Virtual Edge container has a single virtual interface, used both to communicate with Cloud Control Center and to reach the Virtual Edge Nodes. Toward Cloud Control Center, this interface maintains a persistent control plane connection over which the Virtual Edge receives identity-based policies and sends identity metadata and analytics. Toward the Virtual Edge Nodes, the same interface is used to glean identity metadata, traffic analytics and other switch information, to read the Catalyst configuration, and to configure security policies, traffic filters and other switch functions. All of this traffic is sourced from the container's uplink IP, so that is the address any firewall between the switch and Cloud Control Center or the Virtual Edge Nodes must permit.

Elisity Virtual Edge supports both a 1:1 and a 1:many model. In the 1:1 model you deploy a Virtual Edge on every access switch that supports application hosting and onboard that same switch as its own Virtual Edge Node. In the 1:many model you deploy a Virtual Edge on an aggregation switch that supports application hosting and onboard many access switches as Virtual Edge Nodes. The 1:many model is useful when the access switches to be onboarded do not support application hosting (for example Catalyst 3850 or Catalyst 9200), but any supported switch can be onboarded in either model. Both models are depicted below:


Step 1: To deploy Elisity Virtual Edge on a Catalyst 9000 series switch, first ensure that the switch is running a Network Advantage license with the DNA Advantage add-on. Check the current license level from exec mode and, if the DNA Advantage add-on is missing, set the boot level from global configuration mode. A change to the license boot level only takes effect after a reload, so save the configuration and reload the switch before continuing.

switch# show license summary
! check the current license level first
switch(config)# license boot level network-advantage addon dna-advantage


Step 2:
If the switch hosting the Virtual Edge container is also going to be onboarded as a Virtual Edge Node, the switch needs either a local user account with privilege 15 or TACACS/RADIUS login configured to grant privilege 15 access. The Virtual Edge uses these credentials to authenticate to the host switch. Because the credentials grant full administrative access and are stored in Cloud Control Center when the node is onboarded, use an account dedicated to the Virtual Edge rather than a shared administrator login, so that its configuration changes are attributable in the switch logs and AAA accounting. If a local account is being used and is not already configured, execute the following command under global configuration mode (the secret keyword stores the password as a hash in the configuration, unlike the older password keyword):

switch(config)# username <username> privilege 15 secret 0 <password>


Step 3:
Log into Cloud Control Center and navigate to Policy Fabric > Elisity Edge > Add Edge.


Step 4:
Select the Virtual Edge tile.


Step 5:
Fill out the required fields and select Submit & Generate Configuration. Details about each field are provided in the chart below. These details can always be viewed and edited later by selecting the more options icon to the right of the Virtual Edge and selecting Edit/Download Virtual Edge Configuration.

The following chart provides details about each field:

Uplink IP Address

This is the IP address assigned to the Virtual Edge container. It must be routable, must be able to reach Cloud Control Center, and must also be able to reach the management interface of every Virtual Edge Node you plan to onboard. The network for this IP can be configured locally on the application hosting switch or on an aggregation switch upstream, and can be a new or an existing network. This field is mandatory.

Uplink Gateway IP

This is the default gateway IP for the network described above. The gateway can be configured locally on the application hosting switch or on an aggregation switch upstream, and can belong to a new or an existing network. This field is mandatory.

Uplink VLAN

This is the VLAN of the network described above. It can be a new or an existing VLAN. The VLAN is assigned to the container's virtual interface through the AppGigabitEthernet trunk so that the container has access to the network it was configured on. This field is mandatory.

Host Name

This is the host name assigned to the Virtual Edge container. Cloud Control Center uses it when generating the application hosting configuration for the application hosting switch. This field is mandatory.

Domain Name Server (DNS)

This is the DNS server IP used by the Virtual Edge container. It can be a public or a private DNS server, and it must be able to resolve the Cloud Control Center hostname. Cloud Control Center uses it when generating the application hosting configuration for the application hosting switch. To specify more than one DNS server, separate the addresses with commas. This field is mandatory.

Virtual Edge Location Address

The location of the Virtual Edge, so that Cloud Control Center reflects where the container is installed. This field is optional.


Step 6:
After clicking Submit & Generate Configuration, two files are automatically downloaded to your workstation.

  • VE_xxxxxxxxxxxxxxxx.txt

This text file contains the instructions and configuration required to bring up the Virtual Edge container on the application hosting switch, as well as the switch configuration required to onboard a Virtual Edge Node. Each Virtual Edge receives a unique identifier, which is embedded in the file name. The file also contains the Virtual Edge's registration key (EDGE_REG_KEY), which is passed to the container on a run-opts line and therefore ends up in the switch's running configuration; treat the file and any configuration backups as sensitive. Below is an example of the content of the text file generated by CCC.

NOTE:

Disregard the first section of the file titled "Configuration commands on legacy VE"

# Configuration commands for new generation VE:
# ===============================================
# Step 1: Download the docker tar file provided by your Elisity SE and copy to switch.
#     - The docker file should be downloaded to a local customer location to which Catalyst9000 has access.
#     - Copy the docker tar file to usbflash: of Catalyst9000.

# Step 2: Apply the below configurations on Catalyst9000
# Replace AppGigabitEthernet1/0/1 with the suitable interface for your system
# AppGigabitEthernet1/0/1 will be the case for 1 RU systems, on a Cat 9400, this
# will usually be the supervisor slot, like AppGigabitEthernet3/0/1
ip routing
iox
ip http server
ip http authentication local
ip http secure-server
restconf
interface AppGigabitEthernet1/0/1
 switchport mode trunk
app-hosting appid VE
 app-vnic AppGigabitEthernet trunk
  vlan 63 guest-interface 1
   guest-ipaddress 10.63.0.12 netmask 255.255.255.0
 app-default-gateway 10.63.0.1 guest-interface 1
 app-resource docker
  run-opts 1 "--entrypoint /etc/init.d/cat9k"
  run-opts 2 --cap-add=NET_ADMIN
  run-opts 3 "--ulimit nofile=90000:90000"
  run-opts 4 "--env EDGE_TYPE=VE --env EDGE_REG_KEY=8c36964cde35b6ed --env EDGE_CLOUD_MANAGE_URL=latest-tls.elisity.net --env EDGE_UPLINK_IP=10.63.0.12 --env EDGE_DNS_SERVER=4.2.2.2,8.8.8.8"
  run-opts 5 "--hostname VE-9K"
 app-resource profile custom
  cpu 1024
  memory 800
  persist-disk 500
  vcpu 2
 name-server0 8.8.8.8
 start

# Step 3: Execute the following exec command on Catalyst9000
     app-hosting install appid VE package usbflash1:<tar file name>
# Step 4: Verify Elisity virtualedge is RUNNING using following exec command on Catalyst9000
     show app-hosting list

# =================================================

  • VE_DOCKER_xxxxxxxxxxxxxxxx.yml

The YAML file is not used when deploying a switch-hosted Elisity Virtual Edge. It is used when deploying an Elisity Virtual Edge VM hosted by a hypervisor such as VMware ESXi. More details on this file are provided in the Elisity Virtual Edge VM (hosted by hypervisor) deployment guide.


Step 7:
Copy the Elisity Virtual Edge .tar file provided by your Elisity SE to the application hosting switch's SSD, usually named usbflash1:. Confirm your switch's USB flash storage name (for example with show file systems) so that the file is copied to the correct storage media. You can use any transfer method you wish, such as FTP, SCP, TFTP or HTTPS; SCP or HTTPS is preferable because they protect the file in transit. The file name should look something like this: docker_edge-14.2.13.tar

Step 8:
Log into the application hosting switch, paste the configuration provided by Cloud Control Center into the command line, and save it with write memory.

Step 9: Run the provided command to install the Virtual Edge container on the application hosting switch. Replace <tar file name> with the name of the .tar file provided by your Elisity SE, for example docker_edge-14.2.13.tar.

app-hosting install appid VE package usbflash1:<tar file name>


Step 10:
Wait a minute or two for the installation to finish, then run the following command to confirm that the application was installed and is running.

Latest.Elisity.Core.ME#show app-hosting list
App id                                   State
---------------------------------------------------------
VE                                      RUNNING


Step 11: Check Cloud Control Center to ensure that the Virtual Edge registered successfully. If the Virtual Edge status never turns green, the container cannot reach Cloud Control Center: check IP connectivity from the uplink IP, that the configured DNS server resolves the Cloud Control Center hostname, and that any firewall in the path allows the connection.

Onboarding a Virtual Edge Node


Step 1:
Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

On Catalyst 3850/3650:
=================
ip routing
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
no netconf-yang cisco-ia intelligent-sync
 
On Catalyst 9000:
=================
ip routing
ip http secure-server
restconf


Step 2:
Log into Cloud Control Center and navigate to Policy Fabric > Elisity Edge. Find the Virtual Edge that will manage the access switch, select the more options icon to its right, and then select Add Virtual Edge Node. In this example we onboard the same switch that hosts the Virtual Edge container.

Step 3: Fill out the required fields and select Submit. Details about each field are provided in the chart below. These details can always be viewed and edited later by selecting the more options icon to the right of the Virtual Edge Node and selecting Edit Virtual Edge Node Configuration.

The following chart provides details about each field:

Switch Management IP

This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP can be used as long as it is reachable from the previously deployed Virtual Edge container. This field is mandatory.

Switch Admin Username

This is the admin username for the switch you wish to onboard as a Virtual Edge Node for policy enforcement. The account can be local or TACACS/RADIUS, and it must have privilege 15. This field is mandatory.

Switch Admin Password

This is the password for the admin username above. The account can be local or TACACS/RADIUS, and it must have privilege 15. This field is mandatory.

Virtual Edge Node Location Address

The location of the Virtual Edge Node, so that Cloud Control Center reflects where the onboarded switch is installed. This field is optional.


Step 4: Refresh the page and select the expand icon next to the Virtual Edge until the circle next to the Virtual Edge Node name goes from grey with a status of Discovered to green with a status of Registered. This can take several minutes. If the status never changes, the Virtual Edge cannot manage the switch: check IP connectivity between the Virtual Edge's uplink IP and the switch management IP, that the prerequisite commands from Step 1 are configured on the switch, and that the supplied credentials actually grant privilege 15.

You can select the Virtual Edge Node name to see more details about the switch you just onboarded.

Step 5: Enable Device Track. The Device Track feature enables the Virtual Edge Node to glean additional user, application, and device information via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after onboarding a Virtual Edge Node.


The Virtual Edge will dynamically configure the Virtual Edge Node with the appropriate IOS-XE configuration for the Virtual Edge to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies will be pushed to the appropriate Virtual Edge Node immediately after onboarding.

Decommissioning and Deleting a Virtual Edge


Step 1:
Select the more options icon to the right of the Virtual Edge and then select Decommission Virtual Edge.

NOTE:

Before you can decommission a Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be decommissioned and deleted.


Step 2:
Wait 60 seconds after decommissioning the Virtual Edge. Select the more options icon to the right of the Virtual Edge and then select Delete Virtual Edge. Refer to the previous image. 

Decommissioning and Deleting a Virtual Edge Node

Step 1: Select the more options icon to the right of the Virtual Edge Node and then select Decommission Virtual Edge Node. The Virtual Edge Node status will change to Decommissioned.


Step 2:
Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.