How to configure an Elisity Edge Device

Elisity Edge hardware is a purpose-built high-performance enforcement node that is deployed on-premises at a campus or at a data center.

Elisity Edge Overview

The Elisity Edge supports layer 3 and layer 2 functionality for ease of insertion. Please review the Introduction to Elisity Cognitive Trust article for more details on how to design the network for Elisity Edge insertion.

Elisity offers two models of Elisity Edge enforcement nodes, a mini-1U form factor node, and a full-sized 1U form factor node. Please contact your Elisity Sales Engineer if performance specifications are required.

The mini-1U Elisity Edge offers 5x1G copper ports and 2x10G SFP ports that can be configured in Layer 3 or Layer 2 mode for data plane forwarding, an IPMI and management interface for node management, VGA and USB ports for console access, and an expansion slot for additional copper or SFP interface modules. Please contact your Elisity Sales Engineer for a list of supported SFP transceivers.

The full-sized 1U Elisity Edge offers 8x1G copper ports, 2x10G copper ports, and 2x10G SFP ports that can be configured in Layer 3 or Layer 2 mode for data plane forwarding, an IPMI and management interface for node management, a COM port for console access and two expansion slots for additional copper or SFP interface modules. Please contact your Elisity Sales Engineer for a list of supported SFP transceivers.

Elisity Edge Console Access and Authentication Configuration

Several options exist to access the Elisity Edge console to begin initial configuration.

Accessing Edge Console via VGA

Connect a VGA monitor and USB keyboard to the Elisity Edge to be presented with the Linux shell. Contact your local Elisity Sales Engineer for Linux shell credentials. Once access to the shell has been established, change the Linux root password by issuing the following command:

SM141# passwd

NOTE: Only the user “root” can access the console port. All other local or TACACS users can only access via SSH. 

Accessing Edge Console via Dedicated Management Port

The Elisity Edge management port is pre-configured to accept a DHCP IP address. Connect this port to your local LAN that supports DHCP and SSH to the IP address allocated to the management port. The default credentials for SSH access are netadmin/netadmin.

Accessing Edge IPMI

The Elisity Edge IPMI port is pre-configured to accept a DHCP IP address. Connect this port to your local LAN that supports DHCP and browse to https://<dhcp address> to access the configuration page. The default username for IPMI access is ADMIN and the password is captured on the bottom of the chassis.

To configure the Elisity Edge after accessing the console, switch to Elisity shell mode by issuing the following command:

SM141# eshell

Change the default netadmin password and set an enable password by issuing the following commands:

eshell(SM141)>enable

eshell(SM141)#

eshell(SM141)#config term

eshell(SM141)(config)# username netadmin group netops password <new password here>

eshell(SM141)(config)# enable password <new password here>

eshell(SM141)(config)# end

eshell(SM141)#

Save the Edge configuration by issuing the following command:

eshell(SM141)# write memory

Elisity Edge Base Configuration

Hostname

Set the hostname of the Edge by issuing the following commands under config terminal mode:

eshell(SM141)(config)# hostname <hostname>

Location

Set the location of the Edge (displayed in Cloud Control Center) by issuing the following command under config terminal mode:

eshell(SM141)(config)# location city <city name>

eshell(SM141)(config)# location latitude <lat>

eshell(SM141)(config)# location longitude <long>

eshell(SM141)(config)# location building <building name>

DNS

Configure DNS under config terminal mode on the Elisity Edge so that FQDNs used in the configuration can be resolved:

eshell(SM141)(config)# nameserver <IP of primary DNS server> <IP of secondary DNS server> 

Cloud Manage

Connect the Elisity Edge to Cloud Control Center by issuing the following commands under config terminal mode:

eshell(SM141)(config)# cloud-manage <IP or FQDN of Cloud Control Center>

eshell(SM141)(config)# cloud-manage-vlan <VLAN ID>

eshell(SM141)(config)# cloud-manage-gateway <gateway IP to reach Cloud Control Center>

NOTE: cloud-manage-vlan is only used in L2 mode to tell the Elisity Edge which VLAN to source traffic from. cloud-manage-gateway is only used when the etun interface is configured with a /32 subnet mask to tell the Elisity Edge what the next hop is to reach Cloud Control Center.

etun0 interface

etun0 (Elisity Tunnel Interface) is used for management plane connectivity to Cloud Control Center. This interface serves as the source interface to form TLS tunnels to Elisity Access Service. It also serves as the source TEP IP for Elisity VXLAN tunnels for overlay transport between campus and cloud Elisity Edges. This IP must be routable and is the source of all tunneled traffic. Customer firewall and NAT entries may be required for connectivity to be established. Configure the etun interface by issuing the following command under config terminal mode:

eshell(SM141)(config)# interface etun0

eshell(SM141)(config-if)# ip address <etun0 IP>

sys0 interface

The sys0 interface is used by the Elisity Edge to uniquely identify itself on the Elisity fabric. This IP does not have to be routable, however, it must be within the range configured on Cloud Control Center in the Edge Configuration page. Configuration for this interface is not necessary as Cloud Control Center will automatically configure it with an IP address for you once registered. The IP address configured will be within the range specified in the Elisity Edge settings of the Cloud Control Center. If you wish to configure this interface yourself, issue the following commands under config terminal mode:

eshell(SM141)(config)# interface sys0

eshell(SM141)(config-if)# ip address <sys0 IP>

ma0

The ma0 interface is used for the management of the Elisity Edge. One can configure a routable IP on this interface and use SSH to configure the Edge. This interface is placed into a dedicated management VRF by default. DHCP is enabled on this interface by default. Configure the ma0 interface by issuing the following commands under config terminal mode:

eshell(SM141)(config)# interface ma0

eshell(SM141)(config-if)# ip address <ma0 IP>

Elisity Edge Layer 2 Configuration

Elisity Edges can be configured to run in Layer 2 mode. This mode places the Edge as a “bump in the wire” and is one of the simplest ways to insert an edge into an existing network. The Elisity Edge can be inserted between the access and distribution layer, and it can also be inserted between a wireless controller and the access switch to capture wireless traffic if required. Devices, Users, and Applications can also be directly connected to Layer 2 configured interfaces on an Elisity Edge to achieve micro-segmentation. Please review the Introduction to Elisity Cognitive Trust article for more details on how to design the network for Elisity Edge insertion.

VLAN

For an Elisity Edge to participate in an existing layer 2 domain, the relevant VLANs must be configured globally. Issue the following commands under config terminal mode to configure a VLAN:

eshell(SM141)(config)# vlan <vlan ID>

eshell(SM141)(config-vlan)# desc <description>

To review the configured VLANs issue the following show command:

eshell(SM141)# show vlan all

BD-ID   Index   BSN  Age(min)  Learning  U-Forwrd   UU-Flood   Flooding  ARP-Term  arp-ufwd   BVI-Intf

    1       1      0      5         on        on       flood        on       off       off        N/A

   200      2      0      5         on        on       flood        on       off       off       bvi200

   202      3      0      5         on        on       flood        on       off       off       bvi202

   203      4      0      5         on        on       flood        on       off       off       bvi203

   999      5      0      5         on        on       flood        on       off       off        N/A

Spanning-Tree Protocol

To ensure a loop-free topology is always built when Elisity Edges are in Layer 2 mode, Spanning-Tree Protocol is fully supported. The primary spanning-tree mode Elisity Edges support is MST; however, interoperability with Rapid PVST can also be achieved. To configure MST mode with PVST interoperability, first configure the MST instances and then enable Spanning-Tree PVST mode. This config model works for most deployments; however, please contact your Elisity Sales Engineer if a change is necessary to work with your network. Issue the following commands under config terminal mode to configure Spanning-Tree for the respective VLANs:

eshell(SM141)(config)# spanning-tree mst config

eshell(SM141)(config-mst)# instance 1 vlan <VLAN ID>

eshell(SM141)(config-mst)# instance 2 vlan <VLAN ID>



eshell(SM141)(config)# spanning-tree mode pvst

Lastly, enable Spanning-Tree on all layer 2 interfaces connected to other devices running Spanning-Tree, such as a switch:

eshell(SM141)(config)# interface TenGig0-0

eshell(SM141)(config-if)# spanning-tree enable

Spanning-Tree features such as bpduguard and portfast are also supported.

To review the Spanning-Tree operation issue any of the following show commands:

eshell(SM141)# show spanning-tree

  <cr>

  active             active

  blockedports       blockedports

  bpdu               bpdu

  detail             detail

  instance           instance

  interface          Interface

  mst-configuration  mst-configuration

Trunk Interface

To configure a layer 2 trunk port on an Elisity Edge, issue the following commands under config terminal mode:

eshell(SM141)(config)# interface TenGig0-0

eshell(SM141)(config-if)# no portmode routed

eshell(SM141)(config-if)# vlan mode trunk

eshell(SM141)(config-if)# spanning-tree enable

eshell(SM141)(config-if)# trunk allowed vlans <VLAN ID list>

eshell(SM141)(config-if)# trunk native vlan <Native VLAN ID> -> Optional

eshell(SM141)(config-if)# no shutdown

Access Interface

To configure a Layer 2 access interface on an Elisity Edge, issue the following commands under config terminal mode:

eshell(SM141)(config)# interface TenGig0-0

eshell(SM141)(config-if)# no portmode routed

eshell(SM141)(config-if)# vlan mode access

eshell(SM141)(config-if)# access vlan <VLAN ID>

eshell(SM141)(config-if)# no shutdown

Port Channel

To support link aggregation (LAG) to downstream or upstream devices, Elisity Edges can enable LACP. The following is an example configuration for a LAG interface and a member interface:

eshell(SM141)(config)# interface lag1 mode lacp loadbalance l2

eshell(SM141)(config-if)# no portmode routed

eshell(SM141)(config-if)# vlan mode trunk

eshell(SM141)(config-if)# trunk allowed vlans <VLAN ID list>

eshell(SM141)(config-if)# trunk native vlan <Native VLAN ID> -> Optional

eshell(SM141)(config-if)# no shutdown



eshell(SM141)(config)# interface TenGig0-1

eshell(SM141)(config-if)# no portmode routed

eshell(SM141)(config-if)# description "<description>"

eshell(SM141)(config-if)# lag-group 1 active

eshell(SM141)(config-if)# no shutdown

Trust

Any trunk or access interface facing devices, users or applications must be trusted for Cloud Control Center to learn about them. Issue the following commands under config terminal mode:

eshell(SM141)(config)# interface TenGig0-1

eshell(SM141)(config-if)# trust

LLDP

To enable LLDP, issue the following command under interface configuration mode:

eshell(SM141)(config-if)# lldp rxtx

To review learned LLDP neighbors issue the following show command:

eshell(SM141)# show lldp neighbor

Local intf  Chassis ID           Peer intf           Peer address     Peer

Gig0-1      00:04:96:99:5c:d6    Failed to get port description

Elisity Edge Layer 3 Configuration

Elisity Edges can be configured to run in Layer 3 mode at the same time as Layer 2 mode. This mode allows an Elisity Edge to be the gateway for multiple VLANs, inter-VLAN route and switch traffic, and participate in routing protocols such as OSPF and BGP. Essentially an Elisity Edge can operate as a full-blown router for your edge network. The Elisity Edge can be inserted anywhere including at the distribution layer to inherit Layer 3 responsibilities. Please review the Introduction to Elisity Cognitive Trust article for more details on how to design the network for Elisity Edge insertion.

BVI Interface

To provide a layer 3 gateway for a local or downstream VLAN, a BVI interface is configured. BVI interfaces can also be leveraged for routing protocol peering. The BVI is tied to the VLAN ID it services through the interface number configured. Trust must also be enabled on a BVI interface. Issue the following commands under config terminal mode to configure a BVI:

eshell(SM141)(config)# interface bvi<VLAN ID #>

eshell(SM141)(config-if)# description "<description>"

eshell(SM141)(config-if)# ip address <IP address and mask>

eshell(SM141)(config-if)# trust

eshell(SM141)(config-if)# no shutdown

Static Routing

To configure a static route issue the following command under config terminal mode:

eshell(SM141)(config)# ip route <Subnet and Mask> <Next Hop IP>

To review the configured static route issue the following command:

eshell(SM141)# show ip route static

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

 

S>  0.0.0.0/0 [1/0] via 10.10.10.254 (recursive), weight 1, 2d18h57m

  *                   via 10.20.20.254, Gig0-4, weight 1, 2d18h57m

                    via 10.20.20.254, Gig0-4, weight 1, 2d18h57m

S>* 150.0.0.0/16 [1/0] via 10.20.20.254, Gig0-4, weight 1, 3d18h06m 

OSPF Routing

Elisity Edges support the OSPF routing protocol in order to connect to existing upstream routing domains. This might be necessary in order to learn routes to other networks or to reach the internet for Elisity Edge registration on Cloud Control Center. OSPF can also be leveraged to advertise the local BVI networks configured on the Edge to other routers in the network. Since there are many advanced options available under OSPF configuration mode, the following example will be basic. To configure OSPF issue the following commands under config terminal mode:

eshell(SM141)(config)# ip router-id <router ID>

eshell(SM141)(config)# router ospf

eshell(SM141)(config-router)# redistribute connected

eshell(SM141)(config-router)# passive-interface etun0

Enable OSPF under the interfaces you wish to advertise and participate in OSPF routing by issuing the following command under interface config mode:

eshell(SM141)(config)# interface TenGig0-1

eshell(SM141)(config-if)# ip ospf area <area ID>

NOTE: Be sure to enable OSPF on the etun0 interface so that it is reachable across the network. etun0 must be reachable by Cloud Control Center for the Elisity Edge to join the fabric. BVI interfaces can also be configured to participate in OSPF. 

To review OSPF adjacencies and routing issue the following show commands:

eshell(SM141)# show ip ospf neighbor

 

Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL

10.70.70.14       1 2-Way/DROther     36.744s 10.20.20.14     Gig0-4:10.20.20.8                    0     0     0

172.17.0.1        1 2-Way/DROther     36.819s 10.20.20.166    Gig0-4:10.20.20.8                    0     0     0

172.30.10.8       1 Full/DR           39.440s 10.20.20.241    Gig0-4:10.20.20.8                    0     0     0

99.165.197.153   10 Full/Backup       38.070s 10.20.20.254    Gig0-4:10.20.20.8                    0     0     0

 

 

eshell(SM141)#  show ip route ospf

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

 

O>* 1.1.1.1/32 [110/20] via 10.20.20.241, Gig0-4, weight 1, 3d18h02m

O>* 10.10.0.0/16 [110/10010] via 10.20.20.254, Gig0-4, weight 1, 2d18h53m

O   10.20.0.0/16 [110/10000] is directly connected, Gig0-4, weight 1, 3d18h02m

O>* 10.70.0.0/16 [110/10010] via 10.20.20.254, Gig0-4, weight 1, 2d18h54m

O>* 10.99.0.0/16 [110/20000] via 10.20.20.14, Gig0-4, weight 1, 1d09h39m

BGP Routing

Elisity Edges support the BGP routing protocol in order to connect to existing upstream routing domains. This might be necessary in order to learn routes to other networks or to reach the internet for Elisity Edge registration on Cloud Control Center. BGP can also be leveraged to advertise the local BVI networks configured on the Edge to other routers in the network. Since there are many advanced options available under BGP configuration mode, the following example will be basic. To configure BGP issue the following commands under config terminal mode:

eshell(SM141)(config)# ip router-id <router ID>

eshell(SM141)(config)# router bgp <ASN>

eshell(SM141)(config-router)# neighbor <neighbor IP> remote-as <remote ASN>

eshell(SM141)(config-router)# address-family ipv4 unicast

eshell(SM141)(config-router-af)# network <subnet and mask to advertise>

eshell(SM141)(config-router-af)# redistribute connected  

To review BGP adjacencies and routing issue the following show commands:

eshell(SM141)# show bgp summary

IPv4 Unicast Summary:

BGP router identifier 10.20.20.8, local AS number 65000 vrf-id 0

BGP table version 7

RIB entries 14, using 2800 bytes of memory

Peers 1, using 21 KiB of memory

 

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt

1.1.1.1         4      65001         0         0        0    0    0    never       Active        0

 

Total number of neighbors 1

 

eshell(SM141)# show ip bgp

BGP table version is 7, local router ID is 10.20.20.8, vrf id 0

Default local pref 100, local AS 65000

Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,

               i internal, r RIB-failure, S Stale, R Removed

Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self

Origin codes:  i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*> 10.20.0.0/16     0.0.0.0                  0         32768 ?

*> 10.100.8.0/24    0.0.0.0                  0         32768 ?

*> 10.200.1.0/24    0.0.0.0                  0         32768 ?

*> 10.202.1.0/24    0.0.0.0                  0         32768 ?

*> 10.203.1.0/24    0.0.0.0                  0         32768 ?

   172.0.0.0/8      0.0.0.0                  0         32768 i

*> 172.17.10.8/32   0.0.0.0                  0         32768 ?

*> 198.51.100.1/32  0.0.0.0                  0         32768 ?
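
Added example (not from Elisity's documentation or code): a Python check that reads saved copies of the "show ip ospf neighbor" and "show bgp summary" listings and reports adjacencies that have not come up. The function names are made up for this example, and it assumes the output is captured as text in the column layout shown on this page.

```python
import re

# Listings copied from this page (blank lines dropped).
BGP_SUMMARY = """\
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
1.1.1.1         4      65001         0         0        0    0    0    never       Active        0
"""
OSPF_NEIGHBORS = """\
Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.70.70.14       1 2-Way/DROther     36.744s 10.20.20.14     Gig0-4:10.20.20.8                    0     0     0
172.17.0.1        1 2-Way/DROther     36.819s 10.20.20.166    Gig0-4:10.20.20.8                    0     0     0
172.30.10.8       1 Full/DR           39.440s 10.20.20.241    Gig0-4:10.20.20.8                    0     0     0
99.165.197.153   10 Full/Backup       38.070s 10.20.20.254    Gig0-4:10.20.20.8                    0     0     0
"""
# Constructed line (not from the page): a neighbor stuck in database exchange.
OSPF_STUCK = (
    "10.0.0.9          1 ExStart/DR        33.100s 10.20.20.9      "
    "Gig0-4:10.20.20.8                    0     0     0\n"
)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _rows(text, min_cols):
    """Yield whitespace-split rows whose first column is an IPv4 address."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= min_cols and IPV4.match(cols[0]):
            yield cols


def bgp_peers_down(summary):
    """Return (peer, state, up/down) for peers that are not established.

    An established peer shows a prefix count in State/PfxRcd; any other
    session shows a state name such as Active or Idle in that column.
    """
    return [(c[0], c[9], c[8]) for c in _rows(summary, 10) if not c[9].isdigit()]


def ospf_neighbors_unsettled(neighbors):
    """Return (neighbor, state) for adjacencies that have not settled.

    Full is the settled state. 2-Way/DROther is also normal when the local
    router is itself a DROther on a broadcast segment, as in the page's
    listing, where the DR and Backup neighbors are both Full.
    """
    settled = ("Full/", "2-Way/DROther")
    return [(c[0], c[2]) for c in _rows(neighbors, 6) if not c[2].startswith(settled)]


if __name__ == "__main__":
    for peer, state, updown in bgp_peers_down(BGP_SUMMARY):
        print(f"BGP peer {peer}: state {state}, up/down {updown}")
    for nbr, state in ospf_neighbors_unsettled(OSPF_NEIGHBORS + OSPF_STUCK):
        print(f"OSPF neighbor {nbr}: state {state}")
```

Run against the page's own listings, this reports the BGP peer 1.1.1.1 (state Active, never up) and no OSPF neighbors.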

L3 Routed Interface

To configure a basic L3 routed interface issue the following commands under config terminal mode:

eshell(SM141)(config)# interface Gi0-1

eshell(SM141)(config-if)# description "<description>"

eshell(SM141)(config-if)# ip address <IP address and mask>

eshell(SM141)(config-if)# mtu 1500

eshell(SM141)(config-if)# trust

eshell(SM141)(config-if)# no shutdown

If the interface was previously configured as an L2 interface, first remove all L2 interface commands and then issue the following command to enable L3 interface mode:

eshell(SM141)(config-if)# portmode routed 

VRRP 

VRRP is supported on both physical layer 3 interfaces as well as on BVI interfaces. To configure VRRP on an interface issue the following commands under config terminal mode (BVI example):

eshell(SM141)(config)# interface bvi25

eshell(SM141)(config-if)# vrrp <vrrp instance ID> ip <VRRP virtual IP>

eshell(SM141)(config-if)# vrrp <vrrp instance ID> priority <VRRP priority value>

! to track an interface and decrement the configured priority by a specified value, issue the following command

eshell(SM141)(config-if)# vrrp <vrrp instance ID> track <interface> weight <decrement value>

! save the vrrp configuration

eshell(SM141)(config-if)# vrrp save

! save the Elisity Edge configuration

eshell(SM141)(config-if)# do write mem

! show the active configuration

eshell(SM141)#  show run interface bvi25

interface bvi25
 ip address 192.168.25.2/24
 no shutdown
 trust
 vrrp 25 priority 200
 vrrp 25 ip 192.168.25.1
 vrrp 25 track Gig0-1 weight 10

end

NOTE: It is important to configure NTP and sync the clock on each Elisity Edge VRRP member so that device, user and application attach events are displayed accurately in Cloud Control Center. 

After both Elisity Edge VRRP members are configured, you can issue the following show command to verify VRRP operation:

eshell(SM141)# show vrrp summary 

bvi25 - Instance 25
  State is MASTER
  Virtual IP address is 192.168.25.1
  Advertisement interval is 1 secs
  Priority is 200
  Preemption is enabled
  Tracking interface Gig0-1 weight 10
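
Added example (not Elisity's code): a Python check that compares the "show vrrp summary" output saved from both VRRP members and reports a dual-MASTER pair or mismatched settings. Member A is the listing from this page; member B, including the BACKUP wording and its priority, is constructed for the example, and the function names are made up.

```python
import re

# Member A: "show vrrp summary" output copied from this page.
MEMBER_A = """\
bvi25 - Instance 25
  State is MASTER
  Virtual IP address is 192.168.25.1
  Advertisement interval is 1 secs
  Priority is 200
  Preemption is enabled
  Tracking interface Gig0-1 weight 10
"""
# Member B: constructed for this example. The BACKUP wording and the
# priority of 100 are assumptions, not output taken from a device.
MEMBER_B = MEMBER_A.replace("MASTER", "BACKUP").replace("Priority is 200", "Priority is 100")

HEADER = re.compile(r"^(\S+) - Instance (\d+)$")
FIELDS = {
    "state": re.compile(r"^State is (\S+)$"),
    "vip": re.compile(r"^Virtual IP address is (\S+)$"),
    "interval": re.compile(r"^Advertisement interval is (\d+) secs$"),
    "priority": re.compile(r"^Priority is (\d+)$"),
}


def parse_vrrp_summary(text):
    """Return {(interface, instance_id): {field: value}} for one member."""
    instances, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            key = (header.group(1), int(header.group(2)))
            current = instances.setdefault(key, {})
            continue
        if current is None:
            continue  # text before the first instance header
        for name, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                current[name] = m.group(1)
    return instances


def check_pair(a_text, b_text):
    """Compare both members' summaries and return a list of findings."""
    a, b = parse_vrrp_summary(a_text), parse_vrrp_summary(b_text)
    findings = []
    for key in sorted(set(a) | set(b)):
        label = f"{key[0]} instance {key[1]}"
        if key not in a or key not in b:
            findings.append(f"{label}: configured on only one member")
            continue
        x, y = a[key], b[key]
        # Two MASTERs means the members are not seeing each other's adverts.
        states = sorted([x.get("state", "?"), y.get("state", "?")])
        if states != ["BACKUP", "MASTER"]:
            findings.append(
                f"{label}: states are {states[0]}/{states[1]}, "
                "expected one MASTER and one BACKUP"
            )
        for field, what in (("vip", "virtual IP"), ("interval", "advertisement interval")):
            if x.get(field) != y.get(field):
                findings.append(f"{label}: {what} differs ({x.get(field)} vs {y.get(field)})")
    return findings


if __name__ == "__main__":
    print(check_pair(MEMBER_A, MEMBER_B) or "pair is consistent")
```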

Other Elisity Edge Features

DHCP Proxy

In some environments it might be required to proxy DHCP exchanges to an off network DHCP server. Elisity Edges support DHCP proxy functionality to meet this requirement. To configure DHCP proxy functionality issue the following command under config terminal mode:

eshell(SM141)(config)# dhcp-proxy server-ip <DHCP server IP>

NTP

To configure NTP on an Elisity Edge, issue the following command:

eshell(SM141)(config)# ntp server <NTP server IP or FQDN> 

To review the NTP sources and operation issue the following show command:

eshell(SM141)# show ntp sources

NTP SOURCES

==================================

210 Number of sources = 4

MS Name/IP address         Stratum Poll Reach LastRx Last sample             

===============================================================================

^+ pugot.canonical.com           2   3   377     6    -46us[  -19us] +/-  111ms

^+ alphyn.canonical.com          2   3   377     7  +1377us[+1404us] +/-  102ms

^+ chilipepper.canonical.com     2   3   377     7   -724us[ -698us] +/-   86ms

^* golem.canonical.com           2   3   377     6    +29us[  +56us] +/-   89ms
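
Added example (not Elisity's code): a Python check that reads a saved "show ntp sources" listing and reports when no source is selected or a source has stopped answering. The listing has the layout of chronyc sources output, so the column meanings used here are chrony's and are assumed to carry over; the function names and the min_answered threshold are made up for this example.

```python
import re

# Listing copied from this page's "show ntp sources" output (blank lines dropped).
NTP_SOURCES = """\
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ pugot.canonical.com           2   3   377     6    -46us[  -19us] +/-  111ms
^+ alphyn.canonical.com          2   3   377     7  +1377us[+1404us] +/-  102ms
^+ chilipepper.canonical.com     2   3   377     7   -724us[ -698us] +/-   86ms
^* golem.canonical.com           2   3   377     6    +29us[  +56us] +/-   89ms
"""

# M column: ^ server, = peer, # local reference clock.
# S column: * selected, + combined, - not combined,
#           ? unusable, x falseticker, ~ too variable.
ROW = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+(\S+)")


def parse_sources(text):
    """Return one dict per source row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _mode, state, name, stratum, _poll, reach, _last_rx = m.groups()
        # Reach is an octal shift register of the last eight polls:
        # 377 means all eight were answered, 0 means none were.
        answered = bin(int(reach, 8)).count("1")
        rows.append({"name": name, "state": state,
                     "stratum": int(stratum), "answered": answered})
    return rows


def ntp_findings(text, min_answered=6):
    """Return a list of findings; an empty list means the clock looks synced."""
    rows = parse_sources(text)
    findings = []
    if not any(r["state"] == "*" for r in rows):
        findings.append("no source is selected (*): the clock is not synchronised")
    for r in rows:
        if r["state"] in ("?", "x", "~"):
            findings.append(
                f"{r['name']}: state '{r['state']}' (unusable, falseticker or too variable)"
            )
        elif r["answered"] < min_answered:
            findings.append(f"{r['name']}: only {r['answered']} of the last 8 polls answered")
    return findings


if __name__ == "__main__":
    print(ntp_findings(NTP_SOURCES) or "clock is synchronised")
```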

Syslog

To configure Syslog export on an Elisity Edge, issue the following command:

eshell(SM141)(config)# logging host <syslog server IP>

SNMP

Elisity Edges support both SNMPv2 and SNMPv3. To configure SNMPv2 on an Elisity Edge, issue the following command under config terminal mode:

eshell(SM141)(config)# snmp-server community <com string> readonly 1 

To configure SNMPv3 on an Elisity Edge, issue the following command under config terminal mode:

eshell(SM141)(config)# snmp-server user <username> auth md5 password1 priv aes <password>
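
Added example (not Elisity's code): a Python lint for the list of eshell commands you intend to paste into an Edge, covering the netadmin and enable password step and the Syslog, NTP and SNMP commands in this article. It only recognises command forms shown on this page; the rule names, sample values and function name are made up for this example.

```python
import re

# Constructed command lists using only command forms shown on this page;
# every value is made up for the example.
TEMPLATE = """\
username netadmin group netops password netadmin
hostname edge-lab-1
snmp-server community public readonly 1
snmp-server user monitor auth md5 password1 priv aes password1
ntp server 192.0.2.10
"""
HARDENED = """\
username netadmin group netops password constructed-Value-71
enable password constructed-Value-72
ntp server 192.0.2.10
logging host 192.0.2.20
"""

# Values printed on this page, plus the well-known SNMP default communities.
KNOWN_VALUES = {"netadmin", "password1", "public", "private"}

NETADMIN = re.compile(r"^username netadmin group \S+ password (\S+)$")
COMMUNITY = re.compile(r"^snmp-server community (\S+) ")
V3_USER = re.compile(r"^snmp-server user (\S+) auth (\S+) (\S+) priv (\S+) (\S+)$")


def audit(template):
    """Return a sorted list of (rule_id, detail) findings for a command list."""
    lines = [l.strip() for l in template.splitlines() if l.strip()]
    findings = set()

    # The default SSH login is netadmin/netadmin until it is changed.
    netadmin = [m.group(1) for m in map(NETADMIN.match, lines) if m]
    if not netadmin:
        findings.add(("netadmin-password", "no netadmin password change; the default stays valid"))
    elif netadmin[-1] in KNOWN_VALUES:
        findings.add(("netadmin-password", f"password '{netadmin[-1]}' is a known value"))
    if not any(l.startswith("enable password ") for l in lines):
        findings.add(("enable-password", "no enable password is set"))

    for m in filter(None, map(COMMUNITY.match, lines)):
        findings.add(("snmpv2c", "SNMPv2c sends the community string unencrypted"))
        if m.group(1) in KNOWN_VALUES:
            findings.add(("snmp-community", f"community '{m.group(1)}' is a known value"))

    for m in filter(None, map(V3_USER.match, lines)):
        user, auth, auth_pw, _priv, priv_pw = m.groups()
        if auth == "md5":
            # Whether eshell accepts a stronger auth keyword is not stated on the page.
            findings.add(("snmpv3-md5", f"user {user} authenticates with HMAC-MD5"))
        if {auth_pw, priv_pw} & KNOWN_VALUES:
            findings.add(("snmpv3-secret", f"user {user} uses a known value as a passphrase"))

    # Without these, events are not exported and timestamps may drift.
    for prefix, rule in (("logging host ", "syslog"), ("ntp server ", "ntp")):
        if not any(l.startswith(prefix) for l in lines):
            findings.add((rule, f"no '{prefix.strip()}' line"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(TEMPLATE):
        print(f"{rule}: {detail}")
```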

Updating Elisity Edges and Elisity Access Services

Step 1 – Build a compatibility matrix for your target version

Go To: Policy Fabric > Elisity Edge > More Configurations > View Compatibility Matrix

Click Add Version

Fill out the following fields:

  • Target Release Version – the version you want to run on the Elisity Edge
  • Min Version – this can be any version of an Elisity Edge software released earlier than the target version.
  • Max Version – typically you can use the target version as the max version.

Select Elisity Edge as the package name

Click Submit.

Step 2 (Option 1) – Upgrade your Elisity Edge from the Elisity Edge dashboard

To upgrade the Elisity Edge or Elisity Cloud Edge:

Go Back to the Elisity Edge dashboard, and select the Elisity Edge you would like to upgrade.

Click More Configurations > Install Different Version

Give your upgrade a name

Check the Upgrade box

Select Elisity Edge as your package to upgrade

Select the target version that you configured in the compatibility matrix

Click Submit.

Step 2 (Option 2) – Upgrade your Elisity Edge or Access Service Nodes from the Access Service Dashboard

You can upgrade your Elisity Edge, Cloud Edge, and Access Service Nodes from the Access Service dashboard. You can upgrade each node individually or upgrade an entire region with one action.

Click the three dots to the right of the node or region, and click Install Different Version

Give your upgrade a name

Check the Upgrade box

Select Elisity Edge as your package to upgrade

Select the target version that you configured in the compatibility matrix

Click Submit.

You can check the status of any upgrade in the Elisity Edge Dashboard by selecting More Configurations > View Job Status
