Onboarding Catalyst 9000/3850/3650 series switch as a Virtual Edge Node

This article summarizes how to onboard your access layer switches as Virtual Edge Nodes for policy enforcement. This should only be done after deploying Virtual Edge.

 

Quick Links:

Onboarding Steps

Disabling Elisity Identity on Select Switchports 

Decommissioning and Deleting a Virtual Edge Node

 

NOTE:

  • IOS-XE version 17.6.4 is the recommended code version
  • All switches being onboarded must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com. 
  • Catalyst series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.

 

CATALYST 9400 SPECIFIC NOTE:

  • Catalyst 9410 series switch: if the Catalyst 9410 being onboarded is itself hosting the Virtual Edge through the Application Hosting functionality, Elisity Identity must be disabled on GigabitEthernet4/0/48. See the section Disabling Elisity Identity on Select Switchports for instructions.

Onboarding Steps 


Step 1: Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

On Catalyst 3850/3650:
=================
ip routing
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
no netconf-yang cisco-ia intelligent-sync
 
On Catalyst 9000:
=================
ip routing
ip http secure-server
restconf

 

Step 2: The Virtual Edge authenticates to the switch with privilege 15, so you need either a local user account with privilege 15 or a TACACS login configuration that grants privilege 15 access. If a local account is used and is not already configured, execute the following command in global configuration mode:

switch(config)# username <username> privilege 15 secret 0 <password>

Add the following commands to your switch configuration if using TACACS:

switch(config)# aaa authentication login HTTP_AUTH group <group name> local
switch(config)# ip http authentication aaa login-authentication HTTP_AUTH
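As an added pre-onboarding check for Steps 1 and 2 (example code written for this article, not Elisity's or Cisco's own tooling), the following Python parses saved "show running-config" output, reports which prerequisite commands are missing for the chosen platform family, and confirms that either a privilege 15 local user or an HTTP AAA binding to a defined login list exists. The sample configurations, the platform keys cat3k/cat9k and the hash value are constructed assumptions.

```python
"""Check a Catalyst running-config for Virtual Edge Node prerequisites."""
import re

# Global-config lines required by Step 1, per platform family (assumed keys).
REQUIRED = {
    "cat9k": ["ip routing", "ip http secure-server", "restconf"],
    "cat3k": ["ip routing", "ip http secure-server", "restconf",
              "netconf-yang cisco-ia auto-sync disabled",
              "no netconf-yang cisco-ia intelligent-sync"],
}

# Step 2: a local privilege 15 user, or HTTP auth bound to an AAA login list.
LOCAL_PRIV15 = re.compile(r"^username\s+\S+\s+privilege\s+15\b")
AAA_LIST = re.compile(r"^aaa authentication login (\S+) group \S+")
HTTP_AAA = re.compile(r"^ip http authentication aaa login-authentication (\S+)")


def check_prereqs(running_config: str, platform: str) -> dict:
    """Return {'missing': [...], 'auth': 'local'|'tacacs'|'none', 'auth_ok': bool}."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    present = set(lines)
    # Exact-line match: a command that is absent or negated is reported missing.
    missing = [cmd for cmd in REQUIRED[platform] if cmd not in present]

    local_ok = any(LOCAL_PRIV15.match(ln) for ln in lines)
    aaa_lists = {m.group(1) for ln in lines for m in [AAA_LIST.match(ln)] if m}
    http_lists = {m.group(1) for ln in lines for m in [HTTP_AAA.match(ln)] if m}
    # The HTTP server must reference a login list that is actually defined.
    tacacs_ok = bool(aaa_lists & http_lists)

    auth = "local" if local_ok else "tacacs" if tacacs_ok else "none"
    return {"missing": missing, "auth": auth, "auth_ok": auth != "none"}


# Constructed sample: a 3850 with a local account but one netconf line missing.
SAMPLE_3850 = """\
hostname access-sw-01
username ve-admin privilege 15 secret 9 $9$CONSTRUCTED_HASH_PLACEHOLDER
ip routing
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
"""

# Constructed sample: a 9300 using TACACS for HTTP auth but without ip routing.
SAMPLE_9K = """\
hostname access-sw-02
aaa new-model
aaa authentication login HTTP_AUTH group TACACS_SRV local
ip http secure-server
ip http authentication aaa login-authentication HTTP_AUTH
restconf
"""

if __name__ == "__main__":
    print(check_prereqs(SAMPLE_3850, "cat3k"))
    print(check_prereqs(SAMPLE_9K, "cat9k"))
```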


Step 3: Log into Cloud Control Center and navigate to Policy Fabric > Elisity Edge. Next to the Virtual Edge that will onboard your access switch as a Virtual Edge Node for policy enforcement, select the more options icon on the right, then select Add Virtual Edge Node. In this example we onboard the same switch that hosts the Virtual Edge container.


Step 4: Fill out the required fields and select Submit. Details about each field are provided in the chart below. These details can always be viewed and edited by selecting the more options icon to the right and selecting Edit Virtual Edge Node Configuration. 


The following chart provides details about each field:

Switch Management IP

This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP address can be used as long as it is reachable from the previously deployed Virtual Edge container. This field is mandatory.

Switch Admin Username

This is the admin username of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. 

Switch Admin Password

This is the admin password of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory.

Virtual Edge Node Location Address

The location of the Virtual Edge Node so that Cloud Control Center reflects the location of the onboarded switch. This field is optional. 


Step 5: Refresh the page and select the expand icon next to the Virtual Edge until the circle next to the Virtual Edge Node name changes from grey with a status of Discovered to green with a status of Registered. This can take several minutes. If the status never changes, there is an IP connectivity issue between the Virtual Edge and the switch you are trying to onboard as a Virtual Edge Node.

You can select the Virtual Edge Node name to see more details about the switch you just onboarded. 

Step 6: Enable Device Track. The Device Track feature enables the Virtual Edge Node to glean additional user, application, and device information via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after onboarding a Virtual Edge Node.


The Virtual Edge will dynamically configure the Virtual Edge Node with the appropriate IOS-XE configuration for the Virtual Edge to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies will be pushed to the appropriate Virtual Edge Node immediately after onboarding.

Disabling Elisity Identity on Select Switchports

In some scenarios it may be beneficial to disable Elisity Identity on select switchports, such as an uplink trunk port, so that identity and flow information is not collected from devices upstream of the local switch. Disabling Elisity Identity on a switchport removes CDT and flow collection from that specific switchport.

Step 1: Next to the Virtual Edge Node, select the more options button and select Virtual Edge Node Port Configuration. 


Step 2: Select the interface on which you want to disable Elisity Identity and select Submit.

Decommissioning and Deleting a Virtual Edge Node

Step 1: Select the more options icon to the right of the Virtual Edge Node and then select Decommission Virtual Edge Node. The Virtual Edge Node status will say Decommissioned.

Step 2: Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.