Onboarding Catalyst IE3400 as a Virtual Edge Node

Elisity supports the onboarding of Cisco Catalyst IE3400 as a Virtual Edge Node for policy enforcement. This document details how to onboard an IE3400 into Elisity Cloud Control Center.

Quick Links:

Introduction

Onboarding Catalyst IE3400 as a Virtual Edge Node

Disabling Elisity Identity on Select Switchports

Decommissioning and Deleting an IE3400 Virtual Edge Node

 

Elisity announced support for the Cisco Catalyst IE3400 series switch and IEM3400 switch modules in Q4 of 2022. Due to platform limitations on the IE3400, the deployment model is unique and requires a Virtual Edge Identity Agent to be hosted locally on the IE3400. This agent assists in metadata collection and in efficient packaging and transmission to the Elisity Virtual Edge for further processing and forwarding to Cloud Control Center.

Catalyst IE3400 can be onboarded either with a Virtual Edge hosted as a VM on a hypervisor, or with a Virtual Edge hosted on a switch that supports application hosting (i.e. Catalyst 9400). To learn more about our Virtual Edge deployment models, read this article.

The following diagram depicts the supported deployment architectures mentioned above. 



 

NOTE:

  • Catalyst IE3400 switches require a Cisco SD Card (P/N SD-IE-4GB) to host the Virtual Edge Identity Agent 
  • IOS-XE version 17.6.4 is the recommended code version to run on IE3400
  • Only IEM3400 switch modules are supported
  • All switches being onboarded must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com. 
  • Catalyst series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.

 

The following chart describes the terminology used in this document.

Cloud Control Center

Elisity's cloud native and cloud delivered control, policy and management plane.

Virtual Edge

The Elisity Cognitive Trust software running as a docker container on either a hypervisor such as VMware ESXi or on a switch that supports Application Hosting.

Virtual Edge Node

An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.

Virtual Edge Identity Agent

Lightweight Elisity application that runs in the IE3400 application hosting container space and assists in metadata collection, efficient packaging and transmission to the Elisity Virtual Edge.

Onboarding Catalyst IE3400 as a Virtual Edge Node


Before we get started, we need to familiarize ourselves with how the Virtual Edge Identity Agent hosted on the IE3400 communicates with the switch itself as well as with the Virtual Edge. 

The Virtual Edge Identity Agent hosted by the IE3400 has two interfaces: guest-interface 0 and guest-interface 1. The first guest interface is used solely to receive identity metadata from the switch, while the second guest interface is used to communicate back to the Virtual Edge. 

The IE3400 must have a dedicated Identity VLAN and VLAN interface for communication with the Virtual Edge Identity Agent. This VLAN cannot be used for any other purpose on the switch and must not be carried on any interface other than the AppGigabitEthernet interface. This VLAN and VLAN interface communicate with the Virtual Edge Identity Agent's guest-interface 0 and must be on the same network.

There must also be another VLAN and gateway (local or remote) available that provides a routed or switched path to the Virtual Edge. This must be in the same network as guest-interface 1 on the Virtual Edge Identity Agent.

Lastly, the IE3400 leverages a virtual interface called AppGigabitEthernet to trunk both VLANs to the container space where the Virtual Edge Identity Agent is hosted; this interface must be configured as a trunk. The AppGigabitEthernet interface is numbered based on whether an additional IEM module is installed. Typically AppGigabitEthernet1/1 is the correct interface when no IEM module is installed.

The following diagram depicts the details explained above.


Step 1:
Make sure the IE3400 you wish to onboard with the Virtual Edge has the following commands configured.

ip routing
iox
ip http authentication local
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
no netconf-yang cisco-ia intelligent-sync


Step 2: 
You should either have a user account with privilege 15 configured or TACACS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the IE3400. Execute the following command under global configuration mode if a local account is being used and is not already configured:

switch(config)# username <username> privilege 15 secret 0 <password>

Add the following commands to your IE3400 configuration if using TACACS.

switch(config)# aaa authentication login HTTP_AUTH group <group name> local
switch(config)# ip http authentication aaa login-authentication HTTP_AUTH

 

Step 3: Copy the Virtual Edge Identity Agent .tar file to the IE3400 internal flash using SCP, FTP or whatever method you prefer. 

Step 4: Log into Cloud Control Center and navigate to Policy Fabric > Elisity Edge. Find the Virtual Edge you want to use to onboard your IE3400 as a Virtual Edge Node for policy enforcement, select the more options icon to its right, and then select Add Virtual Edge Node.


Step 5: Fill out the required fields and select Submit. Details about each field are provided in the chart below. These details can always be viewed and edited by selecting the more options icon to the right and selecting Edit Virtual Edge Node Configuration. 

 


 

The following chart provides details about each required field.

 

Switch Management IP

This is the management IP of the IE3400 you wish to onboard as a Virtual Edge Node for policy enforcement. This can be any IP as long as it is reachable by the previously deployed Virtual Edge container. This field is mandatory.

Switch Admin Username

This is the admin username of the IE3400 you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. 

Switch Admin Password

This is the admin password of the IE3400 you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory.

Virtual Edge Node Location Address

The location of the IE3400 you wish to onboard as a Virtual Edge Node so that Cloud Control Center reflects the location of the onboarded switch. This field is optional. 

 

Step 6: Create the Identity VLAN and VLAN interface. 

switch(config)# vlan 10
switch(config-vlan)# name Identity_VLAN

switch(config)# interface vlan 10
switch(config-if)# description Identity_SVI
switch(config-if)# ip address 192.168.10.1 255.255.255.0

 

Step 7: Usually the second VLAN that provides connectivity to the Virtual Edge for the Virtual Edge Identity Agent already exists. If it does not, go ahead and create this VLAN and VLAN interface as a gateway (if locally routed) and make sure it can provide connectivity to the Virtual Edge. 

 

switch(config)# vlan 11
switch(config-vlan)# name Gateway_VLAN

*** If locally routed ***

switch(config)# interface vlan 11
switch(config-if)# description Gateway_SVI
switch(config-if)# ip address 192.168.11.1 255.255.255.0

 

Step 8: Configure the appropriate AppGigabitEthernet interface as a trunk to carry both the Identity VLAN and the Gateway VLAN.

 

switch(config)# interface AppGigabitEthernet1/1
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 10,11

 

Step 9: Use the following example, chart and diagram to configure the IE3400 to host the Virtual Edge Identity Agent. You will need to assign an IP to guest-interface 0 and guest-interface 1 based on the VLAN and networks previously configured. Make sure to change all of the IP addresses in the example below to those that are relevant for your deployment. 

 

Identity VLAN

Dedicated Identity VLAN for communication with the Virtual Edge Identity Agent. This VLAN cannot be used for any other purpose on the switch and must not be carried on any interface other than the AppGigabitEthernet interface. This VLAN communicates with the Virtual Edge Identity Agent's guest-interface 0 and must be on the same network.

Gateway VLAN

A gateway VLAN available that provides a routed or switched path to the Virtual Edge. This must be in the same network as guest-interface 1 on the Virtual Edge Identity Agent. 

Identity VLAN IP

IP address in the Identity VLAN subnet assigned to guest-interface 0 of the Virtual Edge Identity Agent. This IP is used for communication between the IE3400 and the Virtual Edge Identity Agent. The IE3400 should also have a VLAN interface configured with an IP address in the same VLAN and subnet. 

Gateway VLAN IP

IP address in the Gateway VLAN subnet assigned to guest-interface 1 of the Virtual Edge Identity Agent. This IP is used for communication between the Virtual Edge Identity Agent and the Virtual Edge. The IE3400 may also have a VLAN interface configured with an IP address in the same VLAN and subnet if it is being used as a local default gateway. If the default gateway for this VLAN is remote (upstream), no IP address in this VLAN is required on the IE3400. 

Gateway VLAN Default Gateway

IP address of the Gateway VLAN default gateway. This may be local to the IE3400 or remote (upstream). The only requirement is that this IP be layer 2 reachable by the Virtual Edge Identity Agent and provide a routed path to the Virtual Edge.

Management IP

The IP address of the IE3400 that was defined during onboarding into Cloud Control Center in Step 5.

Virtual Edge IP

The IP address of the Virtual Edge being used to onboard the IE3400.

 

app-hosting appid VE
 app-vnic AppGigabitEthernet trunk
  vlan <Identity VLAN> guest-interface 0
   guest-ipaddress <Identity VLAN IP> netmask <Subnet Mask>
  vlan <Gateway VLAN> guest-interface 1
   guest-ipaddress <Gateway VLAN IP> netmask <Subnet Mask>
 app-default-gateway <Gateway VLAN Default Gateway> guest-interface 1
 app-resource docker
  run-opts 1 "--entrypoint /etc/init.d/edge"
  run-opts 2 --cap-add=NET_ADMIN
  run-opts 3 "--ulimit nofile=90000:90000"
  run-opts 4 "--env EDGE_TYPE=VE-AGENT --env EDGE_UPLINK_IP=<Gateway VLAN IP> --env EDGE_AGENT_SRC=<Management IP> --env EDGE_AGENT_DST=<Virtual Edge IP>"
  run-opts 5 "--hostname VE-AGENT"
 app-resource profile custom
  cpu 1400
  memory 768
  vcpu 2
  persist-disk 1024
 name-server0 8.8.8.8
 start

*** Example Config ***

app-hosting appid VE
 app-vnic AppGigabitEthernet trunk
  vlan 10 guest-interface 0
   guest-ipaddress 192.168.10.2 netmask 255.255.255.0
  vlan 11 guest-interface 1
   guest-ipaddress 192.168.11.2 netmask 255.255.255.0
 app-default-gateway 192.168.11.1 guest-interface 1
 app-resource docker
  run-opts 1 "--entrypoint /etc/init.d/edge"
  run-opts 2 --cap-add=NET_ADMIN
  run-opts 3 "--ulimit nofile=90000:90000"
  run-opts 4 "--env EDGE_TYPE=VE-AGENT --env EDGE_UPLINK_IP=192.168.11.2 --env EDGE_AGENT_SRC=192.168.11.1 --env EDGE_AGENT_DST=10.1.1.1"
  run-opts 5 "--hostname VE-AGENT"
 app-resource profile custom
  cpu 1400
  memory 768
  vcpu 2
  persist-disk 1024
 name-server0 8.8.8.8
 start

 

Step 10: The .tar file was previously copied to IE3400 internal flash in step 3. Install the Virtual Edge Identity Agent application on the IE3400 using the following command. 

switch# app-hosting install appid VE package flash:<tar file name>

 

Step 11: Verify that the Virtual Edge Identity Agent is running using the following command.

switch# show app-hosting list
App id                                   State
---------------------------------------------------------
VE                                       RUNNING

 

Step 12: Log into the CLI of the Virtual Edge you are using to onboard the IE3400 with and generate the flow export configuration. If you need help accessing the CLI of the Virtual Edge, review this document or contact your Elisity support engineer. 

Make sure to change the IP addresses and VLAN in the example below to those that are relevant for your deployment. 

NOTE:

This is an important step and must not be skipped. Not only does it generate the flow export configuration, it also sets up the Virtual Edge to listen for data coming from the Virtual Edge Identity Agent running on the IE3400. In a future release, this will be automated.

 

pshell generate erspan-config --address <Identity Agent IP> --vlan <Identity VLAN> --interface "<Interface Range>"

*** Example Config ***

> pshell generate erspan-config --address 192.168.10.2 --vlan 10 --interface "GigabitEthernet1/1 - 10"

*** Output ***

monitor session 1 source interface GigabitEthernet1/1 - 10 rx
monitor session 1 destination remote vlan 10
monitor session 1 destination format-erspan 192.168.10.2

 

Step 13: Use the flow export configuration generated in the previous step to configure the IE3400 to enable flow export of the identity metadata to the Virtual Edge Identity Agent. In an upcoming release this configuration will be automated. 

switch(config)# monitor session 1 source interface Gi1/1 - 10 rx
switch(config)# monitor session 1 destination remote vlan 10
switch(config)# monitor session 1 destination format-erspan 192.168.10.2
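The addressing rules from Step 9 and the ERSPAN export from Steps 12 and 13 are easy to get subtly wrong. The following pre-flight checker is an added example (not Elisity's or Cisco's code) that reads an IE3400 running-config excerpt and reports the mismatches this document calls out: guest-interface 0 outside the Identity SVI subnet, an app-default-gateway that is not layer 2 reachable from guest-interface 1, the Identity VLAN allowed on a trunk other than AppGigabitEthernet, and a monitor session that does not point at guest-interface 0 over the Identity VLAN. The config excerpt and all addresses in it are constructed for the example.

```python
import ipaddress
import re

# Constructed IE3400 running-config excerpt (not from a real device); the Identity
# VLAN is deliberately allowed on an uplink trunk so that one problem is reported.
SAMPLE_CONFIG = """
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,11,20
interface AppGigabitEthernet1/1
 switchport trunk allowed vlan 10,11
app-hosting appid VE
 app-vnic AppGigabitEthernet trunk
  vlan 10 guest-interface 0
   guest-ipaddress 192.168.10.2 netmask 255.255.255.0
  vlan 11 guest-interface 1
   guest-ipaddress 192.168.11.2 netmask 255.255.255.0
 app-default-gateway 192.168.11.1 guest-interface 1
monitor session 1 destination remote vlan 10
monitor session 1 destination format-erspan 192.168.10.2
"""

def check_ie3400_agent_config(config):
    """Return a list of problems; an empty list means the excerpt is consistent."""
    guest = {int(i): (int(v), ipaddress.IPv4Interface(f"{a}/{m}")) for v, i, a, m in
             re.findall(r"vlan (\d+) guest-interface (\d)\s+guest-ipaddress (\S+) netmask (\S+)", config)}
    svi = {int(v): ipaddress.IPv4Interface(f"{a}/{m}") for v, a, m in
           re.findall(r"interface Vlan(\d+)\n ip address (\S+) (\S+)", config)}
    trunks = {p: {int(x) for x in vl.split(",")} for p, vl in
              re.findall(r"interface (\S+)\n switchport trunk allowed vlan ([\d,]+)", config)}
    gw = re.search(r"app-default-gateway (\S+) guest-interface 1", config)
    rvlan = re.search(r"destination remote vlan (\d+)", config)
    erspan = re.search(r"destination format-erspan (\S+)", config)
    id_vlan, id_ip = guest[0]          # Identity VLAN and guest-interface 0 address
    gw_net = guest[1][1].network       # Gateway VLAN subnet seen by guest-interface 1
    problems = []
    if id_vlan not in svi or svi[id_vlan].network != id_ip.network:
        problems.append(f"Identity VLAN {id_vlan} has no SVI in subnet {id_ip.network}")
    if gw is None or ipaddress.IPv4Address(gw.group(1)) not in gw_net:
        problems.append(f"app-default-gateway missing or outside {gw_net}")
    # Only the AppGigabitEthernet trunk may carry the Identity VLAN
    for port, vlans in trunks.items():
        if id_vlan in vlans and not port.startswith("AppGigabitEthernet"):
            problems.append(f"Identity VLAN {id_vlan} is allowed on trunk {port}")
    if rvlan is None or int(rvlan.group(1)) != id_vlan:
        problems.append("monitor session remote vlan does not match the Identity VLAN")
    if erspan is None or erspan.group(1) != str(id_ip.ip):
        problems.append("monitor session format-erspan address is not guest-interface 0")
    return problems
```

Run `check_ie3400_agent_config` over the output of `show running-config` before Step 14; an empty result means the switch-side configuration is consistent, so a node that does not reach Registered points to IP connectivity rather than a configuration mismatch.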

 

Step 14: Refresh Cloud Control Center and select the expand icon next to the Virtual Edge you used to onboard the IE3400. The Virtual Edge Node should show as Registered. If the status doesn't show Registered after a couple of minutes, there is an IP connectivity issue between the Virtual Edge and the IE3400 you are trying to onboard as a Virtual Edge Node.


 

You can select the Virtual Edge Node name to see more details about the IE3400 you just onboarded. 

 


 

Step 15: Enable Device Track. The Device Track feature enables the Virtual Edge Node to glean additional user, application, and device information via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after onboarding a Virtual Edge Node.


The Virtual Edge will dynamically configure the Virtual Edge Node with the appropriate IOS-XE configuration for the Virtual Edge to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies will be pushed to the appropriate Virtual Edge Node immediately after onboarding.

 

Disabling Elisity Identity on Select Switchports

In some scenarios it may be beneficial to disable Elisity Identity on select switchports such as on an uplink trunk port so as not to collect the identity and flow information from devices upstream from the local switch. Disabling Elisity Identity on a switchport means that CDT and Flow collection will be removed from that specific switchport. 

Step 1: Next to the Virtual Edge Node, select the more options button and select Virtual Edge Node Port Configuration. 

 


Step 2: 
Select the interface you want to disable Elisity Identity on and select Submit. 

 

 

Decommissioning and Deleting an IE3400 Virtual Edge Node

Step 1: Select the more options icon to the right of the Virtual Edge Node and then select Decommission Virtual Edge Node. The Virtual Edge Node status will say Decommissioned.



Step 2:
Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.