Elisity Overview for Enterprise Network Pros
Introduction
Microsegmentation projects are known as never-ending projects. There are many paths to achieving microsegmentation, from NAC/802.1x to Agents to Firewalls and VLANs everywhere.
Elisity’s platform is different. Already trusted by pharmaceuticals, healthcare systems, and manufacturing companies, its microsegmentation platform is designed with an identity-centric model that decouples access from the underlying network and infrastructure. It can be deployed with your existing switching infrastructure at scale in days or weeks, not months or years.
No New Hardware -- No New VLANs/Firewall Rules -- No Host/Agent-Based Enforcement
Elisity deploys in hours without any network outages. Then, within minutes, you’ll gain visibility into network assets and flows, and within an hour, you can create your first policies and simulate and/or deploy them with confidence. Elisity keeps the control and data planes separate and independent. By design, Elisity’s Virtual Edge Nodes don't process or intercept packets; they rely on your existing switch to do so.
How It Works:
No Agents. No Hardware. Cloud-delivered Identity-based Microsegmentation
Elisity uses your existing network hardware and software investments, maximizing the value of what your organization has already built. This approach optimizes costs, accelerates deployment times, and enhances the return on investment for network security infrastructure.
Elisity transforms your existing switching infrastructure into policy enforcement nodes through our innovative technology called Virtual Edge. Virtual Edge translates identity and policy data from Cloud Control Center into policy enforcement mechanisms native to the onboarded switches, called Virtual Edge Nodes (VENs). This approach allows rapid onboarding of existing infrastructure into the Elisity fabric, with large numbers of VENs controlled by a single Virtual Edge.
Elisity Implementation vs. Legacy Solutions
Frequently Asked Questions (FAQ)
1) What is Elisity pulling from the switch/traffic (flow data)?
Elisity Virtual Edge is a secure virtual appliance that provides identity-based Zero Trust control and microsegmentation at the network edge. When deployed, it gathers critical identity metadata from traffic flows, such as:
- Device Identifiers (e.g., MAC/IP addresses)
- MAC-to-IP address mapping
- Switchport location via DHCP and ARP snooping, including VLAN and Subnet
- Source and destination IP addresses
- TCP/UDP port information
This data is collected using your existing switch infrastructure. The Elisity Cloud Control Center then uses this information for further identity and policy classification.
2) What feature/function is Elisity using for policy enforcement (tagging)?
Elisity enforces policies using your existing network switches and its innovative Virtual Edge Distribution Zones (DZs). DZs are logical segments within your network that efficiently manage policy enforcement.
- Policy Tag Distribution: Within each DZ, Elisity assigns device-to-Policy Group (PG) tags based on identity metadata, ensuring local policy enforcement and reducing the need for complex, end-to-end tagging.
- Intelligent Tag Distribution: For traffic crossing between zones, Elisity dynamically distributes tags using its Intelligent Tag Distribution system, maintaining consistent policy enforcement without overwhelming the network.
- Scalability and Optimization: DZs allow Elisity to scale policy enforcement across large environments, overcoming hardware limits like the 10,000 IP-SGT mapping cap on Cisco Catalyst 9K switches. This approach also optimizes network performance by enforcing policies close to the source, minimizing unnecessary traffic and ensuring precise security.
3) Will Elisity impact network performance and why?
Elisity minimizes network performance impact by using switch-native policy enforcement mechanisms, leaving the data plane untouched. This means that traffic flows on your network remain completely unaltered. Operating at the control plane, Elisity enforces policies without disrupting data flow.
However, enabling high-volume logging can increase CPU usage on Virtual Edge Nodes (VENs) due to syslog message generation. While normal operations remain unaffected, it's advisable to monitor VEN performance and adjust logging settings if needed. We offer per-rule logging and Final Policy Action logging to help manage performance risks effectively.
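The two answers above describe policy as a relationship between identity-derived Policy Group tags rather than between IP addresses, evaluated in simulate or enforce mode, with per-rule and final-action logging as separate knobs. The following toy model is an added illustration of that idea and is not Elisity's code; the device attributes, Policy Group names, classification rules and the `PolicyEngine` class are all constructed for the example. It shows why a device keeps its policy when it is re-addressed or moves VLAN, and how the two logging options change the volume of log messages produced per flow.

```python
# Toy model of identity-based microsegmentation policy evaluation.
# Added illustration only: not Elisity's code. Policy Group names, device
# attributes and classification rules below are constructed for the example.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    """Identity record learned at the edge: MAC, IP, VLAN plus identity attributes."""
    mac: str
    ip: str
    vlan: int
    device_type: str
    owner: str


@dataclass(frozen=True)
class Rule:
    src_pg: str
    dst_pg: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"
    log: bool = False       # per-rule logging switch


@dataclass
class Decision:
    action: str
    rule: Optional[Rule]
    enforced: bool          # False in simulate mode: the decision is reported, not applied
    logs: List[str] = field(default_factory=list)


def assign_policy_group(dev: Device) -> str:
    """Map identity metadata to a Policy Group tag (constructed classification)."""
    if dev.device_type in ("infusion_pump", "patient_monitor"):
        return "Clinical-IoT"
    if dev.device_type == "server" and dev.owner == "ehr":
        return "EHR-Servers"
    if dev.device_type == "workstation":
        return "Corp-Workstations"
    return "Unclassified"


class PolicyEngine:
    def __init__(self, rules, default_action="deny", final_action_log=True):
        self.rules = list(rules)
        self.default_action = default_action
        self.final_action_log = final_action_log
        self.inventory = {}  # ip -> Device, i.e. the MAC-to-IP mapping

    def learn(self, dev: Device) -> None:
        # A device that was re-addressed keeps one inventory entry, keyed by its MAC.
        for ip, known in list(self.inventory.items()):
            if known.mac == dev.mac:
                del self.inventory[ip]
        self.inventory[dev.ip] = dev

    def evaluate(self, src_ip, dst_ip, proto, dport, mode="simulate") -> Decision:
        src = self.inventory.get(src_ip)
        dst = self.inventory.get(dst_ip)
        src_pg = assign_policy_group(src) if src else "Unknown"
        dst_pg = assign_policy_group(dst) if dst else "Unknown"
        matched = None
        for rule in self.rules:  # first match wins, as in an ordered ACL
            if (rule.src_pg == src_pg and rule.dst_pg == dst_pg
                    and rule.proto in (proto, "any")
                    and rule.dport in (dport, None)):
                matched = rule
                break
        action = matched.action if matched else self.default_action
        logs = []
        if matched is not None and matched.log:
            logs.append(f"rule {src_pg}->{dst_pg} {proto}/{dport} {action}")
        if self.final_action_log:
            logs.append(f"final {src_ip}->{dst_ip} {proto}/{dport} {action} mode={mode}")
        return Decision(action, matched, enforced=(mode == "enforce"), logs=logs)


def build_demo_engine(final_action_log=True) -> PolicyEngine:
    """Constructed sample inventory and group-to-group rules."""
    rules = [
        Rule("Clinical-IoT", "EHR-Servers", "tcp", 443, "allow", log=True),
        Rule("Corp-Workstations", "EHR-Servers", "tcp", 443, "allow"),
    ]
    eng = PolicyEngine(rules, final_action_log=final_action_log)
    eng.learn(Device("00:11:22:33:44:01", "10.1.10.5", 10, "infusion_pump", "biomed"))
    eng.learn(Device("00:11:22:33:44:02", "10.1.20.9", 20, "server", "ehr"))
    eng.learn(Device("00:11:22:33:44:03", "10.1.30.7", 30, "workstation", "corp"))
    return eng


if __name__ == "__main__":
    eng = build_demo_engine()
    d = eng.evaluate("10.1.10.5", "10.1.20.9", "tcp", 443)        # simulate by default
    print(d.action, d.enforced, d.logs)
    # Re-address the pump (new IP and VLAN); its Policy Group, and so its policy, is unchanged.
    eng.learn(Device("00:11:22:33:44:01", "10.1.40.5", 40, "infusion_pump", "biomed"))
    print(eng.evaluate("10.1.40.5", "10.1.20.9", "tcp", 443, mode="enforce").action)
```

Run stand-alone, the script shows an allowed pump-to-EHR flow in simulate mode, then the same device allowed after a move to another subnet and VLAN; a workstation reaching the pump on a port no rule covers falls through to the default deny and produces only the final-action log line.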
4) Can we implement policy enforcement at the aggregation layer?
Yes, we can implement policy enforcement at the aggregation layer.
This approach is suitable in scenarios such as:
- When access switches do not support the necessary features for policy enforcement.
- When Wireless LAN Controllers (WLCs) or other critical devices are connected directly at the aggregation layer.
- When there is a specific use case for limiting traffic flow at the aggregation layer.
However, it’s important to note that policy enforcement is generally most effective when applied as close to the network edge as possible, where assets are directly connected. While aggregation layer enforcement is a viable solution, it is less optimal for controlling east-west traffic, which is best managed at the access layer.
5) Where can the Elisity Virtual Edge be deployed?
Virtual Edge can be installed anywhere on your network: on a VM, in a container, or on a supported Cisco switch itself.
Recommended requirements to run the Virtual Edge VM on a hypervisor (for example VMware ESXi 7.x or later; VMware vCenter is supported):
- 2 CPU (4 vCPU with hyper-threading)
- 2 GB RAM
- 40 GB storage
- 1 x virtual network adapter
Cisco switches that support hosting the Virtual Edge container:
- Catalyst 9300 Series: 17.6.6a/17.9.4*
- Catalyst 9300L Series: 17.6.6a/17.9.4*
- Catalyst 9400 Series: 17.6.6a/17.9.4*
6) Elisity enforces policy in your existing switch infrastructure. What switch models/code versions does it work with?
An up-to-date list is always kept here: https://support.elisity.com/hc/en-us/articles/15540856958740-Switch-Compatibility-Matrix
Cisco:
- Catalyst 9200 Series*: 17.6.6a/17.9.4
- Catalyst 9300 Series: 17.6.6a/17.9.4
- Catalyst 9300L Series: 17.6.6a/17.9.4
- Catalyst 9400 Series: 17.6.6a/17.9.4
- Catalyst 9500 Series: 17.6.6a/17.9.4
- Catalyst 9600 Series (Beta): 17.6.6a/17.9.4
- Catalyst 3850 Series: 16.12.10a
- Catalyst 3650 Series: 16.12.10a
- Catalyst IE3400 Series: 17.6.6a/17.9.4
Arista:
- 720XP (Beta): 4.30.3M
Juniper:
- EX4400: 22.4R1
Additional switch models will be supported in future releases.
Case Study: Global Biopharma Company GSK is Deploying Elisity with Unprecedented Speed
“Elisity’s deployment at GSK is nothing short of revolutionary, making every other solution pale in comparison.”
Michael Elmore
CISO at GSK
Sites per week: as GSK rides the wave of global expansion, it successfully initiates three new Elisity-powered sites every week.
About Elisity
Elisity is leading the enterprise effort to achieve Zero Trust maturity and reduce network security complexity by replacing legacy architectures that don’t scale, lack visibility, and rely on implicit trust. The Elisity platform provides every device and network with a Zero Trust identity-based microsegmentation architecture that accelerates the transition to explicit access policies aligned with business objectives. Elisity’s granular policies are managed in the cloud and enforced everywhere in real time, even on ephemeral IT/IoT/OT devices. The AI/ML-powered solution automates discovery and policy enforcement and integrates with existing ecosystems to enable a scalable, unified approach. Founded in 2019, Elisity has a global employee footprint and a growing number of customers in the Fortune 500.