<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2849132&amp;fmt=gif">

Elisity Overview for Enterprise Network Pros

     

Introduction

Microsegmentation projects are known as never-ending projects. There are many paths to achieving microsegmentation, from NAC/802.1x to Agents to Firewalls and VLANs everywhere.

Elisity’s platform is different. Already trusted by pharmaceuticals, healthcare systems, and manufacturing companies, its microsegmentation platform is designed with an identity-centric model that decouples access from the underlying network and infrastructure. It can be deployed with your existing switching infrastructure at scale in days or weeks, not months or years

NO NEW Hardware -- No NEW VLANs/Firewall Rules -- No Host/Agent-Based Enforcement

Elisity deploys in hours without any network outages. Then, within minutes, you’ll gain visibility into network assets and flows, and within an hour, you can create your first policies and simulate and/or deploy them with confidence. Elisity keeps the control and data planes separate and independent. By design Elisity’s Virtual Edge Nodes doesn't process or intercept packets, but instead relies on your existing switch to do so.

Download this White Paper

    

How It Works:

No Agents. No Hardware. Cloud-delivered Identity-based Microsegmentation

elisity-architecture-diagram

Elisity uses your existing network hardware and software investments, maximizing the value of what your organization has already built. This approach optimizes costs, accelerates deployment times, and enhances the return on investment for network security infrastructure.

Elisity transforms your existing switching infrastructure into policy enforcement nodes through our innovative technology called Virtual Edge. Virtual Edge translates identity and policy data from Cloud Control Center into policy enforcement mechanisms native to the onboarded switches, called Virtual Edge Nodes (VENs). This approach allows rapid onboarding of existing infrastructure into the Elisity fabric, with large numbers of VENs controlled by a single Virtual Edge.

 

Elisity Implementation vs. Legacy Solutions

Screenshot 2024-07-18 at 3.34.03 PM

FAQ Frequently Asked Questions

1) What is Elisity pulling from the switch/traffic (flow data)?

Elisity Virtual Edge is a secure virtual appliance that provides identity-based zero trust control and microsegmentation at the network edge. When deployed, it gathers critical identity metadata from traffic flows and , such as:

  • Device Identifiers (e.g., MAC/IP addresses)
  • MAC-to-IP address mapping
  • Switchport location via DHCP and ARP snooping, including VLAN and Subnet
  • Source and destination IP addresses
  • TCP/UDP port information

This data is collected using your existing switch infrastructure. The Elisity Cloud Control Center then uses this information for further identity and policy classification.

2) What feature/function is Elisity using for policy enforcement (tagging)?

Elisity enforces policies using your existing network switches and its innovative Virtual Edge Distribution Zones (DZs). DZs are logical segments within your network that efficiently manage policy enforcement.

  • Policy Tag Distribution: Within each DZ, Elisity assigns device-to-Policy Group (PG) tags based on identity metadata, ensuring local policy enforcement and reducing the need for complex, end-to-end tagging.
  • Intelligent Tag Distribution: For traffic crossing between zones, Elisity dynamically distributes tags using its Intelligence Tag Distribution system, maintaining consistent policy enforcement without overwhelming the network.
  • Scalability and Optimization: DZs allow Elisity to scale policy enforcement across large environments, overcoming hardware limits like the 10,000 IP-SGT mapping cap on Cisco Catalyst 9K switches. This approach also optimizes network performance by enforcing policies close to the source, minimizing unnecessary traffic and ensuring precise security.

3) Will Elisity impact network performance and why?

Elisity minimizes network performance impact by using switch-native policy enforcement mechanisms, leaving the dataplane untouched. This means that traffic flows on your network remain completely unaltered. Operating at the control plane, Elisity enforces policies without disrupting data flow.

However, enabling high-volume logging can increase CPU usage on Virtual Enforcement Nodes (VENs) due to syslog message generation. While normal operations remain unaffected, it's advisable to monitor VEN performance and adjust logging settings if needed. We offer per-rule logging and Final Policy Action logging to help manage performance risks effectively.

4) Can we implement policy enforcement at the aggregation layer?

Yes, we can implement policy enforcement at the aggregation layer.

This approach is suitable in scenarios such as:

  • When access switches do not support the necessary features for policy enforcement.
  • When Wireless LAN Controllers (WLCs) or other critical devices are connected directly at the aggregation layer.
  • When there is a specific use case for limiting traffic flow at the aggregation layer.

However, it’s important to note that policy enforcement is generally most effective when applied as close to the network edge as possible, where assets are directly connected. While aggregation layer enforcement is a viable solution, it is less optimal for controlling east-west traffic, which is best managed at the access layer.

5) Where can the Elisity Virtual Edge be deployed?

They can be installed anywhere on your network on a VM, in a container or on a supported Cisco switch itself. The recommended requirements to run Virtual Edge VM on a hypervisor, for example: VMware ESXi 7.x or later. VMware vCenter is supported. 2 CPU (4 vCPU with hyper-threading) 2 GB RAM 40 GB Storage 1 x Virtual Network Adapter Cisco switches That Support Hosting Virtual Edge Container Catalyst 9300 Series 17.6.6a/17.9.4* Catalyst 9300L Series 17.6.6a/17.9.4* Catalyst 9400 Series 17.6.6a/17.9.4*

6) Elisity enforces policy in your existing switch infrastructure. What switch models/code versions does It work with?

An up-to-date list is always kept here: https://support.elisity.com/hc/en-us/articles/15540856958740-Switch-Compatibility-Matrix

CISCO: Catalyst 9200 Series* 17.6.6a/17.9.4 Catalyst 9300 Series 17.6.6a/17.9.4 Catalyst 9300L Series 17.6.6a/17.9.4 Catalyst 9400 Series 17.6.6a/17.9.4 Catalyst 9500 Series 17.6.6a/17.9.4 Catalyst 9600 Series (Beta) 17.6.6a/17.9.4 Catalyst 3850 Series 16.12.10a Catalyst 3650 Series 16.12.10a Catalyst IE3400 Series 17.6.6a/17.9.4

Arista: 720XP (Beta) 4.30.3M

Juniper: EX4400 22.4R1

Additional switch models will be supported in future releases.

 

GSK-Logo

Case Study: Global Biopharma Company GSK is Deploying Elisity with Unprecedented Speed

“Elisity’s deployment at GSK is nothing short of revolutionary, making every other solution pale in comparison.”
michael-elmore
Michael Elmore

CISO at GSK

:30

Minutes

With a striking speed of less than 30 minutes per location, Elisity's integration is bolstering GSK's operations like never before. 

 

3

Sites Per Week

As GSK rides the wave of global expansion, it successfully initiates three new Elisity-powered sites every week.

About Elisity

 

Elisity is leading the enterprise effort to achieve Zero Trust maturity and reduce network security complexity by replacing legacy architectures that don’t scale, lack visibility, and rely on implicit trust. The Elisity platform provides every device and network with a Zero Trust identity-based microsegmentation architecture that accelerates the transition to explicit access policies aligned with business objectives. Elisity’s granular policies are managed in the cloud and enforced everywhere in real time, even on ephemeral IT/IoT/OT devices. The AI/ML-powered solution automates discovery and policy enforcement and integrates with existing ecosystems to enable a scalable, unified approach. Founded in 2019, Elisity has a global employee footprint and a growing number of customers in the Fortune 500.

Download this Solution Brief

Related Articles

From Our Blog

Stay up to date with what is new in our industry, learn more about the upcoming products and events.

Healthcare Cybersecurity in 2025: Why Claroty's Medigate, Microsegmentation and IoMT Security Are Critical for Compliance
Healthcare Cybersecurity Compliance with Claroty's Medigate and Elisity Microsegmentation

Healthcare Cybersecurity in 2025: Why Claroty's Medigate, Microsegmentation and IoMT Security Are Critical for Compliance

5 min read
Building Cyber Resilience: A 2025 Strategy Guide for Manufacturing and Healthcare Organizations
Cyber Resilience Strategies in 2025

Building Cyber Resilience: A 2025 Strategy Guide for Manufacturing and Healthcare Organizations

3 min read
Zero-Day Exploits in 2024: What We Learned and Why Lateral Movement Prevention is Critical for Enterprise Security
Blog Zero-Day Exploits in 2024 and Why Lateral Movement

Zero-Day Exploits in 2024: What We Learned and Why Lateral Movement Prevention is Critical for Enterprise Security

6 min read