This compatibility matrix shows supported switches that can be onboarded as Policy Enforcement Points (Virtual Edge Nodes) as well as switches that can host our Virtual Edge Container. The matrix also details firewalls that support integration with Elisity Cloud Control Center.
Switches That Support Hosting Virtual Edge Container
Cisco
| Model | Minimum Recommended IOS Code |
|---|---|
| Catalyst 9300 Series | 17.9.4 |
| Catalyst 9300X Series | 17.15.1 |
| Catalyst 9300L Series | 17.9.4 |
| Catalyst 9300LM Series * | 17.9.4 |
| Catalyst 9400 Series | 17.9.4 |
Switches Supported as Virtual Edge Nodes for Policy Enforcement
Cisco
| Model | Minimum Recommended IOS Code |
|---|---|
| Catalyst 9200 Series | 16.10.1 |
| Catalyst 9200CX Series | 16.10.1 |
| Catalyst 9200L Series | 16.10.1 |
| Catalyst 9300 Series | 16.10.1 |
| Catalyst 9300X Series | 17.15.1 |
| Catalyst 9300L Series | 16.11.1 |
| Catalyst 9350 Series | 17.18.1 |
| Catalyst 9400 Series | 16.10.1 |
| Catalyst 9500 Series * | 16.10.1 |
| Catalyst 9600 Series * | 16.10.1 |
| Catalyst 3850 Series | 3.07.05E |
| Catalyst 3650 Series | 3.07.05E |
| Catalyst IE3400 Series | 17.9.4 |
| Catalyst 9800 Series Wireless Controller | 17.9.4 ** |
Cisco Notes:
- The recommended IOS code listed for each switch in the above chart is based on Elisity QA testing. Older versions of code may still operate with potential caveats.
- Any switch on the list above can be onboarded to any Elisity Virtual Edge (either Hypervisor-Hosted Virtual Edge or Switch-Hosted Virtual Edge).
- Cisco StackWise Virtual is supported.
- Elisity recommends onboarding access layer infrastructure as Virtual Edge Nodes (VENs, the policy enforcement points). However, some environments may not have supported switches deployed at the access layer. In these scenarios, aggregation layer switches can be onboarded as VENs and offer many of the same benefits. See this guide for design details.
- * Catalyst 9500X and 9600X are not supported for Flow Telemetry collection.
- ** 17.9.4 is the minimum supported version on the 9800 WLC. Cisco IOS XE 17.15.4 or newer is recommended to support Intra-SSID/VLAN enforcement.
Arista
| Model | Min EOS Code |
|---|---|
| CCS-720XP-48Y6-F | 4.30.3M |
| CCS-720XP-48ZC2-F | 4.30.3M |
| CCS-720XP-96ZC2 | 4.30.3M |
| CCS-720DP (48S) | 4.30.3M |
| CCS-722XPM-48ZY8 | 4.30.3M |
| DCS-7050SX3-48YC8 | 4.30.3M |
| DCS-7010TX-48 | 4.30.3M |
| CCS-720DF* | 4.30.3M |
| CCS-720DT* (excluding CCS-720DT-24S) | 4.30.3M |
| CCS-750* | 4.30.3M |
| CCS-755* | 4.30.3M |
| DCS-7010TX* | 4.30.3M |
| DCS-7050CX3* | 4.30.3M |
| DCS-7050SX3* | 4.30.3M |
| DCS-7050TX3* | 4.30.3M |
| DCS-7300X3* | 4.30.3M |
| 7500R3* ** (TCAM profile req.) | N/A |
| 7800R* ** (TCAM profile req.) | N/A |
| 7280R3* ** (TCAM profile req.) | N/A |
Arista Notes:
* The switch vendor supports the functionality (on the specified switch for the specified minimum code version) that Elisity requires to enable telemetry and enforce policy. Hardware labeled with * has not been tested/validated by Elisity.
** The switch requires a specific TCAM template for MSS to function and is validated for lab use only. It is not recommended for production deployment.
Please refer to the Onboarding Arista Switches as a Virtual Edge Node article for caveats.
Juniper
| Model | Minimum JunOS Code |
|---|---|
| EX4100 | 22.4R1 |
| EX4400 | 22.4R1 |
| QFX5120* (32C, 48Y) | 22.4R1 |
| EX4650* | 22.4R1 |
Juniper Notes:
Hardware marked with * has not been tested or validated by Elisity. Support is based on available switch vendor functionality for the specified models and minimum software versions, and some platforms may not support simultaneous telemetry and policy enforcement due to hardware limitations.
Juniper switches can be onboarded via Juniper Mist or using direct integration.
- Please refer to the Onboarding Juniper Switches as Virtual Edge Nodes (Juniper Mist) article for caveats regarding onboarding via Juniper Mist.
- Please refer to the Onboarding Juniper Switches as a Virtual Edge Node (Direct Switch Integration) article for caveats regarding onboarding switches directly as Virtual Edge Nodes.
HPE Aruba
| Model | Min HPE Code |
|---|---|
| HPE Aruba 6200 Series* | 10.15 |
| HPE Aruba 6300 Series | 10.11+ |
| HPE Aruba 6400 CX Series* | 10.11+ |
HPE Aruba Notes:
* The switch vendor supports the functionality (on the specified switch for the specified minimum code version) that Elisity requires to enable telemetry and enforce policy. Hardware labeled with * has not been tested/validated by Elisity.
Can only be managed by Virtual Edge VM.
- Please refer to the Onboarding HPE Aruba switches as a Virtual Edge Node article for details and caveats.
Hirschmann
| Model | Min Hirschmann Code |
|---|---|
| OS2x | Octopus 2 |
Hirschmann Notes:
Can only be managed by Virtual Edge VM.
Firewalls Supporting Integration with Cloud Control Center
Palo Alto Networks
| Model | Minimum Recommended PAN-OS Code |
|---|---|
| Palo Alto Networks VM Series | 10.2+ |
| Palo Alto Networks NGFW | 10.2+ |
| Palo Alto Panorama | 10.2+ |
Palo Alto Networks Notes:
Palo Alto Networks firewalls can be onboarded via our Panorama integration, or can be directly onboarded by a Virtual Edge.
- Panorama - Please refer to the Palo Alto Networks Panorama Integration - Policy Group Derived Dynamic Address Groups (DAG) article for more information.
- Direct Firewall Integration - Please refer to the Palo Alto Networks Firewall Integration - Policy Group Derived Dynamic Address Groups (DAG) article for more information.