Onboarding Catalyst 9000/3850/3650 as a Virtual Edge Node

This article summarizes how to onboard your access layer switches as Virtual Edge Nodes for policy enforcement. This can only be done after deploying a Virtual Edge. This article shows this workflow for Cloud Control Center version 15.5 and newer.

NOTE:

  • For Catalyst 3650/3850 Switches
    • IOS-XE version 16.12.10a is the minimum recommended code version
    • Switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.
  • For Catalyst 9000 Series Switches
    • IOS-XE version 17.6.6a/17.9.4 is the minimum recommended code version
    • Switches require a minimum of DNA Advantage licensing to be onboarded as Virtual Edge Nodes.
  • It is important that your onboarded switches, as well as any Active Directory Domain Controllers being monitored by Elisity, are synced to an NTP server so that all user and device attachment events are synchronized. This ensures that regardless of where your DCs and onboarded switches are located, Cloud Control Center will receive accurate date and time data from both. It is ideal for switches and DCs to be synced to the same NTP server; however, you can use a public NTP server such as time.google.com.

  • SSH access must be enabled on the switches you wish to onboard. Follow this article to enable SSH. 

CATALYST 9400 SPECIFIC NOTE:

  • Catalyst 9410 series switches: if the Catalyst 9410 being onboarded is hosting a Virtual Edge using the Application Hosting functionality, it is mandatory to disable Elisity identity on GigabitEthernet4/0/48. See this step for instructions. 

CATALYST 9600 SPECIFIC NOTE:

As of release 15.5, Cloud Control Center offers beta support for Catalyst 9600 series switches.

 

Onboarding Steps 

Step 1: Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

On Catalyst 3850/3650:
=================
ip http secure-server
restconf

Note: RESTCONF is only used during switch onboarding on the Catalyst 3000 series.
 
On Catalyst 9000:
=================
ip http secure-server
restconf

 

Step 2: You should either have a user account with privilege 15 configured or TACACS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the switch. Execute the following command under global configuration mode if a local account is being used and is not already configured:

switch(config)# username <username> privilege 15 secret 0 <password>

Add the following commands to your switch configuration if using TACACS

switch(config)# aaa authentication login HTTP_AUTH group <group name> local
switch(config)# ip http authentication aaa login-authentication HTTP_AUTH

NOTE: Special characters in your RADIUS/TACACS passwords can cause issues with Cisco RESTCONF or scripting for certain activities (such as troubleshooting or upgrade procedures). We recommend regenerating any passwords that contain special characters such as & and " to avoid such issues, which will save time down the line.

Depending on AAA/TACACS configuration, it may be required to add the following configurations to the switch for the Virtual Edge (VE) to successfully onboard the switch.

   Change the following TACACS+ config:

aaa authorization exec default if-authenticated

   to the following:

aaa authorization exec default group <ise-tacacs> if-authenticated
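Before starting the onboarding workflow, the Step 1 and Step 2 prerequisites can be checked offline against a saved "show running-config". The following script is an added example, not Elisity or Cisco code; the running-config excerpt is constructed, the method-list name HTTP_AUTH and the TACACS group name are assumed to match the commands above.

```python
import re

# Constructed running-config excerpt for illustration; not from the article or a real switch.
SAMPLE_CONFIG = """\
hostname access-sw-1
aaa new-model
aaa authentication login HTTP_AUTH group ISE-TACACS local
aaa authorization exec default if-authenticated
username elisity privilege 15 secret 9 $9$constructed-hash-placeholder
ip http secure-server
ip http authentication aaa login-authentication HTTP_AUTH
restconf
"""

def audit_onboarding_prereqs(config):
    """Map each prerequisite from this article to (passed, remediation hint)."""
    lines = [l.strip() for l in config.splitlines()]
    local_priv15 = any(re.match(r"^username \S+ privilege 15 ", l) for l in lines)
    tacacs_login = any(re.match(r"^aaa authentication login HTTP_AUTH group \S+ local$", l)
                       for l in lines)
    http_uses_aaa = "ip http authentication aaa login-authentication HTTP_AUTH" in lines
    # With TACACS in use, 'if-authenticated' without a TACACS group can block the VE's
    # exec authorization; the article asks for the 'group <tacacs-group>' form instead.
    weak_exec_authz = tacacs_login and "aaa authorization exec default if-authenticated" in lines
    return {
        "https": ("ip http secure-server" in lines, "add: ip http secure-server"),
        "restconf": ("restconf" in lines, "add: restconf"),
        "priv15_access": (local_priv15 or (tacacs_login and http_uses_aaa),
                          "add a privilege-15 local user, or the HTTP_AUTH method list plus "
                          "'ip http authentication aaa login-authentication HTTP_AUTH'"),
        "exec_authz": (not weak_exec_authz,
                       "use: aaa authorization exec default group <tacacs-group> if-authenticated"),
    }

def failing_checks(config):
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, (ok, _) in audit_onboarding_prereqs(config).items() if not ok]
```

Run it against the output of "show running-config | section aaa|username|ip http|restconf" saved to a file; an empty list from failing_checks means the switch is ready for Step 2's credential entry.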

 

You can start onboarding Virtual Edge Nodes in two ways.

Method 1: Select your Virtual Edge and Add a VEN
Go to the Virtual Edge dashboard in Cloud Control Center, select the Virtual Edge you would like to use as the parent for the Virtual Edge Node you are about to onboard. 

After clicking on the VE, you can click on Add Virtual Edge Node and select Add Single Virtual Edge Node.

 

Method 2: Onboard VENs Directly from the Virtual Edge Node panel.

Select the Virtual Edge Node tab in the bottom menu, and select Add Virtual Edge Node then select Add Single Virtual Edge Node. Note that adding a VEN from this screen requires you to select a Virtual Edge or VE Group as a parent.

When deploying new Virtual Edge Nodes, you can select standalone Virtual Edges or VE Groups to manage the Nodes you are onboarding. Click + Add Virtual Edge Node as normal.

After clicking the Add Single Virtual Edge Node option, a selection pane will appear with options for selecting a VE Group, Standalone VE, Switch-hosted VE, or Cloud-hosted VE (i.e. Juniper VE) for managing the VEN or VENs that you are attempting to deploy. Note that Standalone Virtual Edges are not currently supported when onboarding multiple VENs.

 

After selecting your VE or VE Group and clicking save, you can finish filling out the required fields for deploying your VEN. 

 

The following chart provides details about each field in the VEN onboarding workflow.

Switch Management IP

This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP can be used as long as it is reachable by the previously deployed Virtual Edge container. This field is mandatory.

Description

This allows a user-defined description to be configured for the VEN. This field is optional.

**Enable Enhanced Endpoint Discovery

Selecting this option enables the active collection of identifying data for endpoints discovered behind a VEN, gleaned from access switch telemetry. This feature actively tracks assets for updates in identifying data. (Recommended)

This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

**Enable Flow Telemetry

Selecting this option enables the collection of flow data and network traffic analytics that are sent to Cloud Control Center. (Recommended)

This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

**Enable Passive Endpoint Discovery

Selecting this option enables the passive collection of identifying data using data plane telemetry about endpoints discovered behind a VEN. This is a global setting per VEN. (Recommended)

You can choose to enable this setting later by leaving this box unchecked.

Site Label

Site labels can be applied to Virtual Edge Nodes for policy distribution and for analytics purposes. Site labels are used to assign Virtual Edges and Virtual Edge Nodes to Policy Sets.

If this field is left blank, the site label from the parent Virtual Edge is inherited, if it exists.

Distribution Zone

Here we can select to inherit the Distribution Zone from the parent Virtual Edge, or we can assign a Distribution Zone manually. If you are unfamiliar with the concept of Distribution Zones, read here.

Switch Admin Username

If not using global admin credentials, this is the admin username of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. 

Username should be alphanumerical and may contain only the permitted special characters (_, +, \, /, -).

Switch Admin Password

If not using global admin credentials, this is the admin password of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS.
Privilege 15 is required. This field is mandatory.

Password cannot contain whitespace.

 

**NOTE: If you would prefer to manually configure switchport configurations, or enable autoconfiguration at a later time, leave these settings disabled.

 

After filling out all the required fields, click Add. The Virtual Edge Node onboarding process will begin immediately.

 

Checking the Status of a VEN Onboarding

In the top right of your Cloud Control Center dashboard, you will see a notification icon. After beginning the VEN onboarding, a blue dot will indicate that the status of your VEN onboarding has an update. 


 

Clicking on this icon will reveal the status of your VEN onboarding in the Activity tab. As each step of the onboarding is completed successfully, that item is marked with a green check mark and a "Success" status.

 

If any errors are encountered during onboarding, a red error indicator will appear on that item with a brief description of the issue. In this case, we can surmise that the onboarding failed because the switch is unreachable. We then need to check for errors and confirm that our Virtual Edge Node can reach both CCC and our VE.

Once the onboarding is complete, your VEN will show green in Cloud Control Center and information about the switch is now visible such as hostname, switch model, number of discovered devices, and more. 

 

You are now ready to review port configurations for this VEN in the next step.

 

Port Configurations on Virtual Edge Nodes

Port configurations for endpoint discovery and analytics can be manually configured or automated based on the following logic.

Elisity offers the ability to automate the configuration process for switch ports to selectively enable or disable the collection of device and analytics data. This automation is enabled during Virtual Edge Node onboarding, where administrators have the option to enable Enhanced Endpoint Discovery, Flow Telemetry, and Passive Endpoint Discovery. This automation is designed to enhance network security and operational efficiency by focusing on relevant data collection and minimizing unnecessary endpoint discovery and telemetry on specific ports. This prevents discovery and analytics of devices that are not in the scope of an organization's microsegmentation efforts, such as upstream networking equipment or daisy-chained access switch designs.

 

Endpoint Discovery and Telemetry Mechanisms

Enhanced Endpoint Discovery
Enhanced Endpoint Discovery is key for identifying and managing devices on your network. However, Elisity now provides the ability to automatically exclude certain port types (as listed below under Criteria for Automatic Configuration) from this discovery process to optimize network performance and security. This is configured at the port level on each VEN.

Passive Endpoint Discovery
Passive Endpoint Discovery remains a global configuration within Elisity and is not subject to automatic enablement or disablement based on port types. This ensures consistent passive monitoring across the network. This is a global setting per VEN, but only collects data for devices discovered through one of the other mechanisms.

Flow Telemetry
Flow Telemetry, Elisity's equivalent of NetFlow, provides valuable insights into your network's traffic patterns. With automatic configuration, Flow Telemetry will be disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.

 

Criteria for Automatic Configuration

Elisity automatically disables Enhanced Endpoint Discovery and Flow Telemetry on the following types of switch ports:

100Gig and 40Gig Interfaces

Due to their high capacity, these interfaces are typically used for backbone connections or high-traffic areas where endpoint discovery and flow telemetry are not desired. Commonly these interfaces are used as uplinks to other switching infrastructure.


AppGig Interfaces

These application-specific interfaces are excluded from automatic discovery to prioritize more critical network traffic and devices. These interfaces are not typically in scope for policy enforcement and discovery.


VLAN Interfaces & Port Channel Members

Switch Virtual Interfaces (SVIs) or interfaces that are a member of a Port Channel are also excluded from discovery to avoid redundancy and focus on individual device connectivity.

 

Utilizing CDP/LLDP for Uplink Detection
Elisity leverages CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) to identify switch and router uplinks. The system periodically checks (every 5 minutes) LLDP/CDP neighbors to update configurations based on network topology changes, ensuring accurate and up-to-date discovery and telemetry data. If a switch or router is identified on the other end of a switchport, that port will have Endpoint Discovery and Telemetry disabled.

 

If a switchport meets any of these criteria, the Endpoint Discovery and Telemetry Mechanisms are excluded on those ports.
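The exclusion logic described in this section, written out as an added example (not Elisity's implementation) so the effect on a port list can be reviewed before enabling automatic configuration. The Port model, the full IOS-XE interface name forms and the CDP/LLDP capability strings ("Switch"/"Router" from CDP, "B"/"R" from LLDP) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str                          # full IOS-XE interface name, e.g. GigabitEthernet1/0/5
    port_channel_member: bool = False  # True when channel-group is configured on the port
    neighbor_caps: list = field(default_factory=list)  # CDP/LLDP capabilities of the far end

# Assumed name forms for Catalyst 9000/3850 interfaces the article excludes.
HIGH_SPEED = re.compile(r"^(HundredGigE|FortyGigabitEthernet)\d", re.I)
APPGIG = re.compile(r"^AppGigabitEthernet\d", re.I)
SVI = re.compile(r"^Vlan\d+$", re.I)
UPLINK_CAPS = {"Switch", "Router", "B", "R"}   # CDP and LLDP spellings of switch/router

def exclusion_reason(port):
    """Why discovery and telemetry are auto-disabled on this port, or None to leave them on."""
    if HIGH_SPEED.match(port.name):
        return "100G/40G interface (typically an uplink)"
    if APPGIG.match(port.name):
        return "AppGig interface"
    if SVI.match(port.name):
        return "VLAN interface (SVI)"
    if port.port_channel_member:
        return "port-channel member"
    if UPLINK_CAPS & set(port.neighbor_caps):
        return "CDP/LLDP neighbor is a switch or router"
    return None

def autoconfigure(ports):
    """Return (enabled, disabled): enabled port names, and disabled port name -> reason."""
    enabled, disabled = [], {}
    for p in ports:
        reason = exclusion_reason(p)
        if reason:
            disabled[p.name] = reason
        else:
            enabled.append(p.name)
    return enabled, disabled

# Constructed sample inventory; re-evaluate with fresh neighbor data every 5 minutes
# to mirror the periodic CDP/LLDP re-check described above.
SAMPLE_PORTS = [
    Port("HundredGigE1/0/1"),
    Port("AppGigabitEthernet1/0/1"),
    Port("Vlan10"),
    Port("TenGigabitEthernet1/1/1", port_channel_member=True),
    Port("GigabitEthernet1/0/48", neighbor_caps=["Switch", "IGMP"]),
    Port("GigabitEthernet1/0/5", neighbor_caps=["Phone"]),
]
```

A port that sits in the disabled set for one reason only (for example, a CDP-advertising phone that is also a bridge) is worth checking by hand before submitting, since the manual tables are overwritten when Automatic Configuration is selected.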

Modifying Port Configurations for a VEN

After onboarding, you can review the port configurations in Cloud Control Center for each port and modify them according to your network design and the scope of your microsegmentation efforts. If you chose to leave these options disabled during onboarding, now is the time to either enable autoconfiguration or manually configure each switchport for each setting.

To do this, select your VEN, navigate to Port Configurations, and click Edit Port Configuration. This will take you to the port configuration editor for all three settings, regardless of which port configuration setting you are currently viewing.

If you have not yet configured any port configurations, simply click on Add Port Configuration as seen below.

The port configuration editor is very straightforward. For each setting, you can globally enable or disable for the selected VEN. Just below the global setting, you can choose automatic or manual port configurations for the selected setting. For manual configuration, you can select specific ports or select all ports by clicking the top check box. After selecting ports, use the arrows between the two columns to move ports into the Disabled Ports or Enabled Ports tables. 


Selecting Automatic Configuration will overwrite any manually configured ports, and will disable the ability to select switchports for each table as this process will be handled according to the logic defined earlier in this article.

After reviewing these port configs and making any adjustments, click submit and your configurations will be immediately pushed to the VEN. Within 24 hours you should begin to see discovery data and analytics.

 

Decommissioning and Deleting a Virtual Edge Node

Decommissioning a VEN takes the enforcement point out of service by removing the configurations from the switch, but retains the configuration in Cloud Control Center so that you can easily put the VEN back in service with a single click.

 

Open the details view of your Virtual Edge Node and then select Decommission in the top right. The Virtual Edge Node status will say Decommissioned. 

You can also decommission from the main VEN dashboard by clicking the three dots to the right and selecting Decommission Virtual Edge Node

If you want to decommission multiple VENs simultaneously, select the VENs using the check boxes on the left and click Bulk Actions. Here you can perform various bulk actions such as Restart RESTCONF, Decommission, and Delete. 

In any case, you will be presented with a confirmation request to finalize the decommission action with warnings or errors where applicable.


After decommissioning, the Activity Panel will show the status of the decommission process. The Activity Panel is accessible through the notification icon in the top right corner of Cloud Control Center. 



After completing the decommission process for the VENs, you can then delete them from Cloud Control Center, or leave as decommissioned for easily recommissioning at a later time. Clicking the more options button under the actions panel to the right of the VENs will show the delete or recommission options for each VEN. These options are also available in the bulk actions menu as seen earlier. Deleting a VEN requires no further action.



 

Recommissioning a VEN will also provide a status feedback in the activity panel for tracking the step by step recommissioning process. 
