Onboarding Catalyst 9000/3850/3650 series switch as a Virtual Edge Node

This article summarizes how to onboard your access layer switches as Virtual Edge Nodes for policy enforcement. This should only be done after deploying Virtual Edge.


NOTE:

  • For Catalyst 3650/3850 Switches
    • IOS-XE version 16.12.5b is the minimum recommended code version
    • Switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.
  • For Catalyst 9000 Series Switches
    • IOS-XE version 17.6.4 is the minimum recommended code version
    • Switches require a minimum of DNA Advantage licensing to be onboarded as Virtual Edge Nodes.
  • It is important that your onboarded switches, as well as any Active Directory Domain Controllers being monitored by Elisity, are synced to an NTP server so that all user and device attachment events are synchronized. This ensures that regardless of where your DCs and onboarded switches are located, Cloud Control Center will receive accurate date and time data from both. It is ideal for switches and DCs to be synced to the same NTP server; however, you can use a public NTP server such as time.google.com.

  • SSH access must be enabled on the switches you wish to onboard. Follow this article to enable SSH.


CATALYST 9400 SPECIFIC NOTE:

  • Catalyst 9410 series switch: if the Catalyst 9410 being onboarded is hosting a Virtual Edge using the Application Hosting functionality, you must disable Elisity Identity on GigabitEthernet4/0/48. See this step for instructions.


Onboarding Steps 

Step 1: Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

On Catalyst 3850/3650:
=================
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
no netconf-yang cisco-ia intelligent-sync

Note: RESTCONF is only used during switch onboarding on Catalyst 3000 series switches.
 
On Catalyst 9000:
=================
ip http secure-server
restconf


Step 2: You need either a local user account configured with privilege 15 or a TACACS login configured to provide privilege 15 access. The Virtual Edge uses this account to authenticate with the switch. If a local account is being used and is not already configured, execute the following command in global configuration mode:

switch(config)# username <username> privilege 15 secret 0 <password>

Add the following commands to your switch configuration if using TACACS:

switch(config)# aaa authentication login HTTP_AUTH group <group name> local
switch(config)# ip http authentication aaa login-authentication HTTP_AUTH


Note: Special characters in your RADIUS/TACACS passwords can cause issues with Cisco RESTCONF or with scripting for certain activities (such as troubleshooting or upgrade procedures). We recommend regenerating any passwords that contain special characters such as & and " to avoid such issues, which will save time down the line.


Depending on your AAA/TACACS configuration, the following change may be required on the switch for the Virtual Edge (VE) to successfully onboard it.

   Change the following TACACS+ config:

aaa authorization exec default if-authenticated

   to the following:

aaa authorization exec default group <ise-tacacs> if-authenticated
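A pre-onboarding readiness check for the settings in Step 1 and Step 2 and the NTP note above, written as an added example (it is not Elisity's or Cisco's code): it parses saved show running-config output offline and reports the Step 1 commands missing for the chosen platform, whether a privilege 15 user or HTTP AAA login list exists, whether the TACACS+ exec authorization still lacks a server group, and whether NTP is configured. The sample configuration, hostname and username below are constructed.

```python
"""Pre-onboarding readiness check for a Catalyst switch (added example, not
Elisity's or Cisco's tooling). Parses 'show running-config' text offline and
reports which commands this article requires that are missing for the chosen
platform. SAMPLE_CONFIG below is constructed for illustration."""
import re

# Step 1 commands per platform family
REQUIRED = {
    "cat3k": ["ip http secure-server", "restconf",
              "netconf-yang cisco-ia auto-sync disabled",
              "no netconf-yang cisco-ia intelligent-sync"],
    "cat9k": ["ip http secure-server", "restconf"],
}
PROBLEM_CHARS = set('&"')  # characters the article flags in AAA passwords

SAMPLE_CONFIG = """\
! constructed sample running-config, not taken from a real device
hostname access-sw-01
username vedge-admin privilege 15 secret 9 $9$PLACEHOLDER
aaa authorization exec default if-authenticated
ntp server time.google.com
ip http secure-server
restconf
"""


def password_has_problem_chars(password: str) -> bool:
    """True if the password contains characters the article says to avoid."""
    return any(ch in PROBLEM_CHARS for ch in password)


def check_readiness(running_config: str, platform: str) -> dict:
    """Return {'missing': [...], 'warnings': [...]} for the given config."""
    lines = {ln.strip() for ln in running_config.splitlines()}
    report = {"missing": [], "warnings": []}
    report["missing"] += [cmd for cmd in REQUIRED[platform] if cmd not in lines]
    # Step 2: either a privilege-15 local user or an HTTP AAA login list
    has_priv15 = any(re.match(r"username \S+ privilege 15\b", ln) for ln in lines)
    has_http_aaa = any(re.match(r"ip http authentication aaa login-authentication \S+", ln)
                       for ln in lines)
    if not (has_priv15 or has_http_aaa):
        report["missing"].append("privilege 15 local user or HTTP AAA login list")
    # TACACS+ exec authorization needs a server group, not only if-authenticated
    if "aaa authorization exec default if-authenticated" in lines:
        report["warnings"].append("aaa authorization exec default lacks a TACACS+ group")
    # NTP keeps switch and domain-controller attachment events in sync
    if not any(ln.startswith("ntp server ") for ln in lines):
        report["warnings"].append("no ntp server configured")
    return report
```

Run it against the output of show running-config captured over SSH before creating the Virtual Edge Node; an empty missing list with no warnings means the switch meets the prerequisites described above.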


Step 3: Navigate to Virtual Edges. Next to the Virtual Edge you want to use to onboard your access switch and make it a Virtual Edge Node for policy enforcement, select the more options icon to the right and then select Create Virtual Edge Node. In this example we will be onboarding the same switch we are using to host the Virtual Edge Container. 


Step 4: Fill out the required fields and select Submit. Details about each field are provided in the chart below. These details can always be viewed and edited by selecting the more options icon to the right and selecting Edit Virtual Edge Node Configuration. 



The following chart provides details about each field:

Switch Management IP

This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP can be used as long as it is reachable by the previously deployed Virtual Edge container. This field is mandatory.

Use Global Switch Admin Username/Password

This checkbox allows you to use the predefined credentials that you set in Administration>Settings>Virtual Edge Configuration.

Switch Admin Username

If not using global admin credentials, this is the admin username of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. 

Switch Admin Password

If not using global admin credentials, this is the admin password of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory.

Virtual Edge Node Location Address

The location of the Virtual Edge Node so that Cloud Control Center reflects the location of the onboarded switch. This field is optional. 


Step 5: Refresh the page and select the expand icon next to the Virtual Edge until the circle next to the Virtual Edge Node name goes from grey with a status of Discovered to green with a status of Registered. This can take several minutes. If the status never changes, there is an IP connectivity issue between the Virtual Edge and the switch you are trying to onboard as a Virtual Edge Node.


You can select the Virtual Edge Node name to see more details about the switch you just onboarded. 


Configuring Device Tracker and Disabling Elisity Identity on Select Switchports

In some scenarios it may be beneficial to disable Elisity Identity on select switchports such as on an uplink trunk port so as not to collect the identity and flow information from devices upstream from the local switch. Disabling Elisity Identity on a switchport means that CDT and Flow collection will be removed from that specific switchport. 

Step 1: Next to the Virtual Edge Node, select the more options button and select Virtual Edge Node Port Configuration. 



Step 2: 
Select the interface you want to disable Elisity Identity on and select Submit. 


Step 3: Enable Device Track.

The Device Track feature enables the Virtual Edge Node to glean additional user, application, and device information via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after onboarding a Virtual Edge Node.

The Virtual Edge will dynamically configure the Virtual Edge Node with the appropriate IOS-XE configuration for the Virtual Edge to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies will be pushed to the appropriate Virtual Edge Node immediately after onboarding.


Decommissioning and Deleting a Virtual Edge Node

Step 1: Select the more options icon to the right of the Virtual Edge Node and then select Decommission Virtual Edge Node. The Virtual Edge Node status will say Decommissioned.


Step 2: Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.
