Elisity supports the onboarding of Cisco Catalyst IE3400 as a Virtual Edge Node for policy enforcement. This document details how to onboard an IE3400 into Elisity Cloud Control Center.
Elisity announced support for the Cisco Catalyst IE3400 series switch and IEM3400 switch modules in Q4 of 2022. Due to platform limitations on the IE3400, the deployment model is unique and requires a Virtual Edge Identity Agent to be hosted locally by the IE3400. This agent assists in metadata collection, efficient packaging and transmission to the Elisity Virtual Edge for further processing and forwarding to Cloud Control Center.
Catalyst IE3400 can be onboarded either with a Virtual Edge hosted as a VM on a hypervisor, or with a Virtual Edge hosted on a switch that supports application hosting (i.e. Catalyst 9400). To learn more about our Virtual Edge deployment models, read this article.
The following diagram depicts the supported deployment architectures mentioned above.
NOTE:
- Catalyst IE3400 switches require a Cisco SD Card (P/N SD-IE-4GB) to host the Virtual Edge Identity Agent
- IOS-XE version 17.6.4 is the recommended code version to run on IE3400
- Only IEM3400 switch modules are supported
- All switches being onboarded must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com.
- Catalyst IE3400 series switches require a minimum of DNA Advantage licensing to be onboarded as Virtual Edge Nodes.
The following chart describes the terminology used in this document.
Term | Description
Cloud Control Center | Elisity's cloud native and cloud delivered control, policy and management plane.
Virtual Edge | The Elisity Cognitive Trust software running as a Docker container on either a hypervisor such as VMware ESXi or on a switch that supports Application Hosting.
Virtual Edge Node | An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.
Virtual Edge Identity Agent | Lightweight Elisity application that runs in the IE3400 application hosting container space and assists in metadata collection, efficient packaging and transmission to the Elisity Virtual Edge.
Onboarding Catalyst IE3400 as a Virtual Edge Node
Before we get started, we need to familiarize ourselves with how the Virtual Edge Identity Agent hosted on the IE3400 communicates with the switch itself as well as with the Virtual Edge.
The Virtual Edge Identity Agent hosted by the IE3400 has two interfaces: guest-interface 0 and guest-interface 1. The first guest interface is used solely to receive identity metadata from the switch, while the second guest interface is used to communicate back to the Virtual Edge.
The IE3400 must have a dedicated Identity VLAN and VLAN interface for communication with the Virtual Edge Identity Agent. This VLAN cannot be used for any other purpose on the switch and must not be carried on any interface other than the AppGigabitEthernet interface. This VLAN and VLAN interface communicate with the Virtual Edge Identity Agent's guest-interface 0 and must be on the same network.
There must also be another VLAN and gateway (local or remote) available that provides a routed or switched path to the Virtual Edge. This must be in the same network as guest-interface 1 on the Virtual Edge Identity Agent.
Lastly, the IE3400 uses a virtual interface called AppGigabitEthernet to trunk both VLANs into the container space where the Virtual Edge Identity Agent is hosted; this interface must be configured as a trunk. The AppGigabitEthernet interface is numbered based on whether an additional IEM module is installed. Typically AppGigabitEthernet1/1 is the correct interface when no IEM module is installed.
The following diagram depicts the details explained above.
Step 1: Make sure the IE3400 you wish to onboard with the Virtual Edge has the following commands configured.
iox
ip http authentication local
ip http secure-server
restconf
netconf-yang cisco-ia auto-sync disabled
no netconf-yang cisco-ia intelligent-sync
Step 2: You should either have a user account with privilege 15 configured or TACACS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the IE3400. Execute the following command under global configuration mode if a local account is being used and is not already configured:
switch(config)# username <username> privilege 15 secret 0 <password>
Add the following commands to your IE3400 configuration if using TACACS
switch(config)# aaa authentication login HTTP_AUTH group <group name> local
switch(config)# ip http authentication aaa login-authentication HTTP_AUTH
Note: Special characters in your RADIUS/TACACS passwords can cause issues with Cisco RESTCONF or with scripting for certain activities (such as troubleshooting or upgrade procedures). We recommend regenerating any passwords that contain special characters such as & and " to avoid such issues, which will save time down the line.
Step 3: Copy the Virtual Edge Identity Agent .tar file to the IE3400 internal flash using SCP, FTP or whatever method you prefer.
Step 4: Navigate to Virtual Edges. Next to the Virtual Edge you want to use to onboard your access switch and make it a Virtual Edge Node for policy enforcement, select the more options icon to the right and then select Create Virtual Edge Node.
Step 5: Fill out the required fields and select Submit. Details about each field are provided in the chart below. These details can always be viewed and edited by selecting the more options icon to the right and selecting Edit Virtual Edge Node Configuration.
The following chart provides details about each required field.
Field | Description
Switch Management IP | This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can be any IP as long as it is reachable by the previously deployed Virtual Edge container. This field is mandatory.
Use Global Switch Admin Username/Password | This checkbox allows you to use the predefined credentials that you set in Administration > Settings > Virtual Edge Configuration.
Switch Admin Username | If not using global admin credentials, this is the admin username of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory.
Switch Admin Password | If not using global admin credentials, this is the admin password of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS.
Virtual Edge Node Location Address | The location of the Virtual Edge Node so that Cloud Control Center reflects the location of the onboarded switch. This field is optional.
Step 6: Create the Identity VLAN and VLAN interface.
switch(config)# vlan 10
switch(config-vlan)# name Identity_VLAN
switch(config)# interface vlan 10
switch(config-if)# description Identity_SVI
switch(config-if)# ip address 192.168.10.1 255.255.255.0
Step 7: Usually the second VLAN that provides connectivity to the Virtual Edge for the Virtual Edge Identity Agent already exists. If it does not, go ahead and create this VLAN and VLAN interface as a gateway (if locally routed) and make sure it can provide connectivity to the Virtual Edge.
switch(config)# vlan 11
switch(config-vlan)# name Gateway_VLAN
*** If locally routed ***
switch(config)# interface vlan 11
switch(config-if)# description Gateway_SVI
switch(config-if)# ip address 192.168.11.1 255.255.255.0
Step 8: Configure the appropriate AppGigabitEthernet interface as a trunk to carry both the Identity VLAN as well as the gateway VLAN.
switch(config)# interface AppGigabitEthernet1/1
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 10,11
Step 9: Use the following example, chart and diagram to configure the IE3400 to host the Virtual Edge Identity Agent. You will need to assign an IP to guest-interface 0 and guest-interface 1 based on the VLAN and networks previously configured. Make sure to change all of the IP addresses in the example below to those that are relevant for your deployment.
Placeholder | Description
Identity VLAN | Dedicated Identity VLAN for communication with the Virtual Edge Identity Agent. This VLAN cannot be used for any other purpose on the switch and must not be carried on any interface other than the AppGigabitEthernet interface. This VLAN communicates with the Virtual Edge Identity Agent's guest-interface 0 and must be on the same network.
Gateway VLAN | A gateway VLAN that provides a routed or switched path to the Virtual Edge. This must be in the same network as guest-interface 1 on the Virtual Edge Identity Agent.
Identity VLAN IP | IP address in the Identity VLAN subnet assigned to guest-interface 0 of the Virtual Edge Identity Agent. This IP is used for communication between the IE3400 and the Virtual Edge Identity Agent. The IE3400 should also have a VLAN interface configured with an IP address in the same VLAN and subnet.
Gateway VLAN IP | IP address in the Gateway VLAN subnet assigned to guest-interface 1 of the Virtual Edge Identity Agent. This IP is used for communication between the Virtual Edge Identity Agent and the Virtual Edge. The IE3400 may also have a VLAN interface configured with an IP address in the same VLAN and subnet if it is being used as a local default gateway. If the default gateway for this VLAN is remote (upstream), no IP address in this VLAN is required on the IE3400.
Gateway VLAN Default Gateway | IP address of the Gateway VLAN default gateway. This may be local to the IE3400 or remote (upstream). The only requirement is that this IP be layer 2 reachable by the Virtual Edge Identity Agent and provide a routed path to the Virtual Edge.
Management IP | The IP address of the IE3400 that was defined during onboarding into Cloud Control Center in Step 5.
Virtual Edge IP | The IP address of the Virtual Edge being used to onboard the IE3400.
app-hosting appid VE-AGENT
 app-vnic AppGigabitEthernet trunk
  vlan <Identity VLAN> guest-interface 0
   guest-ipaddress <Identity VLAN IP> netmask <Subnet Mask>
  vlan <Gateway VLAN> guest-interface 1
   guest-ipaddress <Gateway VLAN IP> netmask <Subnet Mask>
 app-default-gateway <Gateway VLAN Default Gateway> guest-interface 1
 app-resource docker
  run-opts 1 "--entrypoint /etc/init.d/edge"
  run-opts 2 --cap-add=NET_ADMIN
  run-opts 3 "--ulimit nofile=90000:90000"
  run-opts 4 "--env EDGE_TYPE=VE-AGENT --env EDGE_UPLINK_IP=<Gateway VLAN IP> --env EDGE_AGENT_SRC=<Management IP> --env EDGE_AGENT_DST=<Virtual Edge IP>"
  run-opts 5 "--hostname VE-AGENT"
 app-resource profile custom
  cpu 1400
  memory 768
  vcpu 2
  name-server0 8.8.8.8
  persist-disk 1024
 start
*** Example Config ***
app-hosting appid VE-AGENT
 app-vnic AppGigabitEthernet trunk
  vlan 10 guest-interface 0
   guest-ipaddress 192.168.10.2 netmask 255.255.255.0
  vlan 11 guest-interface 1
   guest-ipaddress 192.168.11.2 netmask 255.255.255.0
 app-default-gateway 192.168.11.1 guest-interface 1
 app-resource docker
  run-opts 1 "--entrypoint /etc/init.d/edge"
  run-opts 2 --cap-add=NET_ADMIN
  run-opts 3 "--ulimit nofile=90000:90000"
  run-opts 4 "--env EDGE_TYPE=VE-AGENT --env EDGE_UPLINK_IP=192.168.11.2 --env EDGE_AGENT_SRC=192.168.11.1 --env EDGE_AGENT_DST=10.1.1.1"
  run-opts 5 "--hostname VE-AGENT"
 app-resource profile custom
  cpu 1400
  memory 768
  vcpu 2
  persist-disk 1024
  name-server0 8.8.8.8
 start
Step 10: Make sure the SD card is inserted and formatted by running the following command:
switch# format sdflash: ext4
Step 11: The .tar file was previously copied to IE3400 internal flash in step 3. Install the Virtual Edge Identity Agent application on the IE3400 using the following command.
switch# app-hosting install appid VE-AGENT package flash:<tar file name>
Step 12: Verify that the Virtual Edge Identity Agent is running using the following command.
switch# show app-hosting list
App id State
---------------------------------------------------------
VE-AGENT RUNNING
Step 13: Next we need to configure the IE3400 switch to enable ERSPAN export of identity metadata to the Virtual Edge Identity Agent we just deployed in the previous steps. Use the following configuration example. In an upcoming release this configuration will be automated.
NOTE:
Make sure to change the IP addresses and VLAN in the example below to those that are relevant for your deployment.
monitor session 1 source interface <monitored interface range>
monitor session 1 destination remote vlan <Identity VLAN ID>
monitor session 1 destination format-erspan <Virtual Edge Identity Agent Identity VLAN IP>
*** Example Config ***
monitor session 1 source interface GigabitEthernet1/1 - 10 rx
monitor session 1 destination remote vlan 10
monitor session 1 destination format-erspan 192.168.10.2
*** If you want to exclude interfaces (such as Gig1/6) from the list follow this example ***
monitor session 1 source interface GigabitEthernet1/1 - 5, GigabitEthernet1/7 - 10 rx
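The addressing rules from Steps 6 through 13 are easy to get subtly wrong, so here is an added consistency check (example code, not Elisity's or Cisco's) that reads a running-config excerpt and flags a guest-interface 0 address outside the Identity SVI subnet, an app-default-gateway that is not layer 2 adjacent to guest-interface 1, an EDGE_UPLINK_IP that differs from the guest-interface 1 address, an ERSPAN destination that is not the agent's Identity VLAN address, and an Identity VLAN allowed on any trunk other than AppGigabitEthernet. The sample config is constructed from this article's example values; the function names and the assumption that related lines are adjacent (as in a running-config) are mine.

```python
import ipaddress
import re

# Constructed running-config excerpt using the article's example addresses.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet1/1
 switchport trunk allowed vlan 11,20
interface AppGigabitEthernet1/1
 switchport trunk allowed vlan 10,11
app-hosting appid VE-AGENT
  vlan 10 guest-interface 0
   guest-ipaddress 192.168.10.2 netmask 255.255.255.0
  vlan 11 guest-interface 1
   guest-ipaddress 192.168.11.2 netmask 255.255.255.0
 app-default-gateway 192.168.11.1 guest-interface 1
  run-opts 4 "--env EDGE_UPLINK_IP=192.168.11.2"
monitor session 1 destination remote vlan 10
monitor session 1 destination format-erspan 192.168.10.2
"""

def grab(pattern, text):
    """Capture groups of the first match of a multi-line regex, or None."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def check(cfg):
    """Return addressing-rule violations (empty list = consistent); assumes adjacent lines and comma-separated VLAN lists as in the sample."""
    out, guest = [], {}
    for n in (0, 1):  # VLAN and address bound to each guest interface
        vlan, ip, mask = grab(rf"^\s*vlan (\d+) guest-interface {n}\n\s*guest-ipaddress (\S+) netmask (\S+)", cfg)
        guest[n] = (int(vlan), ipaddress.ip_interface(f"{ip}/{mask}"))
    (id_vlan, id_if), (_, gw_if) = guest[0], guest[1]
    svi = grab(rf"^interface Vlan{id_vlan}\n\s*ip address (\S+) (\S+)", cfg)
    if not svi or ipaddress.ip_interface("/".join(svi)).network != id_if.network:
        out.append("guest-interface 0 is not in the Identity VLAN SVI subnet")
    gw = grab(r"^\s*app-default-gateway (\S+) guest-interface 1", cfg)
    if not gw or ipaddress.ip_address(gw[0]) not in gw_if.network:
        out.append("app-default-gateway is not L2-reachable from guest-interface 1")
    up = grab(r"EDGE_UPLINK_IP=([\d.]+)", cfg)
    if not up or ipaddress.ip_address(up[0]) != gw_if.ip:
        out.append("EDGE_UPLINK_IP does not match the guest-interface 1 address")
    span = grab(r"destination remote vlan (\d+)\n.*destination format-erspan (\S+)", cfg)
    if not span or int(span[0]) != id_vlan or ipaddress.ip_address(span[1]) != id_if.ip:
        out.append("ERSPAN destination is not the agent's Identity VLAN address")
    for name, vlans in re.findall(r"^interface (\S+)\n\s*switchport trunk allowed vlan (\S+)", cfg, re.M):
        if id_vlan in {int(v) for v in vlans.split(",")} and not name.startswith("AppGigabitEthernet"):
            out.append(f"Identity VLAN {id_vlan} is carried on {name}")
    return out
```

Run check() over the output of show running-config before moving on to Step 14; an empty list means the agent, SVI, gateway and ERSPAN addressing agree with each other.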
Step 14: Refresh the page and select the expand icon next to the Virtual Edge until the circle next to the Virtual Edge Node name goes from grey with a status of Discovered to green with a status of Registered. This can take several minutes. If the status never changes then there is an IP connectivity issue between the Virtual Edge and the switch you are trying to onboard as a Virtual Edge Node.
You can select the Virtual Edge Node name to see more details about the switch you just onboarded.
Step 15: Enable Device Track. The Device Track feature enables the Virtual Edge Node to glean additional user, application, and device information via Cisco IP Device Tracking technology. By default, this feature is disabled. It is recommended to enable this feature after onboarding a Virtual Edge Node.
The Virtual Edge will dynamically configure the Virtual Edge Node with the appropriate IOS-XE configuration for the Virtual Edge to glean user, device, and application identity and behavior. Existing and new Elisity Cognitive Trust policies will be pushed to the appropriate Virtual Edge Node immediately after onboarding.
Disabling Elisity Identity on Select Switchports
In some scenarios it may be beneficial to disable Elisity Identity on select switchports such as on an uplink trunk port so as not to collect the identity and flow information from devices upstream from the local switch. Disabling Elisity Identity on a switchport means that CDT and Flow collection will be removed from that specific switchport.
Step 1: Next to the Virtual Edge Node, select the more options button and select Virtual Edge Node Port Configuration.
Step 2: Select the interface you want to disable Elisity Identity on and select Submit.
Decommissioning and Deleting a Virtual Edge Node
Step 1: Select the more options icon to the right of the Virtual Edge Node and then select Decommission Virtual Edge Node. The Virtual Edge Node status will say Decommissioned.
Step 2: Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.