Managing Virtual Edges and Virtual Edge Nodes

This article covers the tools available in Cloud Control Center for effectively managing Virtual Edges (VEs) and Virtual Edge Nodes (VENs) within the Elisity platform. In this article, we will cover the essentials for monitoring the status and viewing detailed information for your VEs and VENs. Additionally, we will guide you through the processes of creating and configuring VEs and VENs, including setting up site labels and distribution zones, which are crucial for a well-structured network environment. This guide aims to provide clear, step-by-step instructions and insights to streamline your network management tasks.

Virtual Edge Dashboard

The Virtual Edge Dashboard is your centralized platform for monitoring and managing the status and configurations of your Virtual Edges and Virtual Edge Nodes. This dashboard provides a comprehensive view that ensures you have the necessary insights to maintain optimal network performance and security. Here's how to navigate and interpret the key features of the dashboard:

Summary Section

The Summary section in the top half of the page offers a quick overview of the current state of your VEs and VENs. It displays the total count and status (Online, Offline, Not Registered, Decommissioned, Deleted) of both VEs and VENs in a simple, graphical format. Clicking on any section of the pie graph or one of the VE/VEN status categories will filter the view below to show only the relevant VEs.
This collapsible view helps you assess the overall health of your network infrastructure at a glance and quickly gives visibility into any issues with Virtual Edges or Nodes that need to be addressed.

Virtual Edges and Virtual Edge Nodes Tabs

Below the Summary section, you'll find tabs for Virtual Edges and Virtual Edge Nodes. These tabs provide detailed lists of all configured VEs and VENs, respectively. Here you can see a list of all Virtual Edges, total counts of VEs within each VE Group, and the total number of Standalone VEs.

Each entry includes crucial information such as the Virtual Edge Name, IP Address, Status, Number of Virtual Edge Nodes (VENs), Status Duration, Site Label, Software Version, number of connected Virtual Edge Nodes (for VEs), Distribution Zone, and available Actions. You can customize these table views by adding, removing, and rearranging the columns. For more in-depth information about each VE and VEN, you can open details about each Virtual Edge or Virtual Edge Node. 

Clickable In-Depth Status Reports

In the Virtual Edge Nodes Tab (both in the main Virtual Edge dashboard and the Virtual Edge details view) you can click the Status of any Virtual Edge Node to see more details about the connection status.  
 

Below is a breakdown of the connection Status Details available on clicking Status. For each of these, a Last Changed timestamp is included in the Status Details view.

The Virtual Edge Node Status will be one of the following:

VEN Status | Description
Online | All applicable statuses are Online - no errors present.
Offline | The Connection Status is Offline - The VEN is not reachable.
Degraded | Management status has a persistent failure for 5 minutes or more, or SXP status is offline. Status Details will show more information.
Decommissioned | The VEN has been successfully decommissioned and the Elisity configuration was successfully removed.
Decommission Started | The decommission process has started and is currently in progress. Status will update with either "Decommissioned" or "Decommission Failed" when the process completes.
Decommission Failed | The VEN could not successfully be decommissioned. Elisity configurations are likely still present and will need to be manually removed, or the decommission script needs to be executed. Reach out to your Elisity engineer for assistance if needed.

 

Status for various connection metrics which impact the Virtual Edge Node status can be seen as well, directly below the Virtual Edge Node Status. Refer to the following table:

Status Type | Status Description
Connection Status | Online: Network connectivity to the VEN is stable. Offline: Network connectivity to the VEN is lost and the VEN is unreachable. This results in an Offline VEN status.
Management Status | Success: The VE can successfully establish a new SSH session with the Virtual Edge Node (VEN) using the configured credentials. Failure: The VE is not able to establish SSH connectivity to the VEN. Failure messages will appear with more information.
SXP Status | Online: SXP connectivity to the VEN is stable. Offline: SXP connectivity to the VEN is lost and the VEN is unreachable. This results in a Degraded VEN status.
Netflow Status | Online: Netflow status is up and data is being received from the VEN. Offline: Netflow status is down and Netflow data is not being received. This results in a Degraded VEN status.

 

Virtual Edge Actions

Clicking on the Actions button to the far right of a Virtual Edge within the table reveals available actions for the Virtual Edge. These actions include the following:

View Virtual Edge: Opens the details view for the selected Virtual Edge. This action performs the same function as clicking on the Virtual Edge name or IP Address in the table.

Edit Virtual Edge: Change the Virtual Edge Host Name or Description.

Change Group: Enables moving the Virtual Edge to a different Virtual Edge Group. The Change Group dialog displays the current group assignment and provides a dropdown to select the target group. Because Site Label and Distribution Zone are configured at the group level, the VE will inherit the configurations of the new group. Any Virtual Edge Nodes managed by the given VE will be redistributed to other VEs in the original VE Group. If a Virtual Edge is alone in a VE Group, it cannot be moved.

Delete Virtual Edge: Deletes the Virtual Edge if acceptable conditions are met (i.e., no dependent VENs).

Virtual Edge Node Actions

Clicking on the Actions button to the far right of a Virtual Edge Node within the table reveals available actions for the Virtual Edge Node. These actions include the following:

View Virtual Edge Node: Opens the details view for the selected Virtual Edge Node. This action performs the same function as clicking on the Virtual Edge Node name or IP Address in the table.

Edit Virtual Edge Node: Change the Virtual Edge Node Description, Flow Exporter, Login Credentials, Site Label or Distribution Zone.

Port Configuration: Opens the Port Configuration view for the selected VEN. Use the Endpoint Discovery and Flow Telemetry tabs to (a) enable or disable the feature globally for the VEN and (b) edit per-port settings. Each port exposes Configuration Type (Automatic | Manual) and Status (Enabled | Disabled). For more information about these port configurations and what they do, read Port Configurations on Virtual Edge Nodes.

Decommission/Delete Virtual Edge Node: Decommissioning VENs temporarily removes them from active duty without deleting their configurations. This is useful for maintenance, troubleshooting, or reallocating resources. Decommissioned nodes can be recommissioned later as needed. The Delete option replaces the Decommission option if the VEN is Decommissioned.

Change Group: Allows you to move VENs to another VE Group. Be sure that the VEs in the new group have connectivity to the VEN when changing VE Groups.

Filtering Virtual Edges and Nodes

You can filter VEs and VENs based on Site Labels using the Site Label filter at the top right of the page. This feature enhances your ability to manage large-scale deployments by allowing you to view VEs and VENs associated with specific site labels.

Here's how to use this feature effectively:

Multi-Select Dropdown: The site label filter provides a multi-select dropdown, enabling you to choose multiple site labels simultaneously. This flexibility allows for a customized view that matches your specific monitoring or management needs.

Searchable Labels: Begin typing within the dropdown to quickly search and select from the available site labels, making it easier to narrow down to the relevant devices.

Persistent Selections: Your filter selections remain in place even when navigating away from and back to the Virtual Edges page, ensuring continuity in your monitoring activities.

Impact on Dashboard Display: Upon applying one or more site label filters, the dashboard dynamically updates to only display the VEs and VENs associated with the selected labels. This filtering extends to charts and tables, providing a focused view that simplifies management tasks.

Utilizing site label filtering is especially valuable in environments with numerous VEs and VENs, enabling network admins to quickly isolate and manage devices relevant to specific locations or functions.
By integrating these features into your network management routines, you can enhance the efficiency and effectiveness of your monitoring and management activities within the Elisity platform.

Exporting Topology Data to CSV

Cloud Control Center provides CSV export functionality across all topology configuration views, enabling administrators to extract data for reporting, auditing, and offline analysis.

Topology Views with CSV Export

The following topology views support CSV export:

  • Site Labels
  • Distribution Zones
  • Virtual Edge Groups
  • Virtual Edges (VEs)
  • Virtual Edge Nodes (VENs)

Export Options

When exporting data, you can choose between two export modes:

Export Filtered Data: Exports only the devices that match your current filters, search terms, and Site Label selections. Use this option to export a specific subset of topology data based on your active filters.

Export All Data: Exports all topology entities regardless of applied filters. Use this option to generate a complete inventory export.

The exported CSV file name includes the view type and timestamp for easy identification (e.g., Virtual-Edges-11132025-1258PM.csv).

Virtual Edge CSV Export Fields

Virtual Edge CSV exports include the following fields:

Field | Description
Virtual Edge Name | Unique identifier for the Virtual Edge
IP Address | Management IP address of the Virtual Edge
Status | Operational state (Online, Offline, Not Registered, Decommissioned)
Status Duration | Timestamp of when the VE entered its current status
Virtual Edge Nodes | Count of VENs currently managed by this VE
Virtual Edge Group | Name of the VE Group managing this VE (blank for Standalone VEs)
Site Label | Site Label assigned to the VE
Distribution Zone | Distribution Zone assigned to the VE
Software Version | Current software version running on the VE
Node ID | Internal identifier for the VE (useful for troubleshooting)
Description | User-defined description for the VE (contextual information)

Example Virtual Edge CSV export:

[Image: Virtual Edge CSV export example]

Virtual Edge Node CSV Export Fields

Virtual Edge Node CSV exports include the following fields:

Field | Description
Virtual Edge Node Name | Unique identifier for the VEN
Host | IP address of the VEN device
Vendor | Hardware vendor (Cisco, Arista, Juniper, etc.)
Status | Operational state (Online, Offline, Degraded, Decommissioned, etc.)
Last Status Change | Timestamp of when the VEN entered its current status
Virtual Edge | Name of the Virtual Edge managing this VEN
Virtual Edge Group | Name of the VE Group managing this VEN
Type | VEN type (Switch or WLC)
Site Name | Site Label assigned to the VEN
Distribution Zone | Distribution Zone assigned to the VEN
Software Version | Current software version running on the VEN device
Node ID | Internal identifier for the VEN (useful for troubleshooting)
Model | Hardware model of the VEN device
Credentials | Authentication group name used for VEN management
Flow Telemetry | Flow telemetry status (Enabled, Disabled, NOT_SUPPORTED)
Enhanced Discovery | Enhanced discovery status (Enabled or Disabled)
Devices | Count of devices discovered by this VEN
Policy Set Name | Name of the Policy Set applied to this VEN's Site Label
Policy Set Status | Policy Set activation status (Active or Inactive)
Description | User-defined description for the VEN (contextual information)

Example Virtual Edge Node CSV export:

[Image: Virtual Edge Node CSV export example]

Use Cases for CSV Exports

Reporting and Documentation: Generate snapshots of infrastructure configuration for change management documentation or compliance reporting.

Offline Analysis: Analyze VE/VEN deployment patterns, capacity planning, or identify configuration gaps using spreadsheet tools.

Bulk Updates: Export current configurations, modify values offline, and use as reference for bulk configuration changes.

Audit Trail: Maintain historical records of topology configurations by periodically exporting and archiving CSV files.

Cross-team Collaboration: Share infrastructure details with teams who may not have direct Cloud Control Center access.
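The Offline Analysis and Audit Trail use cases above can be scripted against a Virtual Edge Node export. The following is an added example, not Elisity code: it flags VENs whose exported fields indicate an enforcement or visibility gap and compares two archived exports by Node ID. It assumes the CSV header row uses the field names listed above and that an unlabeled VEN exports the literal Site Name "Default"; the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. The header row is assumed to use the field names
# listed in the VEN export table; every value is invented for illustration.
SAMPLE_VEN_CSV = """\
Virtual Edge Node Name,Host,Vendor,Status,Last Status Change,Virtual Edge,Virtual Edge Group,Type,Site Name,Distribution Zone,Software Version,Node ID,Model,Credentials,Flow Telemetry,Enhanced Discovery,Devices,Policy Set Name,Policy Set Status,Description
sw-plant-01,192.0.2.11,Cisco,Online,2025-11-13 09:00,ve-01,Plant-Group,Switch,Plant-A,DZ-East,17.9.4,node-0001,model-a,plant-auth,Enabled,Enabled,42,Production,Active,"Line 1, cabinet 3"
sw-plant-02,192.0.2.12,Cisco,Degraded,2025-11-12 22:15,ve-01,Plant-Group,Switch,Plant-A,DZ-East,17.9.4,node-0002,model-a,plant-auth,Disabled,Enabled,17,Production,Active,
wlc-hq-01,192.0.2.20,Cisco,Online,2025-11-10 08:30,ve-02,HQ-Group,WLC,Default,DZ-West,17.9.4,node-0003,model-b,hq-auth,NOT_SUPPORTED,Disabled,120,Core,Inactive,
sw-old-07,192.0.2.33,Arista,Decommission Failed,2025-11-01 17:45,ve-02,HQ-Group,Switch,HQ,DZ-West,4.30.1,node-0004,model-c,hq-auth,Disabled,Disabled,0,Production,Active,Retired closet switch
"""

# Fields whose change between two archived exports deserves a reviewer's attention.
WATCHED_FIELDS = ("Status", "Virtual Edge Group", "Site Name", "Distribution Zone",
                  "Credentials", "Flow Telemetry", "Policy Set Name", "Policy Set Status")


def load_export(text):
    """Parse an exported CSV (as text) into a list of whitespace-trimmed row dicts."""
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in csv.DictReader(io.StringIO(text))]


def audit_ven_rows(rows):
    """Return (ven_name, check, detail) tuples for rows that need follow-up."""
    findings = []
    for row in rows:
        name, status = row["Virtual Edge Node Name"], row["Status"]
        if status in ("Offline", "Degraded", "Decommission Failed"):
            findings.append((name, "status", f"{status} since {row['Last Status Change']}"))
        if status.startswith("Decommission"):
            continue  # the remaining checks only apply to nodes still in service
        if row["Flow Telemetry"] == "Disabled":  # NOT_SUPPORTED is not a finding
            findings.append((name, "flow-telemetry", "flow telemetry is disabled"))
        if row["Policy Set Status"] == "Inactive":
            detail = f"{row['Policy Set Name']} is Inactive; {row['Devices'] or 0} devices discovered"
            findings.append((name, "inactive-policy-set", detail))
        if row["Site Name"] == "Default":
            findings.append((name, "default-site-label", "no Site Label explicitly assigned"))
    return findings


def diff_exports(old_rows, new_rows):
    """Compare two exports by Node ID; return (node_id, field, old, new) tuples."""
    old = {r["Node ID"]: r for r in old_rows}
    new = {r["Node ID"]: r for r in new_rows}
    changes = []
    for node_id in sorted(old.keys() | new.keys()):
        if node_id not in old:
            changes.append((node_id, "<row>", "absent", "present"))
        elif node_id not in new:
            changes.append((node_id, "<row>", "present", "absent"))
        else:
            for field in WATCHED_FIELDS:
                if old[node_id][field] != new[node_id][field]:
                    changes.append((node_id, field, old[node_id][field], new[node_id][field]))
    return changes


if __name__ == "__main__":
    snapshot = load_export(SAMPLE_VEN_CSV)
    for ven, check, detail in audit_ven_rows(snapshot):
        print(f"{ven:12} {check:20} {detail}")

    # Constructed later snapshot: one VEN relabeled and re-credentialed, one removed.
    later = [dict(r) for r in snapshot[:3]]
    later[2]["Site Name"], later[2]["Credentials"] = "HQ", "global-auth"
    for change in diff_exports(snapshot, later):
        print(change)
```
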

Bulk Actions for Managing VEs and VENs

The Elisity platform provides a range of actions that administrators can perform on Virtual Edges, including editing configurations, downloading configurations, and deleting VEs. Each action is designed to offer control over the deployment and management of VEs within the network. With that, the platform supports bulk actions for VEs and VENs, allowing administrators to perform tasks such as restarting Restconf, redeploying, and decommissioning/deleting VENs in a streamlined manner. These actions are contextual based on the types of VEs/VENs selected and what actions are available for the state of each VE/VEN.

Virtual Edges

Change Group: The Change Group option enables moving one or more selected Virtual Edges to a different Virtual Edge Group. Select the desired Virtual Edges from the table and click Bulk Actions > Change Group. The Change Group dialog displays the current VE Group assignment and presents a dropdown of available target groups. Because Site Label and Distribution Zone are configured at the group level, the Virtual Edge(s) will inherit the configurations of the new group. Any Virtual Edge Nodes managed by the given VE(s) will be redistributed to other VEs in the original VE Group. If a Virtual Edge is alone in a VE Group, it cannot be moved.

[Image: Bulk Actions dropdown showing Change Group option]

[Image: Change Group dialog showing current group and target group selection]

Delete: This bulk action permits the deletion of multiple VEs at once. It is crucial for efficiently managing the lifecycle of VEs, especially when decommissioning or reorganizing network infrastructure. The delete action should be used with caution to avoid unintentionally removing critical network components.

The Delete option is available as a bulk edit option for both Standalone VEs and Group-associated VEs.

Note: Bulk operations such as decommissioning and deleting Virtual Edge Nodes will present a single notification at the bottom of the page; however, each action taken for the bulk operation will be presented individually in Monitoring > Audit Logs.

This behavior applies to all bulk actions, such as:

  • Bulk VEN decommission
  • Bulk VEN recommission
  • Bulk VEN delete
  • Bulk VEN change group
  • Bulk VE delete
  • Bulk VE change group
  • Bulk Site Label delete
  • Bulk Distribution Zone delete
  • Bulk Global Credentials delete
  • Bulk Flow Telemetry delete

Standalone Virtual Edge Options

Download Configuration: This action enables the download of switch-hosted Virtual Edge configuration files. It's specifically designed for switch-hosted VEs, allowing administrators to obtain the configuration file(s) in bulk. These files can be edited offline and then re-uploaded to apply changes to the VEs.

Download Docker File: Similar to the configuration file download for switch-hosted VEs, this action pertains to hypervisor-hosted VEs. It allows the download of Docker files (in .yml format) that contain the configurations for the docker container running the VE. Administrators can download these files, modify them as needed to adjust the configuration, and then re-upload them to update the VE settings.

 

Virtual Edge Nodes

Bulk Action | Description
Recommission | Recommissioning VENs is a critical step in re-integrating previously decommissioned nodes back into the network. This action reactivates VENs, making them active participants in the network's segmentation and policy enforcement mechanisms.
Decommission | Decommissioning VENs temporarily removes them from active duty without deleting their configurations. This is useful for maintenance, troubleshooting, or reallocating resources. Decommissioned nodes can be recommissioned later as needed.
Change Group | Allows you to move VENs to another VE Group. This requires decommissioning your VENs. You can skip selected VENs that have not been decommissioned in the bulk action.
Change Credentials | Allows bulk application of Authentication Group to multiple VENs simultaneously. This effectively changes the authentication credentials that Elisity uses for login and management to access infrastructure.
Delete | This option allows for the removal of selected Virtual Edge Nodes from the network. Deletion is permanent and typically used when a node is no longer required or is being replaced. It's essential to ensure that decommissioning and data backup procedures are followed before deletion to prevent unintended data loss or network disruptions.

Viewing Virtual Edge Details

Open the Virtual Edges page and click a Virtual Edge (VE) name to view its details. The page is organized into “Virtual Edge Information,” “Additional Information,” “Memory Usage,” “CPU Usage,” and a “Virtual Edge Nodes” table. A status badge is shown in the “Virtual Edge Information” panel.

 

Virtual Edge Information

Field | Description
Virtual Edge Type | Hosting type of the VE (for example, Hypervisor Hosted).
Virtual Edge Group | Name of the Virtual Edge Group that manages this VE.
IP Address | Management IP address of the VE.
Site Label | Site label currently assigned to the VE.
Distribution Zone | Distribution Zone currently assigned to the VE.
Status (icon) | Current operational state shown as a badge in this panel. See VE Status below.

 

VE Status

Value | Definition
Online | Connectivity between the Virtual Edge and Cloud Control Center is operating normally.
Offline | Connection is not active from the Virtual Edge to Cloud Control Center. (Outbound connectivity on TCP/443)

 

Additional Information

Field | Description
Node ID | Internal identifier for the VE. Useful for troubleshooting.
Software Version | Version of the Virtual Edge software currently running on the VE.
OS Software Version | Version of the bootstrap OS responsible for upgrading, restarting, etc. the VE.
Virtual Edge Nodes | Count of VENs currently managed by this VE.
OTP | Provides a REGENERATE CREDENTIALS control for OTP credentials. Only regenerate credentials if you need to redeploy the Virtual Edge.

 

Resource (Memory and CPU) Usage

Panel | Description
Memory Usage | Current memory consumption for the VE.
CPU Usage | Current CPU utilization for the VE.

 

Virtual Edge Nodes (table)

Column | Description
Virtual Edge Node Name | Clickable VEN name to open the VEN details view.
Host | Host IP address for the VEN.
Vendor | Vendor associated with the hosting device.
Status | Operational state of each VEN (icon). See clickable in-depth status reports in the previous section.
Status Duration | Elapsed time in the current status.
Client | Shows whether the VEN is an active client (actively managed by the current VEN) or a candidate client (would be managed by the VE if the active VE has an outage.) See Virtual Edge Groups rebalancing for more information.

Controls: Search; filter; view/layout; refresh; download. Add Virtual Edge Node opens the creation workflow.

Top-level actions

Action | Description
Edit | Opens editable settings for the VE.
Delete | Deletes the VE (subject to safeguards in your environment).
Show Credentials | Opens the Virtual Edge Configuration modal, which displays the CCC URL and Client Secret with one-click copy functionality. Use these credentials when re-registering a Virtual Edge or performing bulk onboarding.
Close | Returns to the previous page.

The Show Credentials action opens the Virtual Edge Configuration modal:

[Image: Virtual Edge Configuration modal showing CCC URL and Client Secret]

 

Viewing Virtual Edge Node Details

Open the Virtual Edge Nodes page and click a VEN name to view its details. The page is organized into Virtual Edge Node Information, Additional Information, Memory Usage, CPU Usage, and Port Configuration. The VEN Status icon is shown in Virtual Edge Node Information. When a node is degraded, click the status chip to view the detailed list of causes.

Click the status chip on the details page to view connection status details:

[Image: VEN details page with clickable status chip]

 

Virtual Edge Node Information

Field | Description
Virtual Edge Group | Virtual Edge Group which manages the VEN.
Virtual Edge | The specific Virtual Edge in the VE Group which is actively managing the VEN.
IP Address | Management IP address of the node.
Site Label | Site Label currently assigned to the node.
Distribution Zone | Distribution Zone currently assigned to the node.
Status | Current operational state (Online, Offline, or Degraded). See “VEN status” below for details.

 

VEN status

Value | Definition | Where to view details
Online | VEN is reachable and operating normally. | Status badge on the details page.
Offline | VEN is not reachable by the controller. | Status badge on the details page.
Degraded | VEN is reachable but one or more health checks/resources are not normal. | Click the status chip in the list view or on the details page to see the specific cause(s).

 

Additional Information

Field | Description
Node ID | Internal identifier for the node. Useful in troubleshooting.
Vendor | Hardware vendor of the hosting device.
Model | Hardware model of the hosting device.
Software Version | Vendor software version currently running on the device.
Number of Devices | Count of devices currently associated with or learned by this node. Click on the number to see the list of devices.

 

Resource usage

Panel | Description
Memory Usage | Current memory consumption for the node.
CPU Usage | Current CPU utilization for the node. (number of CPUs)

 

Port Configurations

Details about the port configurations can be viewed and managed from this menu, providing administrators with the ability to tailor network connectivity and traffic flow according to specific requirements. For more information about these port configurations and what they do, read Port Configurations on Virtual Edge Nodes.

Area / Control | Description
Tabs | Endpoint Discovery; Flow Telemetry.
Endpoint Discovery (table) | Searchable list of ports showing their classification Source, Status, and configuration details.
Source | Read-only column indicating how each port was classified as UNI (User-to-Network Interface) or NNI (Network-to-Network Interface). Values include Interface Description, LLDP Host Capabilities, CDP Host Capabilities, Port Channel, and Default, among others. See the Source Value Reference table below for the full list.
Status | Displays the current state of the port as a colored chip: green indicates Enabled, gray indicates Disabled.
Edit Port Configuration | Opens per-port configuration to enable/disable or adjust discovery settings.
Table controls | Filter, view/layout, refresh, and download actions for the table.

 

Source Value Reference

Hovering over a Source value displays additional detail about how the classification was determined:

[Image: Endpoint Discovery Source column with hover tooltip]

The following table describes each possible value in the Source column of the Endpoint Discovery port list. Ports without classification source data display a dash (—).

Source Value | Description
Interface Description | Classified based on the interface description.
LLDP Host Capabilities | Neighbor reported as a device via LLDP.
CDP Host Capabilities | Neighbor reported as a device via CDP.
LLDP Platform | Neighbor reported as a device via LLDP Platform.
CDP Platform | Neighbor reported as a device via CDP Platform.
LLDP Capability | Neighbor reported as a network device via LLDP.
CDP Capability | Neighbor reported as a network device via CDP.
Port Channel | Port is a member of a port-channel or LAG.
Interface Type | Classified based on interface properties.
Shutdown | Interface is administratively shut down.
Default | No specific classification matched; default UNI assignment applied.

 

Available Actions

Edit: Allows for the modification of the VEN's configuration settings, including configured flow exporters, descriptions, and associated labels.
Decommission: This option facilitates the safe removal of the VEN from active service, a necessary step before deletion or when the node needs to be temporarily taken offline for maintenance or troubleshooting.

 

Distribution Zones and Site Labels

Elisity’s microsegmentation solution leverages Distribution Zones and Site Labels to streamline the process of managing network segments and applying policies based on the geographical or logical grouping of resources. This approach enables precise control over how policies are distributed and enforced across the network. Both of these constructs are managed in the Virtual Edge dashboard, but before we get into how to create and assign them to VEs, let's quickly review the concepts.

The interplay between Distribution Zones and Site Labels provides a layered approach to policy management, where Distribution Zones handle the distribution scope of device identity tags while Site Labels facilitate the granular application of policies based on site-specific requirements.

 

Distribution Zones are conceptual areas within the network that facilitate the efficient distribution of identity tags and policies. They are pivotal in large-scale environments, helping to overcome the limitations posed by hardware diversity and scale. Each Distribution Zone can support a varying number of devices, depending on the specific hardware used within the zone, and is linked to Virtual Edges, ensuring all nodes of a Virtual Edge belong to the same Distribution Zone. The dynamic nature of Distribution Zones allows for their reassignment to different Virtual Edges as needed, enhancing flexibility in network management.

Site Labels offer a method to both organize and classify VEs/VENs and any devices attached to these Policy Enforcement Points based on their physical or logical location. This allows policies to be applied more contextually, and enhances the visibility and analytics data by utilizing site labels as both a filtering mechanism and a policy enforcement mechanism. 

Below is an example of how Site Labels are used to assign groups of Virtual Edges and Virtual Edge Nodes to different Policy Sets. In this example, we onboarded our VEs into a Simulation (staging) Policy Set with all simulated policies to ensure a safe, non-disruptive deployment where we can analyze the behavior of our simulated policies and how they would impact our production environment. Then, with one simple action, we can move our Virtual Edges to a new Policy Set by either (1) Assigning a new Site Label to our VEs or (2) moving our original site label to a new Policy Set.

Inheritance of Site Labels and the "Default" Site Label

Site Labels can be assigned to both VEs and VENs, as previously mentioned. If a VEN does not have a Site Label explicitly assigned, the VEN inherits the Site Label of the parent VE, if it exists. If no Site Label has been explicitly assigned to a VE, the VE and its VENs are automatically assigned the Default Site Label. If you have Policy Sets enabled, this Default Site Label is assigned to the "Core" Policy Set by default. The Default Site Label is reassignable to other Policy Sets just like any other Site Label, allowing flexibility in how you manage VEs that have not explicitly been assigned a Site Label.
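The inheritance rule above determines which VENs change Policy Set under each of the two actions described earlier (assigning a new Site Label to a VE, or moving an existing Site Label to a new Policy Set). The following added example, which is not Elisity code, resolves the effective Site Label per VEN and lists the VENs whose Policy Set would change. The dictionary data model, device names, labels and the "Simulation" and "Production" Policy Set names are hypothetical; only the precedence rule and the Default/Core behavior come from this article.

```python
DEFAULT_SITE_LABEL = "Default"  # applied when neither the VEN nor its VE has a label
DEFAULT_POLICY_SET = "Core"     # where Default and newly created labels start out

# Constructed topology: a VEN value of None means "no Site Label explicitly assigned".
TOPOLOGY = [
    {"name": "ve-01", "site_label": "Plant-A",
     "vens": {"sw-01": None, "sw-02": None, "sw-03": "Plant-A-Lab"}},
    {"name": "ve-02", "site_label": None,
     "vens": {"sw-10": None, "wlc-01": "Plant-A"}},
]
# Constructed Site Label -> Policy Set assignments.
POLICY_SETS = {"Plant-A": "Simulation", "Plant-A-Lab": "Simulation", "Default": "Core"}


def effective_site_label(ven_label, ve_label):
    """A VEN's own label wins, then the parent VE's label, then Default."""
    return ven_label or ve_label or DEFAULT_SITE_LABEL


def resolve_policy_sets(virtual_edges, label_to_policy_set):
    """Return {ven_name: (effective_site_label, policy_set)} for every VEN."""
    resolved = {}
    for ve in virtual_edges:
        for ven_name, ven_label in ve["vens"].items():
            label = effective_site_label(ven_label, ve["site_label"])
            # A label with no explicit assignment is treated as still sitting in Core.
            policy_set = label_to_policy_set.get(label, DEFAULT_POLICY_SET)
            resolved[ven_name] = (label, policy_set)
    return resolved


def relabel_ve(virtual_edges, ve_name, new_label):
    """Option 1: return a copy of the topology with one VE given a new Site Label."""
    return [{**ve, "site_label": new_label} if ve["name"] == ve_name else ve
            for ve in virtual_edges]


def policy_set_changes(before, after):
    """Return {ven_name: (old_policy_set, new_policy_set)} for VENs that would move."""
    return {ven: (before[ven][1], after[ven][1])
            for ven in sorted(before)
            if ven in after and before[ven][1] != after[ven][1]}


if __name__ == "__main__":
    before = resolve_policy_sets(TOPOLOGY, POLICY_SETS)

    # Option 1: give ve-01 a new label that has been assigned to Production.
    # Only VENs inheriting from ve-01 move; sw-03 keeps its own label.
    option1 = resolve_policy_sets(relabel_ve(TOPOLOGY, "ve-01", "Plant-A-Prod"),
                                  {**POLICY_SETS, "Plant-A-Prod": "Production"})
    print("relabel ve-01:", policy_set_changes(before, option1))

    # Option 2: move the Plant-A label itself to Production. This also reaches
    # wlc-01, which carries Plant-A explicitly under a different VE.
    option2 = resolve_policy_sets(TOPOLOGY, {**POLICY_SETS, "Plant-A": "Production"})
    print("move Plant-A:", policy_set_changes(before, option2))

    # Relabeling with a label nobody assigned to a Policy Set lands the VENs in Core.
    unmapped = resolve_policy_sets(relabel_ve(TOPOLOGY, "ve-01", "Plant-A-Prod"), POLICY_SETS)
    print("unassigned new label:", policy_set_changes(before, unmapped))
```
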

Creating and Assigning Site Labels and Distribution Zones

Creating Site Labels

To create Site Labels and assign them to your Virtual Edges and Virtual Edge Nodes, start in the Virtual Edges dashboard and navigate to Settings in the top right.

Next, stay on the Site Labels tab and click + Create Site Label.

Give your Site Labels a unique name, and create as many as you need by clicking + Create Another Site Label. Once you have added your Site Labels, click Create.

Afterwards, your Site Labels will appear in the Site Labels list, where you can filter and manage Site Labels, performing actions such as editing and deleting. Note that you can also create new Site Labels on the fly while assigning them to VEs, which will be covered in the next section.

Creating Distribution Zones

The process for creating Distribution Zones is nearly identical to creating Site Labels. Start in the Virtual Edges dashboard and navigate to Settings in the top right.

Next, click the Distribution Zones tab and click + Create Distribution Zone.

Give your DZs a unique name, and create as many as you need by clicking + Create Another Distribution Zone. Once you have added your Distribution Zones, click Create.

Afterwards, your Distribution Zones will appear in the list of DZs, where you can filter and manage them, performing actions such as editing and deleting. Note that you can also create new Distribution Zones on the fly while assigning them to VEs, which will be covered in the next section.

Assigning Site Labels and Distribution Zones

Site Labels and Distribution Zones can be assigned at the Virtual Edge Group level or to individual Virtual Edges, ensuring policy consistency and streamlined management.

To assign these labels within a VE Group:

  1. Navigate to the Virtual Edge Groups section in Cloud Control Center.
  2. Select the VE Group you want to modify.
  3. Click Edit Group Settings and locate the fields for Site Labels and Distribution Zones.
  4. Assign the desired Site Label(s) or Distribution Zone(s). If a required label does not exist, you can create a new one during this process.
  5. Click Save Changes to apply the updates.

For individual Virtual Edges, these labels are assigned by:

  1. Selecting the specific Virtual Edge from the Virtual Edges section.
  2. Clicking Edit and assigning Site Labels and Distribution Zones in the corresponding fields.
  3. Saving the changes to apply the updates.

Policy Considerations When Assigning Labels

When assigning Site Labels and Distribution Zones, ensure alignment with Policy Sets, as these labels define the policies applied to all endpoints behind the assigned VE Group or Virtual Edge.

To maintain policy accuracy:

  • Review the associated Policy Sets before modifying Site Labels or Distribution Zones.
  • Monitor endpoint connectivity after making changes to confirm the expected policy application.
  • Utilize VE Groups to streamline policy enforcement across multiple Virtual Edges when applicable.

Managing Site Labels and Distribution Zones effectively ensures proper policy distribution and prevents unintended connectivity impacts.

Assigning Site Labels to Virtual Edge Nodes

Site Labels can also be applied to each individual Virtual Edge Node, effectively overwriting the Site Label of the parent Virtual Edge, or adding a Site Label if one does not exist at the VE level. This offers a flexible approach to policy management by giving control of Policy Distribution down to each individual Policy Enforcement Point at the edge of your network. 

To assign a specific Site Label to a Virtual Edge Node, find the VEN and click Edit Virtual Edge Node from anywhere in the Virtual Edge dashboard. 

In the VEN editing window, we can see our current configuration for this Virtual Edge Node. We can also see some information about the parent Virtual Edge, particularly the Site Label of the VE. In this case, our Virtual Edge has the IND Site Label. Click the Site Label field and add any available Site Label, or create a new one. Remember, any time you create a new Site Label, it will be associated with the Core Policy Set, if Policy Sets are enabled. When you are done, click Save Changes.

The same caution applies here. Be aware of the implications of assigning new Site Labels and Distribution Zones, and of which Policy Sets are associated with your Site Labels, as this defines what policies will be applied to all the endpoints attached to the current VE. An error here can result in unintended policies being distributed to this network segment, which could disrupt connectivity between devices.

Remember, assigning site labels to your VENs gives you the ability to sort and filter your VEN and attached devices using this site label. If Local Policy Groups are in place for the selected Site Label which you are assigning to a VEN, you will effectively enable Local Policy Group classification for all attached devices.

Configuring and Using Global Credentials for Deployments

The Global Credentials feature streamlines the process of onboarding switches and Wireless LAN Controllers (WLCs) as Virtual Edge Nodes (VENs). This capability allows administrators to define and manage multiple sets of credentials, each specific to a site or region, ensuring smooth and secure deployment across diverse infrastructure.

Benefits of Global Credentials

  • Flexibility Across Sites or Regions: Enterprises with varying privilege 15 accounts across sites or regions can use distinct credentials.
  • Simplified Deployment: By storing reusable credentials, administrators save time during VEN deployment and configuration, eliminating the need to manually re-enter credentials for each deployment.
  • Centralized Management: All credentials are managed from a single interface, ensuring consistency and security.

Configuring Global Credentials

To configure Global Credentials:

  1. Navigate to Virtual Edges > Settings in the Elisity CCC.
  2. Select the Global Credentials tab.
  3. Click + Add Credentials to open the configuration pane.
  4. Enter the required details:
    • Authentication Group Name: A descriptive name for the credential set.
    • Username: The administrative username for the switches or WLCs to be onboarded.
    • Password: The associated password.
    • Description (optional): Additional notes about the credentials.
  5. Click Add to save the credentials.

Using Global Credentials

Once configured, Global Credentials can be applied during the onboarding process for switches or WLCs. The system ensures that the appropriate credential set is used for the device based on the site or regional settings, reducing errors and simplifying the process.

Note: Global Credentials can also be created "on the fly" during the deployment of a Virtual Edge Node by clicking + ADD NEW CREDENTIALS.

You can view the number of VENs associated with a set of Global Credentials in the Virtual Edge Nodes column from Virtual Edges > Settings > Global Credentials.

Clicking the number in the Virtual Edge Nodes column displays the VEN details. Clicking View Details displays the VEN details in a new tab.

Note: The Virtual Edge Nodes shown are limited to your site permissions.

Best Practices

  • Regularly review and update credentials to maintain security compliance.
  • Use descriptive group names to quickly identify credentials associated with specific regions or sites.
  • Limit access to credential management to authorized personnel.

This feature enhances operational efficiency, particularly for organizations with geographically distributed networks, making VEN onboarding seamless and scalable.

Configuring and Assigning Custom Flow Exporters

Custom flow exporters allow organizations to integrate Elisity's Flow Telemetry with existing network monitoring solutions. For customers who already rely on third-party tools for network analytics and traffic visibility, this feature provides a way to direct flow data from Virtual Edge Nodes (VENs) to an external monitoring system. This setup enables seamless continuation of existing monitoring workflows, consolidating network insights in a single tool and enhancing visibility across both Elisity-managed and legacy infrastructure.

Administrators can configure custom NetFlow exporters within the Flow Telemetry settings under Virtual Edges > Settings in Cloud Control Center. This feature supports integration with external network monitoring tools, allowing traffic data to be directed to the IP address of an additional flow collector.

Configuring a Custom Netflow Exporter in CCC

  1. Location: Go to Virtual Edges > Settings > Flow Telemetry.
  2. Exporter Configuration: Use the Add Exporter button to configure a new NetFlow exporter with the following details:
    • Name: A unique identifier for the exporter.
    • Description: (Optional) Context or notes for the exporter’s usage.
    • IP Address: The IP address of the additional flow collector to which flow data will be sent.

Once configured, these exporters can be selected within each Virtual Edge Node’s (VEN) settings to direct the node’s traffic data to the specified destination.

Assigning a Custom Netflow Exporter to a VEN

In the Virtual Edge Node configuration wizard, administrators can associate a VEN with a specific NetFlow exporter using a dropdown in the Flow Telemetry section. Each VEN can be linked to one custom exporter at a time, which will direct its traffic data to the selected exporter.

Configuration Details and Considerations

  • Single Exporter Limitation: Each VEN can be linked to only one third-party NetFlow exporter.
  • Validation: IP address inputs are validated to reduce configuration errors.
  • Arista Compatibility: For VENs using Arista switches, only a single VE IP is supported as an exporter. When an Arista VEN is detected, the exporter selection is disabled on the Virtual Edge Node Configuration page.

 

Flow Telemetry tab showing per-port configuration with Source column

Example Flow Exporter Configurations

The following example shows the process of enabling a custom flow exporter, particularly if netflow configurations already exist on the switch.

Customer Flow Exporter Configuration Examples

Here is an example of a customer's Flow Monitor configurations, if they exist, before enabling Flow Telemetry for a Virtual Edge Node. These NetFlow configs will be replaced by Elisity Flow Telemetry configurations by leveraging the secondary custom flow exporter discussed above.

 

With Flow Telemetry enabled for the VEN, Elisity's flow exporter is added to the switch configuration. The customer's existing netflow configuration (flow record, flow exporter, and flow monitor configuration) is retained, but is no longer referenced on any switchports and takes no effect, as these are overwritten by the Elisity Port Configurations. 

Note: The flow record ElisityNetFlowRecord configuration can be modified with a Virtual Edge environment variable to support Application Visibility and Control (AVC) with Flexible Netflow, which provides support for customers using NBAR. Enabling this environment variable on the Virtual Edge is covered in the next step.

Elisity Netflow Configuration with Retained Customer Netflow Config


Optionally, to add the environment variable that enables AVC FNF (NBAR support) to the parent Virtual Edge, follow these steps:

  1. Log in to the Virtual Edge.
  2. Run the command config settings
    • Running this command will show the current config file contents where all environment variables are stored.
    • You can also see the current config settings by running the command show settings.
  3. Enter the new contents for the config file. The variable to enable AVC configurations in the Elisity Flow Record config is:

    HAL_CISCO_NETFLOW_AVC=true

Important note: These contents will overwrite any existing configuration, so copy the current file content and include it when adding the new variable before typing END. Entering only END clears the current file content.

The environment variable HAL_CISCO_NETFLOW_AVC=true should only be used for Virtual Edges that are managing Cisco Catalyst 9000 series switches, as some of the fields added to the Elisity netflow configuration are not compatible with Catalyst 3000 series switches.

When adding this environment variable, the Elisity Netflow Configurations must be reapplied. It's recommended to disable Flow Telemetry in the VEN Port Configurations, add the environment variable to the parent Virtual Edge, wait 90 seconds, and re-enable Flow Telemetry on the VEN.

Again, you can confirm which environment variables are active by running the command

show settings

Elisity Netflow Configuration with AVC network variable enabled

The Elisity Netflow Configuration on your Virtual Edge will look like this after enabling the environment variable and reapplying the Netflow Port Configuration in Cloud Control Center.

 

If the AVC Environment Variable is enabled, the following fields are added to the configuration:


Matched Fields Added:

    match ipv4 version
    match application name
    match connection client ipv4 address
    match connection server ipv4 address
    match connection server transport port
    match flow observation point
    match flow direction

Collected Fields Added:

    collect flow direction
    collect connection initiator
    collect connection client counter packets long
    collect connection client counter bytes network long
    collect connection server counter packets long
    collect connection server counter bytes network long
    collect connection new-connections
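
One way to confirm that the reapplied configuration took effect, as an added example rather than an Elisity tool: save the switch's running configuration as text and check that the ElisityNetFlowRecord section contains every field listed above. The sample configurations, including the record name CUSTOMER-RECORD and the non-AVC fields in the Elisity record, are constructed for illustration.

```python
# Record name and field list are from the article; the sample configs are constructed.
RECORD_NAME = "ElisityNetFlowRecord"
AVC_FIELDS = [
    "match ipv4 version",
    "match application name",
    "match connection client ipv4 address",
    "match connection server ipv4 address",
    "match connection server transport port",
    "match flow observation point",
    "match flow direction",
    "collect flow direction",
    "collect connection initiator",
    "collect connection client counter packets long",
    "collect connection client counter bytes network long",
    "collect connection server counter packets long",
    "collect connection server counter bytes network long",
    "collect connection new-connections",
]

def flow_record_lines(running_config, name=RECORD_NAME):
    """Statements inside 'flow record <name>', or None if the record is absent."""
    lines, inside, found = [], False, False
    for raw in running_config.splitlines():
        if raw and not raw[0].isspace():  # any top-level line closes the section
            inside = raw.split() == ["flow", "record", name]
            found = found or inside
        elif inside and raw.strip():
            lines.append(" ".join(raw.split()))  # collapse indentation and spacing
    return lines if found else None

def missing_avc_fields(running_config):
    """AVC fields from the article that the Elisity flow record lacks."""
    present = flow_record_lines(running_config)
    if present is None:
        raise ValueError(f"flow record {RECORD_NAME} not found")
    return [field for field in AVC_FIELDS if field not in present]

# Constructed samples: a retained customer record plus the Elisity record,
# first without the AVC fields and then with all of them.
SAMPLE_WITHOUT_AVC = """\
flow record CUSTOMER-RECORD
 match application name
!
flow record ElisityNetFlowRecord
 match ipv4 source address
 collect counter bytes long
!
"""
SAMPLE_WITH_AVC = SAMPLE_WITHOUT_AVC.rstrip("!\n") + "\n" + "".join(
    f" {field}\n" for field in AVC_FIELDS) + "!\n"
```

An empty list from missing_avc_fields means the AVC variable was applied to the Elisity record. Fields that appear only in the retained customer record are not counted, because that record is no longer referenced.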



 

Netflow Configuration with Custom Flow Exporter and AVC Variable enabled

This example shows Elisity's Netflow configuration enabled with a Secondary Flow Exporter added in Cloud Control Center. In this example, the customer's original netflow configuration has been retained but is inactive. The secondary flow exporter is handling the forwarding of traffic flows that were previously handled by the customer's original configuration. Elisity Flow Telemetry configurations overwrite any existing flow exporter configurations on switchports to use Elisity's flow monitor configuration.

This setup enables telemetry data from VENs to be exported to external systems as configured, supporting detailed traffic analysis and monitoring across third-party tools.

Cisco Catalyst Center Coexistence

In environments where Cisco Catalyst Center (formerly DNA Center) manages NetFlow or IPFIX configuration on switches, the Virtual Edge maintains its global flow telemetry configuration regardless of whether individual interfaces have flow collection enabled. This allows Catalyst Center and the Virtual Edge to coexist as flow exporters on the same switch without configuration conflicts.

The Virtual Edge automatically detects and decodes Cisco proprietary NetFlow and IPFIX field identifiers used by Catalyst Center. No additional configuration is required; flow records from Catalyst Center–managed switches are parsed and processed alongside standard flow telemetry data. Both NetFlow v9 and IPFIX formats are supported.
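
As an added illustration (not Elisity's code or the Virtual Edge's implementation), this example shows how a collector distinguishes enterprise-specific fields from standard ones when reading an IPFIX Template Set per RFC 7011: a set high bit on the element ID means a 4-byte enterprise number follows, and 9 is the number registered to Cisco. The message is constructed, and element ID 1000 is a placeholder, not a real Cisco field.

```python
import struct

CISCO_PEN = 9  # IANA Private Enterprise Number registered to ciscoSystems

def parse_ipfix_templates(msg):
    """Map template ID -> [(enterprise_number or None, element_id, length)]."""
    if len(msg) < 16:
        raise ValueError("truncated IPFIX header")
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, off = {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        while set_id == 2 and pos + 4 <= end:  # Set ID 2 = Template Set
            tid, count = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if tid < 256:  # template IDs start at 256; anything lower is padding
                break
            fields = []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated field specifier")
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                pen = None
                if ie & 0x8000:  # enterprise bit: a 4-byte enterprise number follows
                    if pos + 4 > end:
                        raise ValueError("truncated enterprise number")
                    (pen,) = struct.unpack_from("!I", msg, pos)
                    pos += 4
                fields.append((pen, ie & 0x7FFF, flen))
            templates[tid] = fields
        off += set_len
    return templates

def cisco_fields(templates):
    """Enterprise-specific elements registered under Cisco's enterprise number."""
    return {tid: [f for f in fs if f[0] == CISCO_PEN] for tid, fs in templates.items()}

# Constructed message: template 256 with sourceIPv4Address (8),
# destinationIPv4Address (12) and a placeholder Cisco element (ID 1000).
SAMPLE_FIELDS = struct.pack("!HHHH", 8, 4, 12, 4) + struct.pack("!HHI", 0x8000 | 1000, 2, CISCO_PEN)
SAMPLE_SET = struct.pack("!HHHH", 2, 8 + len(SAMPLE_FIELDS), 256, 3) + SAMPLE_FIELDS
SAMPLE_MSG = struct.pack("!HHIII", 10, 16 + len(SAMPLE_SET), 0, 0, 1) + SAMPLE_SET
```

A parser that ignores the enterprise bit reads the 4-byte enterprise number as the next field specifier and mis-decodes every field after it, which is why a collector has to handle these identifiers explicitly.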
