Managing Virtual Edges and Virtual Edge Nodes

 

This article covers the tools available in Cloud Control Center for effectively managing Virtual Edges (VEs) and Virtual Edge Nodes (VENs) within the Elisity platform. In this article, we will cover the essentials for monitoring the status and viewing detailed information for your VEs and VENs. Additionally, we will guide you through the processes of creating and configuring VEs and VENs, including setting up site labels and distribution zones, which are crucial for a well-structured network environment. This guide aims to provide clear, step-by-step instructions and insights to streamline your network management tasks.

 

Visibility into Virtual Edges (VEs) and Virtual Edge Nodes (VENs)

The Virtual Edge Dashboard is your centralized platform for monitoring and managing the status and configurations of your Virtual Edges and Virtual Edge Nodes. This dashboard provides a comprehensive view that ensures you have the necessary insights to maintain optimal network performance and security. Here's how to navigate and interpret the key features of the dashboard:

 

Summary Section

The Summary section offers a quick overview of the current state of your VEs and VENs. It displays the total count and status (Online, Offline, Not Registered, Decommissioned, Deleted) of both VEs and VENs in a simple, graphical format. Clicking on any section of the pie graph or one of the VE/VEN status categories will filter the view below to show only the relevant VEs.
This immediate visibility helps you assess the overall health of your network infrastructure at a glance and quickly surfaces any issues with Virtual Edges or Nodes that need to be addressed.


Virtual Edges and Virtual Edge Nodes Tabs

Below the summary, you'll find tabs for Virtual Edges and Virtual Edge Nodes. These tabs provide detailed lists of all configured VEs and VENs, respectively. Here you can see total counts of VEs within each VE Group and the total number of Standalone VEs.

Each entry includes crucial information such as the Virtual Edge Name, IP Address, Status, Number of Virtual Edge Nodes (VENs), Status Duration, Site Label, Software Version, number of connected Virtual Edge Nodes (for VEs), Distribution Zone, and available Actions. You can customize these table views by adding, removing, and rearranging the columns. For more in-depth information about each VE and VEN, you can open details about each Virtual Edge or Virtual Edge Node. 

 

Actions for Virtual Edges

Clicking on the actions button to the far right of a Virtual Edge within the table reveals available actions for the Virtual Edge. These actions include the following:

View Virtual Edge: Opens the details view for the selected Virtual Edge. This action performs the same function as clicking on the Virtual Edge name or IP Address in the table.

Edit Virtual Edge: Change the Virtual Edge Host Name or Description.

Change Group: Enables moving the Virtual Edge to a different Virtual Edge Group. Because Site Label and Distribution Zone are configured at the group level, the VE will inherit the configurations of the new group. Any Virtual Edge Nodes managed by the given VE will be redistributed to other VEs in the original VE Group. If a Virtual Edge is alone in a VE Group, it cannot be moved.

Delete Virtual Edge: Deletes the Virtual Edge if acceptable conditions are met (i.e. no dependent VENs).

 

Actions for Virtual Edge Nodes

Clicking on the actions button to the far right of a Virtual Edge Node within the table reveals available actions for the Virtual Edge Node. These actions include the following:

View Virtual Edge Node: Opens the details view for the selected Virtual Edge Node. This action performs the same function as clicking on the Virtual Edge Node name or IP Address in the table.

Edit Virtual Edge Node: Change the Virtual Edge Node Description, Flow Exporter, Login Credentials, Site Label or Distribution Zone.

Port Configuration: Details about the port configurations can be viewed and managed by selecting this option. For more information about these port configurations and what they do, read Port Configurations on Virtual Edge Nodes.

Decommission/Delete Virtual Edge Node: Decommissioning VENs temporarily removes them from active duty without deleting their configurations. This is useful for maintenance, troubleshooting, or reallocating resources. Decommissioned nodes can be recommissioned later as needed. The Delete option replaces the Decommission option if the VEN is Decommissioned.

Change Group: Allows you to move VENs to another VE Group. Be sure that the VEs in the new group have connectivity to the VEN when changing VE Groups.

 

Site Label Filtering 

The Select Site Label feature allows for efficient filtering of VEs/VENs based on Site Labels. This feature enhances your ability to manage large-scale deployments by allowing you to view VEs and VENs associated with specific site labels.

Here's how to use this feature effectively:

Multi-Select Dropdown: The site label filter provides a multi-select dropdown, enabling you to choose multiple site labels simultaneously. This flexibility allows for a customized view that matches your specific monitoring or management needs.

Searchable Labels: Begin typing within the dropdown to quickly search and select from the available site labels, making it easier to narrow down to the relevant devices.

Persistent Selections: Your filter selections remain in place even when navigating away from and back to the Virtual Edges page, ensuring continuity in your monitoring activities.

Impact on Dashboard Display: Upon applying one or more site label filters, the dashboard dynamically updates to only display the VEs and VENs associated with the selected labels. This filtering extends to charts and tables, providing a focused view that simplifies management tasks.


Utilizing site label filtering is especially valuable in environments with numerous VEs and VENs, enabling network admins to quickly isolate and manage devices relevant to specific locations or functions.
By integrating these features into your network management routines, you can enhance the efficiency and effectiveness of your monitoring and management activities within the Elisity platform.

Bulk Actions for Managing VEs and VENs

The Elisity platform provides a range of actions that administrators can perform on Virtual Edges, including editing configurations, downloading configurations, and deleting VEs. Each action is designed to offer control over the deployment and management of VEs within the network. In addition, the platform supports bulk actions for VEs and VENs, allowing administrators to perform tasks such as restarting Restconf, redeploying, and decommissioning/deleting VENs in a streamlined manner. These actions are contextual, based on the types of VEs/VENs selected and which actions are available for the state of each VE/VEN.


Virtual Edges

 

Change Group: The Change Group option enables moving selected Virtual Edges to a different Virtual Edge Group. Because Site Label and Distribution Zone are configured at the group level, the Virtual Edge(s) will inherit the configurations of the new group. Any Virtual Edge Nodes managed by the given VE(s) will be redistributed to other VEs in the original VE Group. If a Virtual Edge is alone in a VE Group, it cannot be moved.

Delete: This bulk action permits the deletion of multiple VEs at once. It is crucial for efficiently managing the lifecycle of VEs, especially when decommissioning or reorganizing network infrastructure. The delete action should be used with caution to avoid unintentionally removing critical network components.

The Delete option is available as a bulk edit option for both Standalone VEs and Group-associated VEs.

Standalone Virtual Edge Options

Download Configuration: This action enables the download of switch-hosted Virtual Edge configuration files. It's specifically designed for switch-hosted VEs, allowing administrators to obtain the configuration file(s) in bulk. These files can be edited offline and then re-uploaded to apply changes to the VEs.

Download Docker File: Similar to the configuration file download for switch-hosted VEs, this action pertains to hypervisor-hosted VEs. It allows the download of Docker files (in .yml format) that contain the configurations for the docker container running the VE. Administrators can download these files, modify them as needed to adjust the configuration, and then re-upload them to update the VE settings.

 

Virtual Edge Nodes

Restart Restconf: This action restarts the Restconf process on selected Virtual Edge Nodes. Restarting Restconf can be necessary for applying new configurations or troubleshooting connectivity issues, ensuring that VENs are properly synchronized with the Elisity management platform.

Recommission: Recommissioning VENs is a critical step in re-integrating previously decommissioned nodes back into the network. This action reactivates VENs, making them active participants in the network's segmentation and policy enforcement mechanisms.

Decommission: Decommissioning VENs temporarily removes them from active duty without deleting their configurations. This is useful for maintenance, troubleshooting, or reallocating resources. Decommissioned nodes can be recommissioned later as needed.

Change Group: Allows you to move VENs to another VE Group. This requires decommissioning your VENs. You can skip selected VENs that have not been decommissioned in the bulk action.

Delete: This option allows for the removal of selected Virtual Edge Nodes from the network. Deletion is permanent and typically used when a node is no longer required or is being replaced. It's essential to ensure that decommissioning and data backup procedures are followed before deletion to prevent unintended data loss or network disruptions.

 

Viewing Virtual Edge and Virtual Edge Node Details

Click on the Virtual Edge Name or Virtual Edge Node Name from the list. This action takes you to a dedicated details page for the selected VE or VEN, where comprehensive information is presented.

Virtual Edge Details

Overview Section: The top of the Virtual Edge (VE) details page displays essential information, including the VE name, status (e.g., Online, Offline), type (such as Hypervisor Hosted), and associated VE Group. Key identifiers like IP address, Site Label, and Distribution Zone are also shown for context within the network architecture.

Operational Metrics: Resource usage statistics, including real-time Memory and CPU usage, provide insights into the VE’s performance, enabling proactive monitoring and troubleshooting. This data helps in assessing resource allocation and identifying potential overloads or inefficiencies.

Top-Level Actions:

  • Edit: Modify VE configurations such as network settings, Site Label, and Distribution Zone assignments, allowing updates to reflect evolving network needs and policies.
  • Delete: This option allows deletion of the VE, which is only possible after decommissioning or deleting associated Virtual Edge Nodes (VENs) to ensure network continuity and security.
  • View Configuration (Switch-hosted VE Only): View and copy the VE App configurations required for switch-hosted Virtual Edge deployments.


Virtual Edge Nodes (VENs) Section

Listing of VENs: Below the Virtual Edge information, there's a section dedicated to the VENs associated with the VE. It lists each VEN's name, IP address, status, status duration, vendor, and the site label and software version if applicable. This consolidated view enables quick monitoring of all nodes connected to the VE.

Client Type: This field indicates whether the Virtual Edge Node is an Active Client of the selected Virtual Edge, or a Candidate Client. Active Client indicates that the selected Virtual Edge is actively managing the Virtual Edge Node, while Candidate Client indicates that the Virtual Edge is a candidate for managing the Virtual Edge Node in the event that the Active Virtual Edge goes offline. See the Virtual Edge Groups article for more information on failover mechanisms within VE Groups.

Clickability for More Details: Each VEN's name is clickable, allowing administrators to drill down into more detailed views of individual nodes. This feature facilitates easier navigation and in-depth monitoring of specific VENs.

Actionable Options for VENs: For each node, actions such as editing settings, downloading configurations, or managing the VEN's operational status are accessible through the Actions menu. This provides convenient control over each VEN's configuration and state directly from the VE's detailed view.

Add Virtual Edge Node: Administrators have the capability to add new VENs to the VE from this window. This supports scalable network growth by allowing the straightforward integration of additional nodes as network demands evolve. For more information on onboarding your access or aggregation layer infrastructure as a Virtual Edge Node for policy enforcement, read our article on Onboarding Catalyst 9000/3850/3650 as a Virtual Edge Node.

Bulk Onboarding Virtual Edges and Nodes: The Elisity Platform enables the bulk creation of Virtual Edges and Nodes using spreadsheet uploads. Read our guide on Bulk Onboarding Virtual Edges and Virtual Edge Nodes for a walkthrough on how to use this feature.

 

Virtual Edge Node Details

Accessing VEN Details
Clicking on the name of a VEN from anywhere in the Virtual Edge dashboard brings you to this detailed view. This action-centric approach ensures that network administrators have immediate access to all necessary information and management capabilities for each VEN, supporting effective and efficient network management and troubleshooting practices. Here is a summary of the information and options available for viewing and managing Virtual Edge Nodes from this menu.

Overview: At the top, you'll see an overview that includes the VEN's name, the model of the device (e.g., C9300-48P for Cisco devices), and the vendor. It also shows the current online status, providing a quick indicator of the VEN's operational state.

VEN Specifics: This section provides specific details about the Virtual Edge Node, including the associated Virtual Edge (VE) name, IP address, Site Label, Software Version, and the number of devices connected to this VEN.

Resource Usage: Displays current memory and CPU usage metrics. These insights are vital for monitoring the performance and ensuring that the VEN operates within its capacity, avoiding potential bottlenecks or performance issues.

Model, Vendor, and Device Count: Detailed information about the VEN's hardware model, the vendor, and the total number of devices connected, enabling administrators to assess the VEN's capacity and vendor-specific attributes.

Hardware and Firmware Versions: Shows the hardware version and the current firmware version running on the VEN, information that's essential for compatibility checks and upgrade planning.


Port Configurations

Details about the port configurations can be viewed and managed from this menu, providing administrators with the ability to tailor network connectivity and traffic flow according to specific requirements. For more information about these port configurations and what they do, read Port Configurations on Virtual Edge Nodes.

 

Top-Level Actions

Edit: Allows for the modification of the VEN's configuration settings, including configured flow exporters, descriptions, and associated labels.
Decommission: This option facilitates the safe removal of the VEN from active service, a necessary step before deletion or when the node needs to be temporarily taken offline for maintenance or troubleshooting.

Distribution Zones and Site Labels

Elisity's microsegmentation solution leverages Distribution Zones and Site Labels to streamline the process of managing network segments and applying policies based on the geographical or logical grouping of resources. This approach enables precise control over how policies are distributed and enforced across the network. Both of these constructs are managed in the Virtual Edge dashboard, but before we get into how to create and assign them to VEs, let's quickly review the concepts.

The interplay between Distribution Zones and Site Labels provides a layered approach to policy management, where Distribution Zones handle the distribution scope of device identity tags while Site Labels facilitate the granular application of policies based on site-specific requirements.

 

Distribution Zones are conceptual areas within the network that facilitate the efficient distribution of identity tags and policies. They are pivotal in large-scale environments, helping to overcome the limitations posed by hardware diversity and scale. Each Distribution Zone can support a varying number of devices, depending on the specific hardware used within the zone, and is linked to Virtual Edges, ensuring all nodes of a Virtual Edge belong to the same Distribution Zone. The dynamic nature of Distribution Zones allows for their reassignment to different Virtual Edges as needed, enhancing flexibility in network management.

Site Labels offer a method to both organize and classify VEs/VENs and any devices attached to these Policy Enforcement Points based on their physical or logical location. This allows policies to be applied more contextually, and enhances the visibility and analytics data by utilizing site labels as both a filtering mechanism and a policy enforcement mechanism. 

 

Below is an example of how Site Labels are used to assign groups of Virtual Edges and Virtual Edge Nodes to different Policy Sets. In this example, we onboarded our VEs into a Simulation (staging) Policy Set with all simulated policies to ensure a safe, non-disruptive deployment where we can analyze the behavior of our simulated policies and how they would impact our production environment. Then, with one simple action, we can move our Virtual Edges to a new Policy Set by either (1) Assigning a new Site Label to our VEs or (2) moving our original site label to a new Policy Set.

 

Inheritance of Site Labels and the "Default" Site Label

Site Labels can be assigned to both VEs and VENs, as previously mentioned. In the case that a VEN does not have a Site Label explicitly assigned, the VEN inherits the Site Label of the parent VE, if it exists. If no Site Label has been explicitly assigned to a VE, the VE and its VENs are automatically assigned the "Default" Site Label. If you have Policy Sets enabled, this "Default" Site Label is assigned to the "Core" Policy Set by default. The "Default" Site Label is reassignable to other Policy Sets just like any other Site Label, allowing flexibility into how you manage VEs that have not explicitly been assigned a Site Label.

 

Creating and Assigning Site Labels and Distribution Zones

Creating Site Labels

To create Site Labels and assign them to your Virtual Edges and Virtual Edge Nodes, start in the Virtual Edge dashboard and navigate to Settings in the top right.

Next, stay on the Site Labels tab and click + Create Site Label.

 

Give your Site Labels a unique name, and create as many as you need by clicking + Create Another Site Label. Once you have added your Site Labels, click Create.

 

Afterwards, your Site Labels will appear in the Site Labels list, where you can filter and manage Site Labels, performing actions such as editing and deleting. Note that you can also create new Site Labels on the fly while assigning them to VEs, which will be covered in the next section.

 

Creating Distribution Zones

The process for creating Distribution Zones is nearly identical to creating Site Labels. Start in the Virtual Edge dashboard and navigate to Settings in the top right.

 

Next, click on the Distribution Zones tab and click + Create Distribution Zone.

 

Give your DZs a unique name, and create as many as you need by clicking + Create Another Distribution Zone. Once you have added your Distribution Zones, click Create.

 

Afterwards, your Distribution Zones will appear in the list of DZs, where you can filter and manage them, performing actions such as editing and deleting. Note that you can also create new Distribution Zones on the fly while assigning them to VEs, which will be covered in the next section.

 

Assigning Site Labels and Distribution Zones
Both Site Labels and Distribution Zones are assignable to each individual Virtual Edge in the same manner. To assign these labels to a Virtual Edge, click on the name of the Virtual Edge you would like to add labels to.
Assigning these labels is as simple as clicking on the respective fields and selecting the Site Label or Distribution Zone that you want to assign to the VE. You can also create new labels as you add them to the VE, if the label you need does not yet exist. When you are done adding Site Labels and Distribution Zones, click Save Changes for these assignments to take effect.

Be sure that you are aware of the implications for assigning new Site Labels and Distribution Zones. You should be aware of what Policy Sets are associated with your Site Labels, as this defines what policies will be applied to all the endpoints attached to the current VE. An error here can result in unintended policies being distributed to this network segment, which could cause unintended connectivity issues between devices, causing disruption.

 

 

Assigning Site Labels to Virtual Edge Nodes
Site Labels can also be applied to each individual Virtual Edge Node, effectively overwriting the Site Label of the parent Virtual Edge, or adding a Site Label if one does not exist at the VE level. This offers a flexible approach to policy management by giving control of Policy Distribution down to each individual Policy Enforcement Point at the edge of your network. 

To assign a specific Site Label to a Virtual Edge Node, find the VEN and click Edit Virtual Edge Node from anywhere in the Virtual Edge dashboard. 

In the VEN editing window, we can see our current configuration for this Virtual Edge Node. We can also see some information about the parent Virtual Edge, particularly the Site Label of the VE. In this case, our Virtual Edge has the Default Site Label.


Towards the bottom of the window, click on the Site Label field and add any available Site Label, or create a new one. Remember, any time you create a new Site Label, it will be associated with the Core Policy Set, if Policy Sets are enabled. When you are done, click Save Changes.


The same caution applies here: know which Policy Sets are associated with the Site Label you assign, as this defines what policies will be applied to all the endpoints attached to this Virtual Edge Node. An error here can result in unintended policies being distributed to this network segment, which could cause unintended connectivity issues between devices and disrupt traffic.

Remember, assigning site labels to your VENs gives you the ability to sort and filter your VEN and attached devices using this site label. If Local Policy Groups are in place for the selected Site Label which you are assigning to a VEN, you will effectively enable Local Policy Group classification for all attached devices.

 

Global Switch Credentials

The process of setting up global switch credentials within the Elisity platform is designed to provide a streamlined method for authenticating Virtual Edges (VEs) and Virtual Edge Nodes (VENs) across the network. Global credentials serve as a unified authentication mechanism that can be applied to multiple VEs and VENs, facilitating easier management and deployment of these entities.

Steps to Set Up Global Credentials:

Navigate to the Settings section within the Virtual Edge dashboard.
Select the Global Credentials tab and fill in the Switch Admin Username and Password fields. Click Save.

This centralized approach to credential management ensures that changes to authentication details need only be made once and can be automatically applied to all associated devices, significantly reducing administrative overhead. 

 

Configuring and Assigning Custom NetFlow Exporters

Custom flow exporters allow organizations to integrate Elisity's flow telemetry with existing network monitoring solutions. For customers who already rely on third-party tools for network analytics and traffic visibility, this feature provides a way to direct flow data from Virtual Edge Nodes (VENs) to an external monitoring system. This setup enables seamless continuation of existing monitoring workflows, consolidating network insights in a single tool and enhancing visibility across both Elisity-managed and legacy infrastructure.

 

Administrators can configure custom NetFlow exporters within the Flow Telemetry settings under Virtual Edges > Settings in Cloud Control Center. This feature supports integration with external network monitoring tools, allowing flow telemetry data to be directed to the IP address of an additional flow collector.

 

Configuring a Custom Netflow Exporter in CCC

  1. Location: Go to Virtual Edges > Settings > Flow Telemetry.
  2. Exporter Configuration: Use the Add Exporter button to configure a new NetFlow exporter with the following details:
    • Name: A unique identifier for the exporter.
    • Description: (Optional) Context or notes for the exporter’s usage.
    • IP Address: The IP address of the additional flow collector to which flow data will be sent.

Once configured, these exporters can be selected within each Virtual Edge Node’s (VEN) settings to direct the node’s flow telemetry data to the specified destination.

 

Assigning a Custom Netflow Exporter to a VEN

On the Virtual Edge Node configuration page, administrators can associate a VEN with a specific NetFlow exporter using a dropdown in the "Flow Telemetry" section. Each VEN can be linked to one custom exporter at a time, which will direct its flow telemetry data to the selected exporter.

 

Configuration Details and Considerations

  • Single Exporter Limitation: Each VEN can be linked to only one third-party NetFlow exporter.
  • Validation: IP address inputs are validated to reduce configuration errors.
  • Arista Compatibility: For VENs using Arista switches, only a single VE IP is supported as an exporter. When an Arista VEN is detected, the exporter selection is disabled on the configuration page.
  • Environment Variable: Application Visibility and Control (AVC) fields are added to the Elisity flow record by setting an environment variable on the parent Virtual Edge; see Example Flow Exporter Configurations below.

 

Example Flow Exporter Configurations

The following example shows the process of enabling a custom flow exporter, particularly when NetFlow configurations already exist on the switch.

Customer Flow Exporter Configuration Examples

Here is an example of a customer's Flow Monitor configuration before enabling Flow Telemetry for a Virtual Edge Node, if one exists. These NetFlow configs will be replaced by Elisity Flow Telemetry configurations by leveraging the secondary custom flow exporter discussed above.

 

With Flow Telemetry enabled for the VEN, Elisity's flow exporter is added to the switch configuration. The customer's existing netflow configuration (flow record, flow exporter, and flow monitor configuration) is retained, but is no longer referenced on any switchports and takes no effect, as these are overwritten by the Elisity Port Configurations. 

Note: The flow record ElisityNetFlowRecord configuration can be modified with a Virtual Edge environment variable to support Application Visibility and Control (AVC) with Flexible Netflow, which provides support for customers using NBAR. Enabling this environment variable on the Virtual Edge is covered in the next step.

Elisity Netflow Configuration with Retained Customer Netflow Config


 

Optionally, to add the environment variable that enables AVC FNF (NBAR support) to the parent Virtual Edge, follow these steps:

  1. Login to the Virtual Edge
  2. Run the command config settings
    • Running this command will show the current config file contents where all environment variables are stored.
    • You can also see the current config settings by running the command show settings.
  3. Enter the new contents for the config file. The variable to enable AVC configurations in the Elisity Flow Record config is:
    HAL_CISCO_NETFLOW_AVC=true

Important note: These contents will overwrite any existing configuration, so the current file content should be copied when adding the new variable before typing END. Clearing the current file content is accomplished by only entering END.
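Because config settings replaces the whole file with what you paste before END, the safe way to add a variable is to start from the current show settings output, apply the change, and paste the result. The helper below is an added example (not Elisity's code or CLI) that does exactly that for a KEY=VALUE settings file: it updates the variable if present, appends it otherwise, and leaves every other line in place. HAL_CISCO_NETFLOW_AVC comes from the page; the other variable names in the constructed sample are placeholders.

```python
"""Set a variable in a KEY=VALUE settings file without losing existing lines.

Added example, not Elisity's code. It assumes the settings file is plain
KEY=VALUE lines with optional '#' comments, as shown by `show settings`.
"""

# Constructed `show settings` output; only HAL_CISCO_NETFLOW_AVC is from the page.
CURRENT_SETTINGS = """\
# example settings file (constructed for this example)
EXAMPLE_VAR_ONE=keep-me
EXAMPLE_VAR_TWO=also-keep
"""


def parse_variables(contents):
    """KEY -> VALUE map of the non-comment lines, used for a before/after check."""
    result = {}
    for line in contents.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "=" in s:
            key, value = s.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def set_variable(contents, key, value):
    """Return contents with KEY=VALUE set: replace in place if the key exists,
    otherwise append. Comments, blank lines and other variables keep their order."""
    out, found = [], False
    for line in contents.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "=" in s and s.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}")  # overwrite the existing assignment
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_avc(contents):
    """Add HAL_CISCO_NETFLOW_AVC=true; idempotent and keeps every other variable."""
    return set_variable(contents, "HAL_CISCO_NETFLOW_AVC", "true")


if __name__ == "__main__":
    # Everything printed here (including the END terminator) is what you would
    # paste into `config settings`.
    print(enable_avc(CURRENT_SETTINGS) + "END")
```

Run it, compare the printed block against show settings to confirm nothing was dropped, then paste it. The same helper can set the variable back to false when the VE stops managing Catalyst 9000 switches.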

The environment variable HAL_CISCO_NETFLOW_AVC=true should only be used for Virtual Edges that are managing Cisco Catalyst 9000 series switches, as some of the fields added to the Elisity netflow configuration are not compatible with Catalyst 3000 series switches.

When adding this environment variable, the Elisity Netflow Configurations must be reapplied. It's recommended to disable Flow Telemetry in the VEN Port Configurations, add the environment variable to the parent Virtual Edge, wait 90 seconds, and re-enable Flow Telemetry on the VEN.

Again, you can confirm which environment variables are active by running the command

show settings

Elisity Netflow Configuration with AVC network variable enabled

The Elisity Netflow Configuration on your Virtual Edge will look like this after enabling the environment variable and reapplying the Netflow Port Configuration in Cloud Control Center.

 

If the AVC Environment Variable is enabled, the following fields are added to the configuration:


Matched fields added:

  • match ipv4 version
  • match application name
  • match connection client ipv4 address
  • match connection server ipv4 address
  • match connection server transport port
  • match flow observation point
  • match flow direction

Collected fields added:

  • collect flow direction
  • collect connection initiator
  • collect connection client counter packets long
  • collect connection client counter bytes network long
  • collect connection server counter packets long
  • collect connection server counter bytes network long
  • collect connection new-connections
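Two things worth verifying on the switch after the change above are that the ElisityNetFlowRecord really carries the AVC fields, and that the retained customer flow monitor is no longer applied to any switchport (so only the Elisity monitor and its exporters are actually sending flows). The script below is an added example, not Elisity's code: it parses the flow record, flow exporter, flow monitor and interface blocks of a Cisco IOS-XE running-config excerpt and reports exactly that. The record name ElisityNetFlowRecord is from the page; every other name, interface and IP address in the sample is constructed.

```python
"""Audit Cisco Flexible NetFlow blocks in a switch running-config.

Added example, not Elisity's code. The record name ElisityNetFlowRecord is from
the page; every other name and IP address here is constructed for the sample.
"""
import re

# Fields the page lists as added to the record when HAL_CISCO_NETFLOW_AVC=true.
AVC_FIELDS = [
    "match ipv4 version", "match application name",
    "match connection client ipv4 address", "match connection server ipv4 address",
    "match connection server transport port", "match flow observation point",
    "match flow direction", "collect flow direction", "collect connection initiator",
    "collect connection client counter packets long",
    "collect connection client counter bytes network long",
    "collect connection server counter packets long",
    "collect connection server counter bytes network long",
    "collect connection new-connections",
]

# Constructed running-config excerpt: a retained customer monitor that no port
# references any more, and an AVC-enabled record applied to one switchport.
SAMPLE_CONFIG = """\
flow record CustomerRecord
 match ipv4 source address
 collect counter bytes
!
flow record ElisityNetFlowRecord
 match ipv4 source address
{avc}
!
flow exporter CustomerExporter
 destination 192.0.2.50
!
flow exporter ExampleSecondaryExporter
 destination 192.0.2.60
!
flow monitor CustomerMonitor
 exporter CustomerExporter
 record CustomerRecord
!
flow monitor ExampleMonitor
 exporter ExampleSecondaryExporter
 record ElisityNetFlowRecord
!
interface GigabitEthernet1/0/1
 ip flow monitor ExampleMonitor input
!
""".format(avc="\n".join(" " + f for f in AVC_FIELDS))

BLOCK_RE = re.compile(r"^(flow record|flow exporter|flow monitor|interface) (\S+)$")


def parse_fnf(config):
    """Group each block's indented child lines under (block type, name)."""
    parsed = {"flow record": {}, "flow exporter": {}, "flow monitor": {}, "interface": {}}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":  # '!' terminates a block in IOS-XE output
            current = None
            continue
        match = BLOCK_RE.match(line)
        if match:
            current = (match.group(1), match.group(2))
            parsed[current[0]][current[1]] = []
        elif current and line.startswith(" "):
            parsed[current[0]][current[1]].append(line.strip())
    return parsed


def referenced_monitors(parsed):
    """Monitor name -> interfaces carrying 'ip flow monitor <name> input|output'."""
    refs = {name: [] for name in parsed["flow monitor"]}
    for iface, lines in parsed["interface"].items():
        for line in lines:
            parts = line.split()
            if len(parts) >= 4 and parts[:3] == ["ip", "flow", "monitor"]:
                refs.setdefault(parts[3], []).append(iface)
    return refs


def unreferenced_monitors(parsed):
    """Monitors still in the config but applied to no port (retained, inactive)."""
    return sorted(n for n, ifaces in referenced_monitors(parsed).items() if not ifaces)


def exporter_destinations(parsed):
    """Exporter name -> collector IP, to confirm where flows are actually sent."""
    return {name: line.split()[1] for name, lines in parsed["flow exporter"].items()
            for line in lines if line.startswith("destination ")}


def missing_avc_fields(parsed, record):
    """AVC fields from the page that the named flow record does not contain."""
    present = set(parsed["flow record"].get(record, []))
    return [f for f in AVC_FIELDS if f not in present]


if __name__ == "__main__":
    cfg = parse_fnf(SAMPLE_CONFIG)
    print("inactive monitors:", unreferenced_monitors(cfg))
    print("exporters:", exporter_destinations(cfg))
    print("AVC fields missing:", missing_avc_fields(cfg, "ElisityNetFlowRecord"))
```

Feed it the output of show running-config | section flow|interface from the VEN; an empty "AVC fields missing" list confirms the environment variable took effect, and the inactive-monitors list should contain only the retained customer monitor.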



 

 

Netflow Configuration with Custom Flow Exporter and AVC Variable enabled

This example shows Elisity's Netflow configuration enabled with a Secondary Flow Exporter added in Cloud Control Center. In this example, the customer's original netflow configuration has been retained but is inactive. The secondary flow exporter is handling the forwarding of traffic flows that were previously handled by the customer's original configuration. Elisity Flow Telemetry configurations overwrite any existing flow exporter configurations on switchports to use Elisity's flow monitor configuration.

 

This setup enables telemetry data from VENs to be exported to external systems as configured, supporting detailed traffic analysis and monitoring across third-party tools.
