Onboarding Arista 720XP as a Virtual Edge Node

This article summarizes how to onboard your Arista 720XP access layer switches as Virtual Edge Nodes for policy enforcement. This can only be done after deploying a Virtual Edge.

NOTE:

As of Cloud Control Center release 15.5, Arista support is in beta. Enhancements to Arista support will come in subsequent releases. Some limitations exist and are noted below:

  • The following 720XP models have been tested; similar models may also work:
    • CCS-720XP-48Y6-F
    • CCS-720XP-48ZC2-F
  • Minimum EOS code: 4.30.3M
  • Layer 4 policy is not supported; only the final policy action of Permit All or Deny All will take effect
  • Arista supports a maximum of 60 MSS Groups (Elisity Policy Groups) configured across all VRFs
  • Arista supports a maximum of 8000 IP to MSS-Group mappings
  • MSS Group and URPF feature interaction is not supported
  • Arista EAPI is leveraged for integration. A Z level Arista license is required for EAPI. 
  • ICMP cannot be collected during flow export
  • Arista can only support a single Flow Tracker, which cannot co-exist with a customer-configured Flow Tracker
  • Policy Logging is not supported
  • Traffic disruption during prefix and policy configuration is expected. Arista does not support atomicity during segment and prefix configuration.
  • Traffic to and from VLANs with no SVI configured is considered part of the default VRF and is subject to the policies defined in the default VRF.
  • ICMP and SSH must be allowed between the Virtual Edge and the Arista switch
  • The Arista management interface must be enabled to accept ICMP, SSH and HTTPS

Onboarding Steps 

Step 1: Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

ip routing
!
management api http-commands
   no shutdown
!
aaa authorization exec default local


Step 2: You should have either a local user account with privilege 15 or TACACS login configured to provide privilege 15 access. The Virtual Edge needs this to authenticate with the switch. If a local account is being used and is not already configured, execute the following command in global configuration mode:

switch(config)# username <username> privilege 15 secret <password>
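
As an added example (not Elisity's or Arista's code), the following Python checks captured EOS "show version" and "show running-config" text against the prerequisites from Step 1, Step 2 and the limitations list: minimum EOS 4.30.3M, ip routing, eAPI enabled, AAA exec authorization, and a privilege 15 user or TACACS. The sample outputs, hostname-free config, username and hash are constructed placeholders.

```python
import re

MIN_EOS = (4, 30, 3)  # minimum EOS release from the limitations list above (4.30.3M)

def eos_version(show_version: str):
    """Extract (major, minor, patch) from the 'Software image version:' line of 'show version'."""
    m = re.search(r"Software image version:\s*(\d+)\.(\d+)\.(\d+)", show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def section(config: str, header: str):
    """Return the indented child lines under a top-level EOS config header, or None if absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == header:
            body = []
            for nxt in lines[i + 1:]:
                if nxt and not nxt[0].isspace():  # next top-level line ends the block
                    break
                body.append(nxt.strip())
            return body
    return None

def readiness(show_version: str, running_config: str) -> dict:
    """Map each onboarding prerequisite to True/False so the gaps are visible before adding the VEN."""
    ver = eos_version(show_version)
    api = section(running_config, "management api http-commands")
    top_level = running_config.splitlines()
    priv15_user = re.search(r"^username \S+ privilege 15 ", running_config, re.M)
    return {
        "eos_min_4.30.3": ver is not None and ver >= MIN_EOS,
        "ip_routing": "ip routing" in top_level,
        "eapi_enabled": api is not None and "no shutdown" in api,
        "aaa_exec_local": "aaa authorization exec default local" in top_level,
        "priv15_user_or_tacacs": priv15_user is not None or "tacacs" in running_config,
    }

# Constructed sample output (not from a real switch); username and hash are placeholders.
SHOW_VERSION = "Arista CCS-720XP-48Y6-F\nSoftware image version: 4.30.3M\n"
RUNNING_CONFIG = """\
ip routing
management api http-commands
   no shutdown
!
aaa authorization exec default local
username venadmin privilege 15 secret sha512 <hash-placeholder>
"""

if __name__ == "__main__":
    for check, ok in readiness(SHOW_VERSION, RUNNING_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Any FAIL line names a prerequisite to fix before clicking Add, since a failed onboarding does not retry automatically.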

 

You can start onboarding Virtual Edge Nodes in two ways.

Method 1: Select your Virtual Edge and Add a VEN
Go to the Virtual Edge dashboard in Cloud Control Center, select the Virtual Edge you would like to use as the parent for the Virtual Edge Node you are about to onboard. 

After clicking on the VE, you can click on Add Virtual Edge Node and select Add Single Virtual Edge Node.

 

Method 2: Onboard VENs Directly from the Virtual Edge Node panel.

Select the Virtual Edge Node tab in the bottom menu, and select Add Virtual Edge Node then select Add Single Virtual Edge Node. Note that adding a VEN from this screen still requires you to select a Virtual Edge as a parent.

If creating a Virtual Edge Node from this screen, you will need to select the parent Virtual Edge. You can search for a VE, sort by site label, and apply custom filters to find the exact Virtual Edge you would like to onboard nodes to. 

After selecting a Virtual Edge, fill out the details for the Virtual Edge Node. The following list describes each required and optional field in the VEN onboarding workflow.

Switch Management IP

This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP address works as long as it is reachable from the previously deployed Virtual Edge container. This field is mandatory.

Description

This allows a user-defined description to be configured for the VEN. This field is optional.

**Enable Enhanced Endpoint Discovery

Selecting this option enables the active collection of identifying data for endpoints discovered behind a VEN, gleaned from access switch telemetry. This feature actively tracks assets for updates in identifying data. (Recommended)

This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

**Enable Flow Telemetry

Selecting this option enables the collection of flow data and network traffic analytics that are sent to Cloud Control Center. (Recommended)

This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

**Enable Passive Endpoint Discovery

Selecting this option enables the passive collection of identifying data using data plane telemetry about endpoints discovered behind a VEN. This is a global setting per VEN. (Recommended)

You can choose to enable this setting later by leaving this box unchecked.

Site Label

Site labels can be applied to Virtual Edge Nodes for policy distribution and for analytics purposes. Site labels are used to assign Virtual Edges and Virtual Edge Nodes to Policy Sets.

If this field is left blank, the site label from the parent Virtual Edge is inherited, if it exists.

Distribution Zone

Here we can select to inherit the Distribution Zone from the parent Virtual Edge, or we can assign a Distribution Zone manually. If you are unfamiliar with the concept of Distribution Zones, read here.

Switch Admin Username

If not using global admin credentials, this is the admin username of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. 

The username should be alphanumeric and may contain only the permitted special characters (_, +, \, /, -).

Switch Admin Password

If not using global admin credentials, this is the admin password of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This can either be local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory.

The password cannot contain whitespace.

**NOTE: If you would prefer to configure switchports manually, or to enable autoconfiguration at a later time, leave the three settings marked ** disabled during onboarding.


After filling out all the required fields, click Add. The Virtual Edge Node onboarding process will begin immediately.

NOTE:
If the switch fails to onboard as a VEN, it will not automatically retry. To resolve this, delete the VEN, make the necessary configuration adjustments, and attempt the onboarding process again.

 

Checking the Status of a VEN Onboarding

In the top right of your Cloud Control Center dashboard, you will see a notification icon. After beginning the VEN onboarding, a blue dot will indicate that the status of your VEN onboarding has an update.

Clicking on this icon will reveal the status of your VEN onboarding. As each step of the onboarding is completed successfully, that item is marked with a green check mark and a "Success" status.

If any errors are encountered during onboarding, a red error indicator will appear on that item with a brief description of the issue. In this case, we can surmise that the onboarding failed because the switch is unreachable. We then need to check for errors and confirm that our Virtual Edge Node can reach both CCC and our VE.

Once the onboarding is complete, your VEN will show green in Cloud Control Center and information about the switch is now visible such as hostname, switch model, number of discovered devices, and more. 

You are now ready to review port configurations for this VEN in the next step.

 

Port Configurations on Virtual Edge Nodes

Port configurations for endpoint discovery and analytics can be manually configured or automated based on the following logic.

Elisity offers the ability to automate the configuration of switch ports to selectively enable or disable the collection of device and analytics data. This automation is enabled during Virtual Edge Node onboarding, where administrators have the option to enable Enhanced Endpoint Discovery, Flow Telemetry, and Passive Endpoint Discovery. It is designed to enhance network security and operational efficiency by focusing on relevant data collection and minimizing unnecessary endpoint discovery and telemetry on specific ports. This prevents discovery and analytics of devices that are not in the scope of an organization's microsegmentation efforts, such as upstream networking equipment or daisy-chained access switch designs.


 

Endpoint Discovery and Telemetry Mechanisms

Enhanced Endpoint Discovery
Enhanced Endpoint Discovery is key for identifying and managing devices on your network. However, Elisity now provides the ability to automatically exclude certain port types (see Criteria for Automatic Configuration below) from this discovery process to optimize network performance and security. This is configured at the port level on each VEN.

Passive Endpoint Discovery
Passive Endpoint Discovery remains a global configuration within Elisity and is not subject to automatic enablement or disablement based on port types. This ensures consistent passive monitoring across the network. This is a global setting per VEN, but only collects data for devices discovered through one of the other mechanisms.

Flow Telemetry
Flow Telemetry, Elisity's equivalent of NetFlow, provides valuable insights into your network's traffic patterns. With automatic configuration, Flow Telemetry will be disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.

 

Criteria for Automatic Configuration

Elisity automatically disables Active Endpoint Discovery and Flow Telemetry on the following types of switch ports:

100Gig and 40Gig Interfaces

Due to their high capacity, these interfaces are typically used for backbone connections or high-traffic areas where endpoint discovery and flow telemetry are not desired. Commonly these interfaces are used as uplinks to other switching infrastructure.

AppGig Interfaces

These application-specific interfaces are excluded from automatic discovery to prioritize more critical network traffic and devices. These interfaces are not typically in scope for policy enforcement and discovery.


VLAN Interfaces & Port Channel Members

Switch Virtual Interfaces (SVIs) or interfaces that are a member of a Port Channel are also excluded from discovery to avoid redundancy and focus on individual device connectivity.

 

Utilizing CDP/LLDP for Uplink Detection
Elisity leverages CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) to identify switch and router uplinks. The system checks LLDP/CDP neighbors every 5 minutes and updates port configurations when the network topology changes, so that discovery and telemetry data stay accurate and up to date. If a switch or router is identified on the other end of a switchport, Endpoint Discovery and Telemetry are disabled on that port.

If a switchport meets any of these criteria, the per-port Endpoint Discovery and Telemetry mechanisms described above are disabled on that port.
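
As an added example (not Elisity's or Arista's code), the following Python models the automatic port configuration logic described in this section: SVIs, Port-Channel members, 40G/100G and AppGig interfaces, and ports whose CDP/LLDP neighbor is a switch or router are moved to the Disabled table. The interface inventory and the capability labels "Bridge" and "Router" are constructed assumptions, not values read from a real switch.

```python
from dataclasses import dataclass, field
from typing import List, Optional
INFRA_CAPABILITIES = {"Bridge", "Router"}  # assumed LLDP/CDP capability labels for switches/routers

@dataclass
class Port:
    name: str                           # EOS interface name, e.g. "Ethernet1"
    speed_gbps: int = 0                 # operational speed in Gbit/s
    port_channel: Optional[str] = None  # parent Port-Channel if this port is a member
    neighbors: List[List[str]] = field(default_factory=list)  # capabilities per LLDP/CDP neighbor

def exclusion_reason(port: Port) -> Optional[str]:
    """Return why discovery/telemetry is auto-disabled on this port, or None if it stays enabled."""
    if port.name.lower().startswith("vlan"):
        return "SVI"
    if port.port_channel:
        return f"member of {port.port_channel}"
    if port.speed_gbps in (40, 100):
        return f"{port.speed_gbps}G interface (uplink class)"
    if port.name.lower().startswith("appgig"):
        return "AppGig interface"
    for caps in port.neighbors:  # re-evaluated every 5 minutes as neighbors change
        if INFRA_CAPABILITIES & set(caps):
            return "CDP/LLDP neighbor is a switch or router"
    return None

def autoconfigure(ports: List[Port]):
    """Split ports into the Enabled list and a Disabled {port: reason} table, as automatic mode does."""
    enabled, disabled = [], {}
    for p in ports:
        reason = exclusion_reason(p)
        if reason:
            disabled[p.name] = reason
        else:
            enabled.append(p.name)
    return enabled, disabled

# Constructed inventory for a 720XP-style switch (not real device data).
SAMPLE_PORTS = [
    Port("Ethernet1", 1, neighbors=[["Station"]]),            # workstation advertising LLDP
    Port("Ethernet2", 1),                                     # printer, no LLDP/CDP
    Port("Ethernet3", 1, neighbors=[["Bridge", "Router"]]),   # daisy-chained access switch
    Port("Ethernet49/1", 100),                                # 100G uplink
    Port("Ethernet50/1", 25, port_channel="Port-Channel10"),  # port-channel member
    Port("Vlan100"),                                          # SVI
]

if __name__ == "__main__":
    on, off = autoconfigure(SAMPLE_PORTS)
    print("Enabled ports:", on)
    for name, why in off.items():
        print(f"Disabled {name:14} {why}")
```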

Modifying Port Configurations for a VEN

After onboarding, you can review the port configurations in Cloud Control Center for each port and modify them according to your network design and the scope of your microsegmentation efforts. If you chose to leave these options disabled during onboarding, now is the time to either enable autoconfiguration or manually configure each switchport for each setting.

To do this, select your VEN, navigate to Port Configurations, and click Edit Port Configuration. This will take you to the port configuration editor for all three settings, regardless of which port configuration setting you are currently viewing.

If you have not yet configured any port configurations, simply click on Add Port Configuration as seen below.

The port configuration editor is very straightforward. For each setting, you can globally enable or disable for the selected VEN. Just below the global setting, you can choose automatic or manual port configurations for the selected setting. For manual configuration, you can select specific ports or select all ports by clicking the top check box. After selecting ports, use the arrows between the two columns to move ports into the Disabled Ports or Enabled Ports tables. 

Selecting Automatic Configuration will overwrite any manually configured ports, and will disable the ability to select switchports for each table as this process will be handled according to the logic defined earlier in this article.


After reviewing these port configs and making any adjustments, click submit and your configurations will be immediately pushed to the VEN. Within 24 hours you should begin to see discovery data and analytics.


Decommissioning and Deleting a Virtual Edge Node

Step 1: Open the details view of your Virtual Edge Node and then select Decommission in the top right. The Virtual Edge Node status will say Decommissioned.

You can also decommission from the main VEN dashboard by clicking the three dots to the right and selecting Decommission Virtual Edge Node.


If you want to decommission multiple VENs simultaneously, select the VENs using the check boxes on the left and click Bulk Actions. Here you can perform various bulk actions such as Restart Restconf, Decommission, and Delete.

In any case, you will be presented with a confirmation request to finalize the decommission action with warnings or errors where applicable.



Step 2: Wait 60 seconds after decommissioning the Virtual Edge Node. Select the more options icon to the right of the Virtual Edge Node and then select Delete Virtual Edge Node. Refer to the previous image.
