Onboarding Arista Switches as Virtual Edge Nodes

This article summarizes how to onboard your Arista access layer switches as Virtual Edge Nodes for policy enforcement. This can only be done after deploying a Virtual Edge.

Prerequisites

Before onboarding Arista switches as Virtual Edge Nodes with Elisity, the following requirements must be met:

Supported Switch Platforms

Many switches in the 720XP and 7050X lines have been validated, and many other models are supportable.

Please refer to the Hardware Compatibility Matrix for the complete list of validated and supportable switch models and minimum recommended code versions.

Licensing Requirements

  • EOS V2 add-on license – Required for MSS policy enforcement
  • Z-level EOS license – Required to enable eAPI access for switch onboarding and policy orchestration

Platform Limits and Capabilities

  • MSS Group scale varies by platform:
    • CCS and 7050 series: Up to 60 groups
    • DCS-7280R3: Limited to 15 groups
  • Maximum 8000 IP-to-MSS Group mappings per switch
  • Only one Flow Tracker is supported per device and must be reserved for Elisity
  • ICMP traffic is not exported and cannot be used for flow analytics
  • Policy Logging and Mirroring actions are not supported on most platforms
  • Traffic disruption is expected during prefix or policy configuration due to the lack of atomic commit

Connectivity Requirements

  • uRPF must be disabled – This feature is not compatible with MSS Group tagging
  • VLANs without an SVI are treated as part of the default VRF and are subject to the default VRF's policy set
  • ICMP and SSH must be allowed between each Arista switch and its associated Virtual Edge
  • The switch management interface must accept ICMP, SSH, and HTTPS to enable onboarding and API-driven configuration

Use the primary IP address of the switch's management interface. Do not use VRRP virtual IP addresses or any secondary IP address. Using a non-primary or virtual address will result in onboarding errors and unexpected Virtual Edge Node behavior.

Direction                           Required Traffic
Virtual Edge to Virtual Edge Node   SSH (TCP/22)
Virtual Edge Node to Virtual Edge   ERSPAN (GRE/UDP 4754), IPFIX Flow Data (UDP/9996)

Onboarding Steps

Make sure the access switches you wish to onboard with the newly deployed Virtual Edge have the following commands configured.

ip routing

aaa authorization exec default local

You should either have a user account with privilege 15 configured or TACACS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the switch. Execute the following command under global configuration mode if a local account is being used and is not already configured:

switch(config)# username <username> privilege 15 secret <password>
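Before starting the wizard, a quick audit of the running-config catches the prerequisites above. The following Python script is an added example, not Elisity tooling: it parses a constructed EOS-style config, checks the two global commands and the privilege 15 local user, flags uRPF on any interface (the `ip verify unicast` syntax and the Management1 interface name are assumptions), confirms that the IP you intend to enter is the primary management address rather than a secondary or VRRP virtual address, and applies the username and password character rules given under Switch Credentials later in this article.

```python
"""Pre-onboarding audit of an Arista EOS running-config (added example, not
Elisity tooling). Checks the global commands, the privilege 15 local user, uRPF per
interface, that the intended management IP is the primary address (not secondary
or VRRP), and the username/password character rules from the Switch Credentials
field. Assumed: EOS uRPF syntax 'ip verify unicast ...' and interface Management1.
"""
import re

SAMPLE_CONFIG = """\
hostname lab-access-01
ip routing
aaa authorization exec default local
username venadmin privilege 15 secret sha512 $6$placeholder
interface Management1
   ip address 192.0.2.10/24
   ip address 192.0.2.11/24 secondary
interface Ethernet1
   no switchport
   ip address 198.51.100.1/30
   ip verify unicast source reachable-via rx
interface Vlan10
   ip address 10.10.10.1/24
   vrrp 10 ipv4 10.10.10.254
"""  # constructed sample, not taken from a real device

REQUIRED_GLOBALS = ("ip routing", "aaa authorization exec default local")
PRIV15_USER = re.compile(r"^username \S+ privilege 15 ")
IP_ADDR = re.compile(r"^ip address (\S+?)(?:/\d+)?( secondary)?$")
VRRP_VIP = re.compile(r"^vrrp \d+ ipv4 (\S+)$")
URPF = re.compile(r"^ip verify unicast")            # assumed EOS uRPF syntax
USERNAME_OK = re.compile(r"^[A-Za-z0-9_+\\/\-]+$")  # letters, digits, _ + \ / -


def parse_config(text):
    """Split an EOS-style config into global lines and per-interface sub-blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:                               # any other top-level line ends the block
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_config(text, mgmt_ip, mgmt_intf="Management1"):
    """Return a list of findings; an empty list means the switch is ready to onboard."""
    global_lines, interfaces = parse_config(text)
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBALS if c not in global_lines]
    if not any(PRIV15_USER.match(g) for g in global_lines):
        findings.append("no local privilege 15 user (or provide privilege 15 via TACACS)")
    primaries, secondaries = [], []
    for name, lines in interfaces.items():
        for line in lines:
            if URPF.match(line):
                findings.append(f"{name}: uRPF enabled; incompatible with MSS Group tagging")
            vip = VRRP_VIP.match(line)
            if vip and vip.group(1) == mgmt_ip:
                findings.append(f"{name}: {mgmt_ip} is a VRRP virtual address")
            addr = IP_ADDR.match(line)
            if addr and name == mgmt_intf:
                (secondaries if addr.group(2) else primaries).append(addr.group(1))
    if mgmt_ip in secondaries:
        findings.append(f"{mgmt_intf}: {mgmt_ip} is a secondary address; primary is {primaries}")
    elif mgmt_ip not in primaries:
        findings.append(f"{mgmt_intf}: {mgmt_ip} is not the primary address of the management interface")
    return findings


def validate_credentials(username, password):
    """Apply the character rules the onboarding wizard enforces on credentials."""
    problems = []
    if not USERNAME_OK.match(username):
        problems.append("username may contain only letters, digits and _ + \\ / -")
    if not password or re.search(r"\s", password):
        problems.append("password must be non-empty and contain no whitespace")
    return problems
```

Run `audit_config(SAMPLE_CONFIG, "192.0.2.10")` against the sample to see the single uRPF finding on Ethernet1; passing the secondary or VRRP address instead adds the corresponding management-IP finding.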

 

Adding Virtual Edge Nodes in Cloud Control Center

Select the Virtual Edge Node tab in the bottom menu, select Add Virtual Edge Node, and then select Add Single Virtual Edge Node. Note that adding a VEN from this screen requires you to select a Virtual Edge or VE Group as a parent.

When deploying new Virtual Edge Nodes, you can select standalone Virtual Edges or VE Groups to manage the Nodes you are onboarding. Click + Add Virtual Edge Node as normal.

Virtual Edge Node Deployment Wizard

After clicking the Add Single Virtual Edge Node option, you will begin the Virtual Edge Node Deployment Wizard.

Step 1 - Choose a Virtual Edge

First, a selection pane appears with options for selecting a VE Group, Standalone VE, Switch-hosted VE, or Cloud-hosted VE (i.e., Juniper VE) for managing the VEN or VENs that you are deploying. Note that Standalone Virtual Edges are not currently supported when onboarding multiple VENs.

Step 2 - Choose the Virtual Edge Node Type

After selecting your VE or VE Group and clicking save, you will be directed to select the Virtual Edge Type. Select Switch as the Virtual Edge Node type. See the following guides for onboarding Palo Alto Firewalls or Panorama, and Onboarding Wireless LAN controllers.

Step 3 - Virtual Edge Node Configuration

Provide basic configurations for the switch in this section.

Switch Management IP
  This is the management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement. This IP must be reachable by the previously deployed Virtual Edge container. Use only the primary IP address of the switch's management interface. Do not use HSRP, VRRP, GLBP, or any secondary/virtual IP address.

Description
  This allows a user-defined description to be configured for the VEN. This field is optional.

Switch Credentials
  Administrators can use Global Credentials to securely store and reuse switch credential sets for deployments. Global credentials can be created on the fly during VEN onboarding with the appropriate permissions, or created centrally in Settings > Global Credentials here.

  Username: If not using global credentials, the admin username of the switch you wish to onboard as a Virtual Edge Node can be either local or TACACS/RADIUS. Privilege 15 is required. This field is mandatory. The username should be alphanumeric and may contain only the permitted special characters (_, +, \, /, -).

  Password: If not using global credentials, the admin password of the switch you wish to onboard as a Virtual Edge Node can be either local or TACACS/RADIUS. Privilege 15 is required. The password cannot contain whitespace. This field is mandatory.

Less commonly used Advanced Settings are available in the dropdown menu. 

The following chart provides details about each field in this step.

Enable Endpoint Discovery
  Selecting this option enables the active collection of identifying data for endpoints discovered behind a VEN, gleaned from access switch telemetry. This feature actively tracks assets for updates in identifying data. (Recommended)

  This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

Enable Flow Telemetry
  Selecting this option enables the collection of flow data and network traffic analytics that are sent to Cloud Control Center. (Recommended)

  This setting is autoconfigured per switchport if enabled during this onboarding. You can choose to enable autoconfiguration or manually configure after onboarding by leaving this box unchecked. The logic for this autoconfiguration is discussed later in this article.

  If the switch is already leveraging AVC FNF configuration via DNAC, please contact your Elisity technical contact before enabling this feature.

Enable Policy Enforcement
  When enabled, the Virtual Edge Node receives configuration to support policy enforcement, including IP and tag mappings, policy ACLs, CTS commands, and SXP peering. This setting is enabled by default during onboarding.

  Disable this option to remove policy enforcement configuration from the VEN. When disabled, no policy elements are programmed on the switch, allowing the VEN to operate in a discovery-only mode. The Virtual Edge Node must be decommissioned before policy enforcement can be disabled.

  This setting is mutually exclusive with Enable SXP Peer-Only Mode. Only one of these options can be active at a time.

Enable SXP Peer-Only Mode
  Configure this Virtual Edge Node to function only as an SXP peer for identity exchange, without CTS enablement or policy enforcement. When enabled, the Virtual Edge only programs the required SXP peer statement on the switch. No other CTS commands are added or removed during normal operation.

  This setting is disabled by default and is intended for environments where the switch is already peering with ISE through SXP and only requires identity-based IP-to-SGT mappings from Elisity. Disabling SXP Peer-Only Mode does not automatically remove the existing SXP configuration; it must be manually removed from the device.

  This setting is only applied for Cisco Switch and Cisco WLC Virtual Edge Node types.

  This setting is mutually exclusive with Enable Policy Enforcement. Only one of these options can be active at a time.

Enable Aggregation Role
  Enables the Virtual Edge Node to act as an aggregation role for any downstream Cisco IOS switches which will be leveraged as Visibility-Only Virtual Edge Nodes. This includes the automatic discovery of compatible downstream switches for device visibility and enrichment functionality which are presented in Cloud Control Center for adoption.

Enable NAT Support
  Enables the configuration of an inside and outside management IP for NAT Support. Read the Virtual Edge Node NAT Support article to learn more about this configuration.

Select Exporter
  Custom flow exporters allow organizations to integrate Elisity's flow telemetry with existing network monitoring solutions. For customers who already rely on third-party tools for network analytics and traffic visibility, this feature provides a way to direct flow data from Virtual Edge Nodes (VENs) to an external monitoring system. Read here for more information on configuring flow exporters for Virtual Edge Nodes.

NOTE: If you would prefer to manually configure switchport configurations, or enable autoconfiguration at a later time, leave the Endpoint Discovery and Flow Telemetry settings disabled.

Step 4 - Site Label and Distribution Zone

In this step, you can choose to inherit the Site Label and Distribution Zone from the parent Virtual Edge, or assign a Site Label and Distribution Zone directly to each individual Virtual Edge Node. Virtual Edge Nodes managed by a single Virtual Edge can belong to different Distribution Zones with different Site Labels. You can also structure your VE/VEN relationships so that you never have to assign a Site Label or Distribution Zone to a switch. This depends primarily on how you structure your Virtual Edges and which switches they manage.

Site Label
  Site labels can be applied to Virtual Edge Nodes for policy distribution and for analytics purposes. Site labels are used to assign Virtual Edges and Virtual Edge Nodes to Policy Sets. Read more about Site Labels and Policy Sets here.

Distribution Zone
  Here we can select to inherit the Distribution Zone from the parent Virtual Edge, or we can assign an Access Distribution Zone or create an Isolated Distribution Zone. For more information on creating and assigning Access/Isolated DZs or to learn about DZs as a concept, click on one of the following links.

Creating and Assigning Distribution Zones to Virtual Edge Nodes

Click here to learn more about Distribution Zones

Step 5 - Review the Summary

After filling out all the required fields, click Next to go to the summary page. Here you can review and edit all configurations made in the wizard. Clicking Edit on any section takes you back to that section, where you can modify the configuration. Once you have reviewed the configuration summary, click Finish. The Virtual Edge Node onboarding process begins immediately.

NOTE:
If the switch fails to onboard as a VEN, it will not automatically retry. To resolve this, delete the VEN, make the necessary configuration adjustments, and attempt the onboarding process again.

Creating and Assigning Access Distribution Zones

When deploying or editing a Virtual Edge Node, you can assign an Access Distribution Zone directly to the node for granular control over tag distribution and policy enforcement. This assignment occurs in the Site Label and Distribution Zone step of the onboarding workflow.

If a Site Label is inherited from the parent Virtual Edge, the DZ assignment can also be inherited. To override this, select Access or Core Distribution Zone under the Distribution Zone section.

Choose from available Access DZs tied to the selected or inherited Site Label. To create a new DZ inline, click + Create Distribution Zone.

First, select the Distribution Zone type and fill out the following fields:

Core Type Distribution Zone

Distribution Zone Name
  This is the name of the Distribution Zone being created. The name should be unique and descriptive, typically representing a site, business unit, or function (e.g., "DAL-MFG" for a Dallas-based manufacturing site).
Import Group Tags From All Zones
  Toggle which enables the import of Group Tags from ALL Distribution Zones - this includes all current DZs and any DZs created in the future.
Import Group Tags From Specific Zones
  If the above toggle is DISABLED, allows the selection of specific Distribution Zones to import.
Distribution Zone Limit
  Specifies the maximum number of devices that the Distribution Zone should support.
  • Default value: 9000 devices (configurable).
  • This limit is used for notification purposes only and does not enforce a hard restriction.
Description (Optional)
  Allows administrators to enter additional context about the Distribution Zone. Can include details such as site location, purpose, or any relevant notes (e.g., "Manufacturing Site in Dallas"). Maximum character limit: 255 characters.
Enable Intelligent Tag Distribution (ITD)
  Toggle to enable Intelligent Tag Distribution within the new Distribution Zone. Learn more about Intelligent Tag Distribution here.

Access Type Distribution Zone

Distribution Zone Name
  This is the name of the Distribution Zone being created. The name should be unique and descriptive, typically representing a site, business unit, or function (e.g., "IND-DZ3" for a Distribution Zone associated with a large site IND).
Distribution Zone Limit
  Specifies the maximum number of devices that the Distribution Zone should support.
  • Default value: 9000 devices (configurable).
  • This limit is used for notification purposes only and does not enforce a hard restriction.
Description (Optional)
  Allows administrators to enter additional context about the Distribution Zone. Can include details such as site location, purpose, or any relevant notes (e.g., "Manufacturing Site in Dallas"). Maximum character limit: 255 characters.
Enable Intelligent Tag Distribution (ITD)
  Toggle to enable Intelligent Tag Distribution within the new Distribution Zone. Learn more about Intelligent Tag Distribution here.

After clicking Create, the new Access DZ will automatically populate the selection field and be assigned to the node upon completion of onboarding.

You may also assign or create a DZ for an existing Virtual Edge Node by navigating to Virtual Edge Nodes, selecting Edit Virtual Edge Node from the Actions menu, and repeating the same process.

Any changes made during the edit flow are applied immediately upon saving. Distribution Zones assigned directly to a VEN will override inherited group-level assignments.

Note: For details on Distribution Zones, the various types and how they function, and how best to utilize them, see the Distribution Zones article.

Creating and Assigning Isolated Distribution Zones

Isolated Distribution Zones (IDZs) are assigned only to Virtual Edge Nodes and are strictly tied to a specific Site Label. They are used to enforce policy within environments that contain overlapping IP address spaces by preventing IP-to-Policy Group mapping propagation outside the zone.

This workflow can be accessed during the onboarding of a new Virtual Edge Node or by editing an existing one.

Select Site Label and Distribution Zone Type

Within the Site Label and Distribution Zone step of the deployment wizard, begin by selecting a Site Label:

  • Inherit from VE or
  • Assign Manually

Next, choose Isolated Distribution Zone under the Distribution Zone options.

The list of available Isolated DZs is filtered based on the selected Site Label. You can also see the list of associated Virtual Edge Nodes by clicking the drop-down arrow.

Create a New Isolated Distribution Zone

If no suitable IDZ exists for the selected Site Label, click Create Isolated Distribution Zone.

  • The name of the new IDZ is automatically generated using the format: SITE-IDZ# (e.g., IND-idz2).
  • No additional fields are required to configure an IDZ.

After creation, the new IDZ appears in the list and can be immediately selected.

Editing a Virtual Edge Node to Assign an Isolated Distribution Zone

To update the Distribution Zone assignment after initial deployment:

  1. Navigate to the Virtual Edge Nodes tab.
  2. From the Actions menu for the desired VEN, click Edit Virtual Edge Node.
  3. You will be returned to the same Site Label and Distribution Zone step of the wizard.

Changes can now be made to assign or create an IDZ.

Additional Notes

  • Isolated DZs do not participate in ITD (Intelligent Tag Distribution).
  • Policy enforcement is restricted to devices within the same Isolated DZ.
  • The selected Site Label determines which Isolated DZs are visible and where new ones can be created.

For more information on Distribution Zone types and behavior, see the Distribution Zones article.

Checking the Status of a VEN Onboarding

In the top right of your Cloud Control Center dashboard, you will see a notification icon. After beginning the VEN onboarding, a blue dot will indicate that the status of your VEN onboarding has an update.

Clicking on this icon will reveal the status of your VEN onboarding. As each step of the onboarding is completed successfully, that item is marked with a green check mark and a "Success" status.

If any errors are encountered during onboarding, a red error indicator appears on that item with a brief description of the issue. In this case, we can surmise that the onboarding failed because the switch is unreachable. We then need to check for errors and confirm that our Virtual Edge Node can reach both CCC and our VE.

Once the onboarding is complete, your VEN will show green in Cloud Control Center and information about the switch is now visible, such as hostname, switch model, number of discovered devices, and more.

Port Configurations on Virtual Edge Nodes

Port configurations define how each switch port on a Virtual Edge Node (VEN) participates in Endpoint Discovery and Flow Telemetry. These configurations control where Elisity collects device identity and traffic flow data and ensure that discovery and telemetry are applied only to the appropriate interfaces within the access layer.

By default, Elisity applies Automatic configuration to all switch ports. In this mode, Elisity evaluates each port using discovery protocol data, interface type, and topology to determine whether the port should be included in device discovery and traffic analytics collection. This classification process is described in detail in the Criteria for Automatic Port Configuration section.

Automatic configuration ensures that Endpoint Discovery and Flow Telemetry operate only where appropriate. Enabling these features on NNI interfaces - such as uplinks, distribution links, or management ports - can result in the discovery of upstream infrastructure devices and the collection of unrelated traffic flows. Elisity’s automatic port evaluation prevents these conditions by disabling discovery and telemetry on NNI interfaces while maintaining visibility on UNI interfaces.

Administrators can change any port from Automatic to Manual configuration at any time to explicitly enable or disable Endpoint Discovery and Flow Telemetry for that specific port. Manual configuration is typically used in environments where certain interfaces require behavior different from Elisity’s automatic classification logic. Ports can also be switched back to Automatic configuration if Elisity should resume management of their behavior.

During onboarding, the checkboxes for Endpoint Discovery and Flow Telemetry enable or disable each feature globally for the VEN. These global toggles determine whether Elisity activates each feature at the VEN level and for all applicable switchports; they do not change how ports are classified or configured. The same global enable and disable controls are available later from the Port Configuration view in Cloud Control Center. For step-by-step instructions on editing port configurations after onboarding, including switching between Automatic and Manual configuration modes, see Modifying Port Configurations for a VEN.

 

Endpoint Discovery and Flow Telemetry

Endpoint Discovery leverages embedded switch functionality to learn and track devices connected to the switch directly or through a trunk to a downstream switch. With automatic configuration, Endpoint Discovery is disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.

Flow Telemetry (Cisco Netflow or equivalent per vendor) provides valuable insights into your network's traffic patterns. With automatic configuration, Flow Telemetry will be disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.

 

Existing Flow Telemetry Configurations 

In order to gather flow telemetry from infrastructure, Elisity configures flow exporters on switches with the Virtual Edge as the destination for flow telemetry, and configures switch interfaces with the Elisity-generated flow configuration.

In some customer environments, flow exporter configurations may already exist both in the global configuration and on each applicable interface. In these scenarios, the existing flow exporter and interface configurations are not removed by Elisity. They will not be overwritten and will remain until the customer removes them manually or via the hardware configuration platform.

The Elisity Flow Exporter global configuration is programmed successfully by the Virtual Edge in most cases and can coexist with any customer-configured flow exporters. The VE attempts to apply the Flow Telemetry port configuration to interfaces at a regular interval; however, it cannot program the interface configuration until the existing flow configuration on that interface has been removed.

For Flow Telemetry to be enabled, Elisity must own the primary flow configuration on each interface where the feature is enabled. You can replace existing flow configurations by using a custom flow exporter, which sends all flow data to a second recipient alongside the Virtual Edge. This is configured in Cloud Control Center and can be set per onboarded Virtual Edge Node. Read this article for details on how custom secondary flow exporters are configured on Cisco, as an example.

Criteria for Automatic Port Configuration

Elisity leverages Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP), along with a set of rules based on interface types and network topology, to classify switch ports as either User Network Interfaces (UNI) or Network-to-Network Interfaces (NNI). This classification determines where Endpoint Discovery and Flow Telemetry are enabled, ensuring accurate network visibility while preventing redundant data collection.

UNI and NNI Port Detection and Endpoint Discovery Configuration

By default, all ports are classified as UNI unless they meet NNI criteria. Elisity evaluates multiple factors, including CDP/LLDP neighbor data, VRF configurations, port descriptions, and interface types, to make this determination.

A port is classified as NNI if:

  • It has a CDP/LLDP neighbor that is identified as a router, switch (bridge for LLDP), or IGMP device. Exceptions include WLANs and Hosts, which remain classified as UNI.
  • Its interface name contains keywords such as Router, Firewall, or NNI.
  • It is listed as an interface in any VRF instance.
  • It is administratively down.
  • It is not a switchport.
  • It is a Stackwise Virtual Link.
  • For Port-Channel interfaces: If any of its member interfaces meet NNI criteria, the Port-Channel itself is classified as NNI. However, member interfaces are ignored for Endpoint Discovery.

Ports that do not meet any of the above conditions remain classified as UNI, meaning Endpoint Discovery is enabled to track directly connected devices.

Flow Telemetry Configuration

Flow Telemetry is configured differently from Endpoint Discovery. Unlike Endpoint Discovery, which is disabled on Port-Channel interfaces and their members, Flow Telemetry is enabled on individual Port-Channel members for more granular traffic visibility.

Flow Telemetry is disabled on:

  • VLAN, AP, LOOP, TUNNEL, and CHANNEL interfaces.
  • Management interfaces such as GigabitEthernet0/0 (most models) and TenGigabitEthernet0/1 (Cisco 9600).
  • Stackwise Virtual Links.
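The rules above can be exercised offline before relying on the automatic classification. The following Python is an added example, not Elisity's code: it re-implements the UNI/NNI rules and the Endpoint Discovery and Flow Telemetry decisions over constructed port records, covering the Port-Channel and WLAN-neighbor edge cases; the interface type names (CHANNEL mapped to port-channel) and treating Management1 as a management interface are assumptions.

```python
"""Offline model of the automatic port classification in this article (added
example, not Elisity's code). NNI if any rule matches; Endpoint Discovery only on
UNI ports that are not a Port-Channel or one of its members; Flow Telemetry on UNI
ports other than VLAN/AP/LOOP/TUNNEL/CHANNEL, management and SVL interfaces, with
Port-Channel members judged individually. Assumed: CHANNEL means port-channel and
Management1 counts as a management interface alongside the Cisco names above.
"""
import re
from dataclasses import dataclass

NNI_CAPS = {"router", "switch", "bridge", "igmp"}      # CDP/LLDP capabilities of infrastructure
UNI_EXCEPTIONS = {"wlan", "host"}                       # neighbours that keep the port UNI
NNI_KEYWORD = re.compile(r"\b(router|firewall|nni)\b", re.IGNORECASE)
NO_FLOW_KINDS = {"vlan", "ap", "loopback", "tunnel", "port-channel"}
MGMT_INTERFACES = {"GigabitEthernet0/0", "TenGigabitEthernet0/1", "Management1"}


@dataclass
class Port:
    name: str
    kind: str = "ethernet"        # ethernet | vlan | ap | loopback | tunnel | port-channel
    description: str = ""
    admin_up: bool = True
    switchport: bool = True
    in_vrf: bool = False          # listed as an interface in any VRF instance
    svl: bool = False             # Stackwise Virtual Link
    neighbor_caps: frozenset = frozenset()   # capabilities learned via CDP/LLDP
    members: tuple = ()           # member interface names, port-channels only


def nni_reason(port, ports):
    """Return the first NNI rule the port matches, or None if it stays UNI."""
    caps = {c.lower() for c in port.neighbor_caps}
    if caps & NNI_CAPS and not caps & UNI_EXCEPTIONS:
        return "CDP/LLDP neighbour is a router, switch or IGMP device"
    if NNI_KEYWORD.search(port.description):
        return "description contains an NNI keyword"
    if port.in_vrf:
        return "listed in a VRF instance"
    if not port.admin_up:
        return "administratively down"
    if not port.switchport:
        return "not a switchport"
    if port.svl:
        return "Stackwise Virtual Link"
    if port.kind == "port-channel":
        for m in port.members:
            if m in ports and nni_reason(ports[m], ports):
                return f"member {m} meets NNI criteria"
    return None


def classify(ports):
    """Map each port name to its role and the two per-feature decisions."""
    members_of = {m: pc.name for pc in ports.values() for m in pc.members}
    result = {}
    for p in ports.values():
        reason = nni_reason(p, ports)
        is_uni = reason is None
        discovery = is_uni and p.kind != "port-channel" and p.name not in members_of
        telemetry = is_uni and p.kind not in NO_FLOW_KINDS and p.name not in MGMT_INTERFACES
        result[p.name] = {"role": "UNI" if is_uni else "NNI",
                          "reason": reason or "no NNI rule matched",
                          "endpoint_discovery": discovery,
                          "flow_telemetry": telemetry}
    return result


# Constructed sample ports, not taken from a real switch.
SAMPLE_PORTS = {p.name: p for p in [
    Port("Ethernet1", description="Uplink to core", neighbor_caps=frozenset({"bridge", "router"})),
    Port("Ethernet2", description="Printer room 2B"),
    Port("Ethernet3", description="Scanning AP", neighbor_caps=frozenset({"bridge", "wlan"})),
    Port("Ethernet4", description="FIREWALL-dmz"),
    Port("Ethernet7"),
    Port("Ethernet8", neighbor_caps=frozenset({"switch"})),
    Port("Port-Channel1", kind="port-channel", members=("Ethernet7", "Ethernet8")),
    Port("Vlan10", kind="vlan", switchport=False),
]}

if __name__ == "__main__":
    for name, d in classify(SAMPLE_PORTS).items():
        print(f"{name:14} {d['role']}  discovery={d['endpoint_discovery']!s:5} "
              f"telemetry={d['flow_telemetry']!s:5}  ({d['reason']})")
```

Note how Ethernet3 stays UNI despite advertising the bridge capability because the WLAN exception applies, and how Ethernet7 keeps Flow Telemetry but loses Endpoint Discovery purely because it is a Port-Channel member.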

CDP/LLDP for Uplink Detection

Elisity periodically scans CDP/LLDP neighbor tables to detect topology changes. If a port connects to another switch or router, Endpoint Discovery and Flow Telemetry are automatically disabled to prevent redundant infrastructure visibility. These updates occur every five minutes, ensuring configurations remain accurate as the network evolves.

 

Configuring Interface Auto-Detection Using Description Keywords

You can configure UNI and NNI port rules directly for Virtual Edges in the Cloud Control Center by entering keywords that describe each port type.

  1. Select Virtual Edges > Settings > Advanced Settings.
  2. Toggle Enable Discovery and Telemetry and enter keywords to designate the port as UNI.
  3. Toggle Disable Discovery and Telemetry and enter keywords to designate the port as NNI.
  4. Click Save Changes.

Note: If system-level environment variables for UNI and NNI are set, they will override any configuration entered through the Settings page. Check with your Elisity engineer for any configured environment variables in your environment if you are having issues with this feature.

 

Modifying Port Configurations for a VEN

After onboarding, you can review the port configuration of each port in Cloud Control Center and modify it according to your network design and the scope of your microsegmentation effort. If you left Endpoint Discovery and Flow Telemetry disabled during onboarding, now is the time to either enable autoconfiguration or manually configure each switchport for each setting.

To modify port configurations, select your VEN and navigate to Port Configurations by clicking the more options button on the right.

 

Click Edit Configuration. This will take you to the port configuration editor.

 

If you have not yet configured any port configurations, you must first enable Endpoint Discovery or Flow Telemetry before configuring auto or manual configurations per port.

The configurations will not be pushed to infrastructure until you select Save Changes, so there is no risk in pushing configurations to undesired ports.

The port configuration editor is straightforward. Select the configuration type per interface: Automatic or Manual. If you choose Manual, select Enabled or Disabled. If you choose Automatic (the default), the automatically determined port configuration is displayed in its place and cannot be changed unless the configuration type is changed.

Important Note: Enabling Endpoint Discovery and Flow Telemetry is not supported for Layer 3 interfaces. If using manual port configuration, known L3 interfaces should have Endpoint Discovery and Flow Telemetry disabled.

After reviewing these port configs and making any adjustments, click Submit and your configurations will be immediately pushed to the VEN.

Decommissioning and Deleting a Virtual Edge Node

Decommissioning a VEN takes the enforcement point out of service by removing the configurations from the switch, but retains the configuration in Cloud Control Center so that you can easily put the VEN back in service with a single click.

Open the details view of your Virtual Edge Node and then select Decommission in the top right. The Virtual Edge Node status will say Decommissioned.

You can also decommission from the main VEN dashboard by clicking the three dots to the right and selecting Decommission Virtual Edge Node.

If you want to decommission multiple VENs simultaneously, select the VENs using the check boxes on the left and click Bulk Actions. Here you can perform bulk actions such as Restart Restconf, Decommission, and Delete.

In any case, you will be presented with a confirmation request to finalize the decommission action with warnings or errors where applicable.

After decommissioning, the Activity Panel will show the status of the decommission process. The Activity Panel is accessible through the notification icon in the top right corner of Cloud Control Center.

After completing the decommission process, you can delete the VENs from Cloud Control Center or leave them decommissioned for easy recommissioning at a later time. Clicking the more options button in the Actions column to the right of a VEN shows the Delete and Recommission options for that VEN. These options are also available in the Bulk Actions menu shown earlier. Deleting a VEN requires no further action.

Virtual Edge Nodes are recommissioned in the same way that they are decommissioned. Recommissioning a VEN also provides status feedback in the Activity Panel for tracking the step-by-step recommissioning process.
