Virtual Edge Deployment Guide (Virtual Edge 16.0-16.2) Hypervisor Hosted

This article walks through the steps to onboard, configure, and manage a Hypervisor Hosted Virtual Edge 16.0-16.2.

For information on how to use the Virtual Edge dashboard, see our VE/VEN management article.

As of today, you can onboard all Cisco Catalyst 3850/3650, Catalyst 9000 series switches and Catalyst IE3400 series switches as Virtual Edge Nodes for policy enforcement using Elisity Virtual Edge VM. Cisco StackWise© switch stacking technology is also supported. Additional switch models will be supported in future releases. Please see the switch compatibility matrix for more details. 

NOTE:

The recommended requirements to run Virtual Edge VM on a hypervisor

  • VMware ESXi 7.x or later. VMware vCenter is supported.
  • 4 vCPU (with hyper-threading)
  • 4 GB RAM
  • 40 GB Storage
  • 1 x Virtual Network Adapter 

NOTE:

  • Catalyst IE3400 series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes. 
  • Catalyst IE3400 switches require a Cisco SD Card (P/N SD-IE-4GB)
  • All Catalyst 9000 series switches require DNA Advantage licensing. This requirement is not unique to the Elisity Virtual Edge container. It is a requirement imposed by Cisco on the application hosting environment within IOS-XE.
  • The Elisity Virtual Edge VM has been developed to work with switches running these minimum IOS versions. While it may work with earlier versions of IOS-XE we cannot guarantee that it will operate correctly.
  • All switches being onboarded must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com. 
  • It is recommended to use a static IP when addressing the Virtual Edge interface. If the IP address field is left blank, DHCP will be used instead and you must create a static DHCP entry in your DHCP server configuration.

The following chart describes the terminology used in this document.

Cloud Control Center: Elisity's cloud-native, cloud-delivered control, policy and management plane.
Virtual Edge VM: The Elisity software running as a Docker container on a hypervisor such as VMware ESXi.
Virtual Edge Node: An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.


Deploying Elisity Virtual Edge VM (Hypervisor Hosted)

The Elisity Virtual Edge VM has a single virtual interface used to communicate with Cloud Control Center as well as with Virtual Edge Nodes. In more detail, the Virtual Edge VM virtual interface is used to maintain a persistent control plane connection to Cloud Control Center in order to receive identity based policies as well as to send identity metadata and analytics to Cloud Control Center. This same interface is used to glean identity metadata, traffic analytics and other switch information from the Virtual Edge Nodes and to read the Catalyst configuration and configure security policies, traffic filters and other switch functions. 

Elisity Virtual Edge VM allows you to onboard any type of switch on the compatibility matrix as Virtual Edge Nodes for policy enforcement. The Virtual Edge VM model is depicted below:

Deploying the OVA


Step 1. To deploy Elisity Virtual Edge VM on a hypervisor you will need to acquire the Virtual Edge VM OVA file from your Elisity SE. In this example we will be using VMware ESXi, but the steps are identical for VMware vCenter. Once you have the OVA, log into your ESXi instance and select Create / Register VM.

Step 2. Select Deploy a Virtual Machine from an OVF or OVA file and then select Next.




Step 3. Enter the name for the virtual machine and upload the OVA and select Next.




Step 4. Select the VM Datastore you wish to use as persistent storage for the VM and select Next.




Step 5. Select the Uplink Port Group that provides the correct access for the Virtual Edge VM to reach the internet as well as the access switches to be onboarded as Virtual Edge Nodes for policy enforcement. Select the Disk Provisioning option of your choice and ensure Power on automatically is enabled. 

Step 6. Optionally configure a static IP Address, Netmask, Gateway and DNS server. If left blank, DHCP will be used instead and you must create a static DHCP entry for this appliance in your DHCP server configuration. Set the NTP server and root password, then click Next.

Step 7. If everything looks good select Finish and wait for the OVA to complete the deployment.

Make sure to enable Autostart so that the Virtual Edge VM starts up automatically after ESXi boots up.


Step 8. Select Console and then select Open Console in new window.




Configuring the VM


Step 9. Log into the Virtual Edge VM using the root credentials set during the OVA deployment.





Step 10. If static network settings were not configured during the initial OVA deployment, DHCP will be used and you should create a static DHCP entry for this appliance in your DHCP server configuration. Confirm the IP address configured on the VM, and ensure it can resolve domain names and has access to the internet.

ifconfig
ping google.com

To change the network settings of the VM post deployment, you can follow the standard Linux method found here.

NOTE: Currently we do not support changing the IP address of the Virtual Edge after it has been registered with Cloud Control Center. Please redeploy the Virtual Edge if you want to make an IP address change.

Step 11. SSH into the Virtual Edge VM using an SSH client of your choice so that it is easier to copy and paste variables into the command line. 

Adding the Virtual Edge in Cloud Control Center

In Cloud Control Center 16.1 with Virtual Edge Groups enabled, the process of deploying Virtual Edges has been updated to enhance Virtual Edge manageability.

See this article for more information on Virtual Edge Groups.


Step 12. Log into Cloud Control Center and navigate to Virtual Edges > Add Virtual Edge. To onboard a new VE to a VE Group, select the appropriate VE Group in the left menu pane and click +Add Virtual Edge.

Note: This workflow also applies to deploying Standalone Virtual Edges, just select "Standalone Virtual Edges" from the left pane instead of selecting a VE Group. This is similar to the traditional deployment method that existing customers are familiar with.


Step 13. Select the Virtual Edge Type of Hypervisor Hosted and fill out all the required fields. Importantly, select a previously created Virtual Edge Group, which contains the Site Label and Distribution Zone assignments. If deploying a Standalone VE, you can assign a Site Label and Distribution Zone at this point.



NOTE: For the purposes of graceful migration to Virtual Edge 16.0+, only existing customers will have the option to deploy older Virtual Edge versions.

The following chart provides details about each required field.

Virtual Edge Group: Assign the Virtual Edge to a pre-configured group, allowing it to inherit Site Labels and Distribution Zones automatically. VE Groups streamline the deployment process by managing multiple VEs together.

IP Address: This is the IP assigned to the Virtual Edge VM. This IP needs to be routable and must have access to reach Cloud Control Center. This IP also needs reachability to any Virtual Edge Node management interface you plan to onboard. This IP address must match what was configured on the Virtual Edge VM during deployment. This can be a new network or an existing network. This field is mandatory.

Host Name: This is the host name assigned to the Virtual Edge VM. This is the name you will see in Cloud Control Center.

Description: Description of the Virtual Edge for Cloud Control Center display.

Site Label (Standalone VE): You can assign a pre-created Site Label to your Virtual Edge that is inherited by any associated Virtual Edge Node, or you can create a new Site Label on the spot. This allows you to filter and view assets and Virtual Edges using these Site Labels, and apply Policy Sets based on Site Label for selective policy distribution. See our VE/VEN management article for info on how to create and manage your Site Labels effectively.

Distribution Zone (Standalone VE): Here you can assign the Virtual Edge to a pre-created Distribution Zone label for selective distribution of device to Policy Group mappings, or create a new DZ label and assign it to the VE immediately. See our VE/VEN management article for info on how to create and manage your Distribution Zone labels effectively.


Step 14. After clicking Add, the Virtual Edge will be provisioned in Cloud Control Center and a One Time Password (OTP) will be generated. 

Select the newly provisioned Virtual Edge and copy the One Time Password (OTP) under the Additional Information section to your clipboard. You must first click SHOW CREDENTIALS to copy the OTP credentials. You can regenerate these credentials after the Virtual Edge has connected to Cloud Control Center.

Step 15 (optional). While not typically required, in some scenarios you may want to adjust the Virtual Edge Environment Variables prior to registration with Cloud Control Center. This can be done by first editing the file /etc/init.d/bootstrap_ve and then prepending the bootstrap_ve init command with the environment variables. 

*** /etc/init.d/bootstrap_ve file contents ***

#!/sbin/openrc-run
# OpenRC service script that supervises the Virtual Edge bootstrap daemon.

# Specify dependencies (other services that need to start before this one)
depend() {
    need localmount
    after firewall
}

# Command variables
command="bootstrap_ve"
command_args=""
pidfile="/var/run/bootstrap_ve.pid"
directory="/root"

# Environment variables inherited by bootstrap_ve when the service starts
export REBOOT_ON_UPDATE="true"
export HAL_TTP_ENABLED="true"
export NETFLOW_MANAGER_TTP_ENABLED="true"
export VEN_STATE_TTP_ENABLED="true"

# Start function
start() {
    ebegin "Starting bootstrap_ve"
    start-stop-daemon --start --background --make-pidfile --pidfile "$pidfile" --exec "$command" --chdir "$directory" -- --exec-dir /root/ start
    eend $?
}

# Stop function
stop() {
    ebegin "Stopping bootstrap_ve"
    start-stop-daemon --stop --chdir "$directory" --exec "$command" --pidfile "$pidfile"
    eend $?
}

# Status function: the service is running if the pidfile exists and its PID is alive
status() {
    ebegin "Checking status of ${command}"
    if [ -f "${pidfile}" ] && kill -0 "$(cat "${pidfile}")" 2>/dev/null; then
        echo "${command} is running"
        return 0
    else
        echo "${command} is not running"
        return 1
    fi
}

Step 16. Initiate the Virtual Edge bootstrap process by issuing the following command.

bootstrap_ve init

If additional Environment Variables were set in the /etc/init.d/bootstrap_ve file then prepend them to the bootstrap_ve init command.

REBOOT_ON_UPDATE="true" HAL_TTP_ENABLED="true" bootstrap_ve init

If adding new environment variables after a Virtual Edge has already been provisioned, edit the /etc/init.d/bootstrap_ve file and reboot the VM. 
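The prefix on the bootstrap_ve init command has to mirror the export lines in /etc/init.d/bootstrap_ve, otherwise the first registration and every later reboot run with different settings. The helper below is an added example (not part of the Elisity guide or product): it extracts every export NAME="value" line from a copy of that init file and prints the matching prefixed command, so the two cannot drift apart. The sample file contents are constructed here; the real file must be read on the VM.

```shell
#!/bin/sh
# Added example, not from the Elisity guide: derive the environment-variable
# prefix for `bootstrap_ve init` from the export lines of an OpenRC init file.

# Print one NAME="value" pair per line for each `export NAME="value"` line.
# Only the double-quoted export form used in /etc/init.d/bootstrap_ve is
# recognised; commented-out exports and other lines are ignored.
ve_env_pairs() {
    init_file="$1"
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)=\("[^"]*"\)[[:space:]]*$/\1=\2/p' "$init_file"
}

# Build the complete command line: all pairs, space separated, then the command.
# With no exports in the file this degrades to plain `bootstrap_ve init`.
ve_bootstrap_cmd() {
    prefix=$(ve_env_pairs "$1" | tr '\n' ' ')
    printf '%sbootstrap_ve init\n' "$prefix"
}

# Constructed sample mirroring the layout shown in the guide (not the real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="bootstrap_ve"
export REBOOT_ON_UPDATE="true"
export HAL_TTP_ENABLED="true"
  export VEN_STATE_TTP_ENABLED="true"
# export DISABLED_FLAG="false"
EOF

# Prints: REBOOT_ON_UPDATE="true" HAL_TTP_ENABLED="true" VEN_STATE_TTP_ENABLED="true" bootstrap_ve init
ve_bootstrap_cmd "$sample"
rm -f "$sample"
```

Run it against the actual file with ve_bootstrap_cmd /etc/init.d/bootstrap_ve and compare the output with the command you are about to type.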

Enter the URL of Cloud Control Center, provide the OTP, and select "Y" to all prompts that follow. 

Within a couple of seconds, the Virtual Edge will register with Cloud Control Center and show a status of Online.

Now you can onboard your existing access switches as Elisity Virtual Edge Nodes for policy enforcement by following this guide. 

Deleting a Virtual Edge

Step 1. Select the more options icon to the right of the Virtual Edge and then select Delete Virtual Edge.

NOTE: Before you can delete a Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be deleted. Follow the guide here to first decommission the Virtual Edge Nodes attached to the Virtual Edge you are trying to decommission.

The delete action for the Virtual Edge will appear in the Cloud Control Center audit logs.


Step 2. After the Virtual Edge has been deleted in Cloud Control Center, you can delete the VM on your hypervisor.
