Virtual Edge Deployment Guide (Virtual Edge 16.0-16.2) Switch Hosted

This article walks through the steps to onboard, configure, and manage a Switch Hosted Virtual Edge 16.0-16.2.

For information on how to use the Virtual Edge dashboard, see our VE/VEN management article.

This article walks through the steps to onboard, configure, and delete Virtual Edges in the Elisity Platform. Elisity Virtual Edge (Switch Hosted) is a docker container-based implementation of Elisity Microsegmentation software running on a Cisco Catalyst 9000 series switch by leveraging the switch’s integrated application hosting functionality.

As of today, all Cisco Catalyst 9300, 9300L and 9400 models support hosting the Elisity Virtual Edge container using Cisco Application Hosting. Cisco StackWise© switch stacking technology is also supported. Additional switch models will be supported in future releases. Please see the switch compatibility matrix for more details.

  • Switches running Elisity Virtual Edge must be equipped with a supported storage device such as the SSD-120G or C9400-SSD-240GB (M.2) module. Front panel USB and internal flash are not supported. Catalyst 9400 series switches require the installation of an M.2 SSD, which requires a switch reboot. See the document here for installation instructions and the document here for verification.
  • Catalyst IE3400 series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes.
  • All Catalyst 9000 series switches require DNA Advantage licensing. This requirement is not unique to the Elisity Virtual Edge container. It is a requirement imposed by Cisco on the application hosting environment within IOS-XE.
  • Virtual Edge 16.0+ requires a minimum of Cisco IOS 17.9.4 for application hosting.
  • All switches running Elisity Virtual Edge must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com.
  • If your switch is currently hosting another application such as ThousandEyes, please connect with your Elisity account team for assistance on appropriately assigning switch compute resources.

CATALYST 9400 SPECIFIC NOTE:
  • Catalyst 9400 series switches must have application hosting verification disabled by issuing the app-hosting verification disable command.
  • On Catalyst 9410 series switches, when using slot 4 of the 48-port linecard for application hosting, the port must be in the default shutdown mode. If slot 4 of the 48-port linecard is active, application hosting is rejected. If the linecard port is disabled, slot 4 of the 48-port linecard is marked as inactive. If slot 4 of the 48-port linecard is populated, the port 4/0/48 will not come up. If linecard 4 is empty or if it is a 24-port linecard, no ports are disabled. See this document for more information.
  • On Catalyst 9410 series switches, to enable the AppGigabitEthernet interface for application hosting, configure the enable command in interface configuration mode. See this document for more information.

The following chart describes the terminology used in this document.

Cloud Control Center: Elisity's cloud native and cloud delivered control, policy and management plane.
Virtual Edge: The Elisity software running as a Docker container on an access or aggregation switch that supports Application Hosting functionality.
Virtual Edge Node: An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.

Deploying Elisity Virtual Edge (Switch Hosted)

The Elisity Virtual Edge container has a single virtual interface used to communicate with Cloud Control Center as well as with Virtual Edge Nodes. In more detail, the Virtual Edge virtual interface is used to maintain a persistent control plane connection to Cloud Control Center in order to receive identity based policies as well as to send identity metadata and analytics to Cloud Control Center. This same interface is used to glean identity metadata, traffic analytics and other switch information from the Virtual Edge Nodes and to read the Catalyst configuration and configure security policies, traffic filters and other switch functions.

Elisity Virtual Edge supports a 1:1 and a 1:Many model. In other words, you can deploy a Virtual Edge on every access switch that supports application hosting functionality and onboard that same switch as a Virtual Edge Node, or you could deploy a Virtual Edge on an aggregation switch that supports application hosting functionality and onboard many access switches as Virtual Edge Nodes. The 1:Many model would be beneficial in the case where the access switches to onboard do not support application hosting, i.e., Catalyst 3850 or Catalyst 9200, but you could really onboard any supported switch. Both models are depicted below:

Initial Requirements Check

Step 1: To deploy Elisity Virtual Edge on a Catalyst 9000 series switch, first ensure that the switch is running a Network Advantage license with the DNA Advantage add-on. Check the current license level from privileged EXEC mode, then set it under global configuration mode:

! check the license level first
switch# show license summary

switch(config)# license boot level network-advantage addon dna-advantage


Step 2:
If the switch hosting the Virtual Edge container is also going to be onboarded as a Virtual Edge Node, you should either have a user account with privilege 15 configured or TACACS/RADIUS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the host switch. Execute the following command under global configuration mode if a local account is being used and is not already configured:

switch(config)# username <username> privilege 15 secret 0 <password>

Adding the Virtual Edge in Cloud Control Center


Step 3:
Log into Cloud Control Center and navigate to Virtual Edges > Add Virtual Edge. The drop down menu will give you the option to add a Single Virtual Edge or Add Multiple Virtual Edges. We will select "Add Single Virtual Edge." See our Virtual Edge Bulk Onboarding article to add multiple VEs.

Step 4: Select Switch Hosted for the Virtual Edge Type. If a radio button specifying the version exists, select Version 16.x. Fill out the required fields and select Add. Details about each field are provided in the chart below. These details can always be viewed and edited by selecting the more options icon to the right and selecting Edit/Download Virtual Edge Configuration.

NOTE: For the purposes of graceful migration to Virtual Edge 16.0+, only existing customers will have the option to deploy older Virtual Edge versions.

The following chart provides details about each required field.

IP Address: This is the IP assigned to the Virtual Edge container. This IP needs to be routable and must have access to reach Cloud Control Center. This IP also needs reachability to any Virtual Edge Node management interface you plan to onboard. The network for this IP can be configured locally on the application hosting switch or it can be configured on an aggregation switch upstream. This can be a new network or an existing network. This field is mandatory.
Gateway IP: This is the default gateway IP for the network described above. The default gateway for this IP can be configured locally on the application hosting switch or it can be configured on an aggregation switch upstream. This can be a default gateway IP from a new network or an existing network. This field is mandatory.
Host Name: This is the host name assigned to the Virtual Edge container. This will be used by Cloud Control Center when automating the generation of the application hosting configuration to be configured on the application hosting switch. This field is optional.
Domain Name Server (DNS): This is the DNS server IP to be used by the Virtual Edge container. This can be either a public or private DNS server. This will be used by Cloud Control Center when automating the generation of the application hosting configuration to be configured on the application hosting switch. To specify more than one DNS server, use a comma. You should list your private DNS first in your comma-separated list to ensure that hostname entries can be imported from your private DNS during device discovery.
Uplink VLAN: Here you should enter the VLAN info for the uplink interface, commonly the management VLAN for the switch.
Site Label: You can assign a pre-created Site Label to your Virtual Edge that is inherited by any associated Virtual Edge Node, or you can create a new Site Label on the spot. This allows you to filter and view assets and Virtual Edges using these Site Labels, and apply Policy Sets based on Site Label for selective policy distribution. See our VE/VEN management article for info on how to create and manage your Site Labels effectively.
Distribution Zone: Here you can assign the Virtual Edge to a pre-created Distribution Zone label for selective distribution of device to Policy Group mappings, or create a new DZ label and assign it to the VE immediately. See our VE/VEN management article for info on how to create and manage your Distribution Zone labels effectively.

Step 5: After clicking "Add" a configuration file will appear on the screen that is used to configure the VE Application on your Cisco App-hosting switch. THIS GENERATED CONFIG CONTAINS THE ONE TIME PASSWORD AND ALL CONFIGURATIONS NEEDED TO SUCCESSFULLY ONBOARD THE VIRTUAL EDGE. Copy this configuration to a secure note to be used later.

You can edit and view this configuration any time prior to onboarding the Virtual Edge if there was a misconfiguration or if you lose the configuration.

Step 6: After clicking "Add" you can also view the One Time Password (OTP) that is used when installing the Virtual Edge application on the hosting switch to register the Virtual Edge. There is no need to copy the OTP into the generated configuration file as it is automatically populated.

Installing the Virtual Edge Application

Step 7: Copy the Virtual Edge .tar file provided by Elisity to the application hosting switch's SSD, usually named usbflash1. Make sure to confirm your switch's USB flash storage name so that it is copied to the correct storage media. You can use any method you wish to transfer the file such as FTP, SCP, TFTP, HTTPS etc.

Note: On the Catalyst 9400 platform the SSD is named disk0: rather than usbflash1:

Step 8: Create the application by issuing the following commands, replacing the file name with the correct one for the installation.

iox
...wait 120 seconds

app-hosting install appid VE package usbflash1:<VE FILE NAME>


Once it completes the install the status should show Deployed:

switch#show app-hosting list
App id State
---------------------------------------------------------
VE DEPLOYED


Step 9: To add any optional environment variables, insert additional run-opts lines in the application config above. For example:

...
run-opts 5 "--env NETFLOW_MANAGER_SEPARATE_PROCESS=0"

Step 10: Activate and then start the application:

app-hosting activate appid VE
app-hosting start appid VE


Step 11: Confirm that the application was successfully started:

switch#show app-hosting list
App id State
---------------------------------------------------------
VE RUNNING
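As an added example that is not part of the original guide or Elisity's tooling, the following Python pre-flight checker parses pasted output of show version, show license summary and show app-hosting list and reports which requirements from the Initial Requirements Check (IOS-XE 17.9.4+, Network Advantage with DNA Advantage add-on) and from Step 11 (app VE in state RUNNING) are not met. The sample command outputs embedded below are constructed for the dry run, not captured from a real switch, and the version regex assumes the standard "Version X.Y.Z" wording in show version.

```python
import re

# Constructed sample outputs for a dry run; not captured from a real switch.
SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.04a\n"
SHOW_LICENSE = (
    "License Usage:\n"
    "  License             Entitlement Tag             Count Status\n"
    "  network-advantage   (C9300-48 Network Advan...)     1 IN USE\n"
    "  dna-advantage       (C9300-48 DNA Advantage)        1 IN USE\n"
)
SHOW_APP_LIST = "App id State\n" + "-" * 57 + "\nVE RUNNING\n"

MIN_IOSXE = (17, 9, 4)  # minimum IOS-XE for Virtual Edge 16.0+ app hosting


def parse_iosxe_version(show_version):
    """Return (major, minor, patch) parsed from 'show version', or None."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def license_in_use(show_license, name):
    """True if the named license row in 'show license summary' is IN USE."""
    pattern = rf"^\s*{re.escape(name)}\s.*\bIN USE\b"
    return re.search(pattern, show_license, re.M) is not None


def app_state(show_app_list, appid="VE"):
    """Return the State column for appid from 'show app-hosting list'."""
    m = re.search(rf"^{re.escape(appid)}\s+(\S+)\s*$", show_app_list, re.M)
    return m.group(1) if m else None


def preflight(show_version, show_license, show_app_list, expect_state="RUNNING"):
    """Collect every unmet requirement; an empty list means all checks pass."""
    problems = []
    v = parse_iosxe_version(show_version)
    if v is None or v < MIN_IOSXE:
        problems.append(f"IOS-XE {v} is below required {MIN_IOSXE}")
    for lic in ("network-advantage", "dna-advantage"):
        if not license_in_use(show_license, lic):
            problems.append(f"license {lic} not in use")
    state = app_state(show_app_list)
    if state != expect_state:
        problems.append(f"app VE state is {state}, expected {expect_state}")
    return problems


if __name__ == "__main__":
    for problem in preflight(SHOW_VERSION, SHOW_LICENSE, SHOW_APP_LIST):
        print("FAIL:", problem)
```

Pass expect_state="DEPLOYED" to run the same check right after Step 8, before the application is activated.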


Step 12: Log back into Cloud Control Center and verify that the Virtual Edge has successfully registered and shows online.


Step 13: If the switch hosting the Virtual Edge application is a member of a Cisco StackWise™ stack, force synchronization of the IOX folders by running the following commands:

no iox
... wait 60 seconds
iox

Changing Switch Hosted Virtual Edge Configuration

To change any switch hosted Virtual Edge configuration such as its IP address, DNS, or hostname follow the steps below.


Step 1: Log on to the switch hosting the Virtual Edge, then stop and deactivate the container.

app-hosting stop appid VE
app-hosting deactivate appid VE

Step 2: Edit the app-hosting configuration on the switch and don't forget to write mem.

Step 3: Re-activate and start the container.

app-hosting activate appid VE
app-hosting start appid VE

Deleting a Virtual Edge

Select the more options icon to the right of the Virtual Edge and then select Delete Virtual Edge.

NOTE: Before you can delete a Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be deleted. Follow the guide here to first decommission Virtual Edge Nodes attached to the Virtual Edge you are trying to decommission.

The delete action for the Virtual Edge will appear in the Cloud Control Center audit logs.
