Virtual Edge Deployment Guide (Virtual Edge 16.3+) Switch Hosted

This article walks through the steps to onboard, configure, and manage a Switch Hosted Virtual Edge 16.0+.

For information on how to use the Virtual Edge dashboard, see our VE/VEN management article.

This article walks through the steps to onboard, configure, and delete Virtual Edges in the Elisity Platform. Elisity Virtual Edge (Switch Hosted) is a docker container-based implementation of Elisity Microsegmentation software running on a Cisco Catalyst 9000 series switch by leveraging the switch’s integrated application hosting functionality.

As of today, all Cisco Catalyst 9300, 9300L and 9400 models support hosting the Elisity Virtual Edge container using Cisco Application Hosting. Cisco StackWise™ switch stacking technology is also supported. Additional switch models will be supported in future releases. Please see the switch compatibility matrix for more details.

  • Switches running Elisity Virtual Edge must be equipped with a supported storage device such as the SSD-120G or C9400-SSD-240GB (M.2) module. Front panel USB and internal flash are not supported. Catalyst 9400 series switches require the installation of an M.2 SSD, which requires a switch reboot. See the document here for installation instructions and the document here for verification.
  • Catalyst IE3400 series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes. 
  • All Catalyst 9000 series switches require DNA Advantage licensing. This requirement is not unique to the Elisity Virtual Edge container. It is a requirement imposed by Cisco on the application hosting environment within IOS-XE.
  • Virtual Edge 16.0+ requires a minimum of Cisco IOS 17.9.4 for application hosting. 
  • All switches running Elisity Virtual Edge must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com.
  • If your switch is currently hosting another application such as ThousandEyes, please connect with your Elisity account team for assistance on appropriately assigning switch compute resources. 

 

CATALYST 9400 SPECIFIC NOTE:
  • Catalyst 9400 series switches must have application hosting verification disabled by issuing the app-hosting verification disable command.  
  • Catalyst 9410 series switches: when using slot 4 of the 48-port linecard for application hosting, the port must be in the default shutdown mode. If slot 4 of the 48-port linecard is active, application hosting is rejected. If the linecard port is disabled, slot 4 of the 48-port linecard is marked as inactive. If slot 4 of the 48-port linecard is populated, port 4/0/48 will not come up. If linecard 4 is empty or if it is a 24-port linecard, no ports are disabled. See this document for more information.
  • Catalyst 9410 series switches: to enable the AppGigabitEthernet interface for application hosting, configure the enable command in interface configuration mode. See this document for more information.

The following chart describes the terminology used in this document:

  • Cloud Control Center: Elisity's cloud native and cloud delivered control, policy and management plane.
  • Virtual Edge: The Elisity software running as a docker container on an access or aggregation switch that supports Application Hosting functionality.
  • Virtual Edge Node: An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.

 

Deploying Elisity Virtual Edge (Switch Hosted)

The Elisity Virtual Edge container has a single virtual interface used to communicate with Cloud Control Center as well as with Virtual Edge Nodes. In more detail, the Virtual Edge virtual interface is used to maintain a persistent control plane connection to Cloud Control Center in order to receive identity based policies as well as to send identity metadata and analytics to Cloud Control Center. This same interface is used to glean identity metadata, traffic analytics and other switch information from the Virtual Edge Nodes and to read the Catalyst configuration and configure security policies, traffic filters and other switch functions. 

Elisity Virtual Edge supports a 1:1 and a 1:Many model. In other words, you can deploy a Virtual Edge on every access switch that supports application hosting functionality and onboard that same switch as a Virtual Edge Node, or you could deploy a Virtual Edge on an aggregation switch that supports application hosting functionality and onboard many access switches as Virtual Edge Nodes. The 1:Many model is beneficial when the access switches to onboard do not support application hosting, e.g. Catalyst 3850 or Catalyst 9200, but you can onboard any supported switch this way. Both models are depicted below:

 

Initial Requirements Check

Step 1: To deploy Elisity Virtual Edge on a Catalyst 9000 series switch first ensure that the switch is running a Network Advantage license with the DNA Advantage add-on. Execute the following commands under global configuration mode:

switch# show license summary
! check the license level first, then set it if needed
switch(config)# license boot level network-advantage addon dna-advantage


Step 2:
If the switch hosting the Virtual Edge container is also going to be onboarded as a Virtual Edge Node, you should either have a user account with privilege 15 configured or TACACS/RADIUS login configured to provide privilege 15 level access. This is needed for the Virtual Edge to authenticate with the host switch. Execute the following command under global configuration mode if a local account is being used and is not already configured:

switch(config)# username <username> privilege 15 secret 0 <password>

 

Adding the Virtual Edge in Cloud Control Center

In Cloud Control Center 16.3 with Virtual Edge Groups enabled, the process of deploying Virtual Edges has been updated.

See this article for more information on Virtual Edge Groups.


Step 3 - Add Virtual Edge

 Log into Cloud Control Center and navigate to Virtual Edges > Add Virtual Edge. Virtual Edge Groups are not supported for switch-hosted deployments. Select Standalone Virtual Edges and click +Add Virtual Edge.

 

Step 4: Configure Virtual Edge Deployment via the Wizard

The Virtual Edge deployment wizard guides you through four steps for deployment:

  • Virtual Edge Type
    Select whether the Virtual Edge is hosted on a switch, hypervisor, or cloud platform.
  • Virtual Edge Configuration
    Provide essential network and system details for the Virtual Edge.
  • Site Label and Distribution Zone (if applicable)
    Assign optional labels for easier management.
  • Summary
    Review all selections before deployment.

 

Step 4.1: Select Virtual Edge Type

On the Virtual Edge Type screen, choose Switch Hosted. If prompted, select Version 16.x.


Click Next to proceed.

Important Note
For a graceful migration to Virtual Edge 16.x, only existing customers will have the option to deploy older Virtual Edge 15.x versions.

Step 4.2: Configure Virtual Edge

Enter the required configuration details in the Virtual Edge Configuration step:

IP Address: This is the IP assigned to the Virtual Edge container. This IP needs to be routable and must have access to reach Cloud Control Center. This IP also needs reachability to any Virtual Edge Node management interface you plan to onboard. The network for this IP can be configured locally on the application hosting switch or it can be configured on an aggregation switch upstream. This can be a new network or an existing network. This field is mandatory.
Gateway IP: This is the default gateway IP for the network described above. The default gateway for this IP can be configured locally on the application hosting switch or it can be configured on an aggregation switch upstream. This can be a default gateway IP from a new network or an existing network. This field is mandatory.
Host Name: This is the host name assigned to the Virtual Edge container. This will be used by Cloud Control Center when automating the generation of the application hosting configuration to be configured on the application hosting switch. This field is optional.
Domain Name Server (DNS): This is the DNS server IP to be used by the Virtual Edge container. This can be either a public or private DNS server. This will be used by Cloud Control Center when automating the generation of the application hosting configuration to be configured on the application hosting switch. To specify more than one DNS server, separate them with a comma. You should list your private DNS first in your comma-separated list to ensure that hostname entries can be imported from your private DNS during device discovery.
Uplink VLAN: Here you should enter the VLAN info for the uplink interface, commonly the management VLAN for the switch.


Click Next to proceed.

 

Step 4.3: Assign Site Label and Distribution Zone (If Applicable)

This step may be skipped if your Virtual Edge is part of a Virtual Edge Group, as these attributes are inherited.

If applicable, assign:

Site Label: You can assign a pre-created Site Label to your Virtual Edge that is inherited by any associated Virtual Edge Node, or you can create a new Site Label on the spot. This allows you to filter and view assets and Virtual Edges using these Site Labels, and apply Policy Sets based on Site Label for selective policy distribution. See our VE/VEN management article for info on how to create and manage your Site Labels effectively.
Distribution Zone: Here you can assign the Virtual Edge to a pre-created Distribution Zone label for selective distribution of device to Policy Group mappings, or create a new DZ label and assign it to the VE immediately. See our VE/VEN management article for info on how to create and manage your Distribution Zone labels effectively.


Click Next to proceed.

 

Step 4.4: Review & Deploy

The Summary screen displays all selected configurations. Review your settings, make any changes if necessary, and click Finish to deploy the Virtual Edge.

Once deployed, you can modify these settings prior to onboarding the Virtual Edge by selecting the Edit option from the Virtual Edge management interface. Certain options such as Site Label, Distribution Zone, Hostname, and Description can be modified even after the Virtual Edge has been onboarded.

 

Step 5: Copying the VE Configuration

After clicking "Add" a configuration file will appear on the screen that is used to configure the VE Application on your Cisco App-hosting switch. This generated config contains the one-time password and all configurations needed to successfully onboard the Virtual Edge. 

Copy the configuration above to a secure note to be used later during the configuration of the application on the switch. 

You can edit and view this configuration any time prior to onboarding the Virtual Edge if there was a misconfiguration or if you lose the configuration by clicking EDIT in the Virtual Edge details view.

After clicking "Add" you can also view the One Time Password (OTP) that is used when installing the Virtual Edge application on the hosting switch to register the Virtual Edge. There is no need to copy the OTP into the generated configuration file as it is automatically populated.

Downloading and Installing the Virtual Edge Application

Step 6: Download the Virtual Edge Package

Download the Virtual Edge Package for Switch Hosted deployment model by going to the Virtual Edge dashboard in Cloud Control Center and clicking the DOWNLOAD SOFTWARE button in the top right of the Virtual Edges pane.

 

Select the appropriate version of the Virtual Edge package from the list, typically the latest available release that has been deployed in your environment. 

 

Step 7: Transfer the Virtual Edge Package to Flash

Copy the Virtual Edge .tar file downloaded or provided by Elisity to the application hosting switch's SSD usually named usbflash1. Make sure to confirm your switch's USB flash storage name so that it is copied to the correct storage media. You can use any method you wish to transfer the file such as FTP, SCP, TFTP, HTTPS etc.

Note: On the Catalyst 9400 platform the SSD is named disk0: rather than usbflash1:

Step 8: Install the Virtual Edge Package

Create the application by issuing the following commands, replacing the file name with the correct one for the installation. 

iox
...wait 120 seconds

app-hosting install appid VE package usbflash1:<VE FILE NAME>

Once it completes the install the status should show Deployed:

switch#show app-hosting list
App id State
---------------------------------------------------------
VE DEPLOYED

 

Step 9: Configure the Virtual Edge Application

Paste the switch configuration generated in Step 5 in the switch CLI from global configuration mode. This is the configuration required for the Virtual Edge application to reach Cloud Control Center.

 

Step 10 (Optional): Add Environment Variables to the Configuration

To add any optional environment variables, insert additional run-opts lines in the application config above.
For example:

...
run-opts 5 "--env NETFLOW_MANAGER_SEPARATE_PROCESS=0"

These environment variables can be configured for each Virtual Edge from Cloud Control Center with the help of your Elisity SE or CX Engineer at a later time. For questions on environment variables and what purpose they serve, reach out to your Elisity engineer.

Step 11: Activate and then start the application

Run the following commands to activate and start the application after configurations have been written to switch memory.

app-hosting activate appid VE
app-hosting start appid VE

 

Step 12: Confirm that the application was successfully started

Run the following command to check the status of the Virtual Edge application. We expect to see the status <APPID> RUNNING

switch#show app-hosting list
App id State
---------------------------------------------------------
VE RUNNING
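The prerequisite checks listed at the top of this guide (IOS-XE 17.9.4 minimum, DNA Advantage licensing) and the status checks in Steps 8 and 12 can be automated by parsing the relevant show command output. The following is an added example (not Elisity's own tooling); the three command outputs embedded in it are constructed for illustration and the functions accept the real text of the same commands.

```python
# Pre-flight checks for a switch-hosted Virtual Edge, parsed from IOS-XE CLI output.
# The three command outputs below are constructed for this example, not captured
# from a real switch; feed the real text of the same commands into the functions.
import re

SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.04a\n"
SHOW_LICENSE_SUMMARY = """License Usage:
  License            Entitlement Tag                Count Status
  ---------------------------------------------------------------
  network-advantage  (C9300-48 Network Advantage)       1 IN USE
  dna-advantage      (C9300-48 DNA Advantage)           1 IN USE
"""
SHOW_APP_HOSTING_LIST = """App id                                   State
---------------------------------------------------------
VE                                       RUNNING
"""
MIN_IOS_FOR_VE = (17, 9, 4)  # the guide's minimum for Virtual Edge 16.0+

def parse_ios_version(show_version):
    """Return (major, minor, patch) from the first 'Version x.y.z' in show version."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("no IOS-XE version string found")
    return tuple(int(x) for x in m.groups())

def dna_advantage_in_use(show_license):
    """True if the dna-advantage add-on is listed with status IN USE."""
    return any(re.match(r"\s*dna-advantage\b.*\bIN USE\s*$", ln)
               for ln in show_license.splitlines())

def app_state(show_app_hosting, appid="VE"):
    """Return the State column for appid from show app-hosting list, or None."""
    for ln in show_app_hosting.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[0] == appid:
            return parts[1]
    return None

def ve_preflight(show_version, show_license, show_app_hosting, appid="VE"):
    """Collect prerequisite findings for one switch; an empty list means ready."""
    findings = []
    ver = parse_ios_version(show_version)
    if ver < MIN_IOS_FOR_VE:
        findings.append("IOS-XE %d.%d.%d is below 17.9.4" % ver)
    if not dna_advantage_in_use(show_license):
        findings.append("DNA Advantage license is not in use")
    state = app_state(show_app_hosting, appid)
    if state != "RUNNING":
        findings.append("app %s state is %s, expected RUNNING" % (appid, state))
    return findings
```

Run ve_preflight against the output of Step 8 (before activation) and it reports the DEPLOYED state; after Step 11 the same call should return an empty list.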

 

Step 13: Check Registration Status in Cloud Control Center

Log back into Cloud Control Center and verify that the Virtual Edge has successfully registered and shows online.

 

Step 14: Additional Steps

If the switch hosting the Virtual Edge application is a member of a Cisco StackWise™ stack, force synchronization of the IOX folders by running the following commands:

no iox
... wait 60 seconds
iox

 

Changing Switch Hosted Virtual Edge Configuration

You can replace or modify the Virtual Edge configuration on the switch without needing to reinstall the Virtual Edge package. This is useful in specific circumstances - perhaps you made an error in the VE configuration and didn't realize until after deployment, or you want to reuse a Virtual Edge container for another Virtual Edge. You can create a new Virtual Edge in Cloud Control Center, generate a new VE configuration, and apply it to the VE container following these steps:

 

Step 1: Log on to the switch hosting the Virtual Edge then stop and deactivate the container

app-hosting stop appid VE
app-hosting deactivate appid VE

 

Step 2: Replace the App-Hosting Config on the switch

config t
no app-hosting appid VE
<copy VE config from CCC here>


Step 3: Re-activate and start the container.

app-hosting activate appid VE
app-hosting start appid VE

Note: If in Step 2 you modify the VE config instead of replacing it, those changes will not be reflected in Cloud Control Center.

Deleting a Virtual Edge

Step 1. Select the more options icon to the right of the Virtual Edge and then select Delete Virtual Edge

 

NOTE: Before you can delete a Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be deleted. Follow the guide here to first decommission Virtual Edge Nodes attached to the Virtual Edge you are trying to decommission.
The delete action for the Virtual Edge will appear in the Cloud Control Center audit logs.