Virtual Edge Deployment Guide Hypervisor Hosted

This article walks through the steps to onboard, configure, and manage a Hypervisor Hosted Virtual Edge 16.0+.

For information on how to use the Virtual Edge dashboard, see our VE/VEN management article.

 

As of today, you can onboard all Cisco Catalyst 3850/3650, Catalyst 9000 series switches and Catalyst IE3400 series switches as Virtual Edge Nodes for policy enforcement using Elisity Virtual Edge VM. Cisco StackWise© switch stacking technology is also supported. Additional switch models will be supported in future releases. Please see the switch compatibility matrix for more details. 

 

NOTE:

The recommended requirements to run the Virtual Edge VM on a hypervisor are:

  • VMware ESXi 7.x or later. VMware vCenter is supported.
  • 4 vCPU (with hyper-threading)
  • 4 GB RAM
  • 40 GB Storage
  • 1 x Virtual Network Adapter 

NOTE:

  • Catalyst IE3400 series switches require a minimum of IPBase licensing to be onboarded as Virtual Edge Nodes. 
  • Catalyst IE3400 switches require a Cisco SD Card (P/N SD-IE-4GB)
  • All Catalyst 9000 series switches require DNA Advantage licensing. This requirement is not unique to the Elisity Virtual Edge container. It is a requirement imposed by Cisco on the application hosting environment within IOS-XE.
  • The Elisity Virtual Edge VM has been developed to work with switches running these minimum IOS versions. While it may work with earlier versions of IOS-XE we cannot guarantee that it will operate correctly.
  • All switches being onboarded must have their clocks synchronized with the Active Directory server so that attachment events are displayed accurately. You can use your own NTP server or a public one such as time.google.com. 
  • It is mandatory to configure a reachable NTP server on all deployed Virtual Edges. 
  • It is recommended to use a static IP when addressing the Virtual Edge interface. If the IP address field is left blank, DHCP will be used instead and you must create a static DHCP entry in your DHCP server configuration.

Be sure to review the Connectivity Requirements (VE 16.x) article before moving forward with deploying a Virtual Edge.

The following chart describes the terminology used in this document:

Cloud Control Center: Elisity's cloud native and cloud delivered control, policy and management plane.
Virtual Edge VM: The Elisity software running as a Docker container on a hypervisor such as VMware ESXi.
Virtual Edge Node: An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.


Deploying Elisity Virtual Edge VM (Hypervisor Hosted)

The Elisity Virtual Edge VM has a single virtual interface used to communicate with Cloud Control Center as well as with Virtual Edge Nodes. In more detail, the Virtual Edge VM virtual interface is used to maintain a persistent control plane connection to Cloud Control Center in order to receive identity based policies as well as to send identity metadata and analytics to Cloud Control Center. This same interface is used to glean identity metadata, traffic analytics and other switch information from the Virtual Edge Nodes and to read the Catalyst configuration and configure security policies, traffic filters and other switch functions. 

Elisity Virtual Edge VM allows you to onboard any type of switch on the compatibility matrix as Virtual Edge Nodes for policy enforcement. The Virtual Edge VM model is depicted below:

 

Downloading and Deploying the OVA

Download the Virtual Edge Package for Switch Hosted deployment model by going to the Virtual Edge dashboard in Cloud Control Center and clicking the DOWNLOAD SOFTWARE button in the top right of the Virtual Edges pane.

 

Select the appropriate version of the Virtual Edge package from the list, typically the latest available release that has been deployed in your environment. 

 


Step 1. To deploy the Elisity Virtual Edge VM on a hypervisor, you will first need to download the OVA or acquire the Virtual Edge VM OVA file from your Elisity SE. In this example we will be using VMware ESXi, but the steps are identical for VMware vCenter. Once you have the OVA, log into your ESXi instance and select Create / Register VM.



 

Step 2. Select Deploy a Virtual Machine from an OVF or OVA file and then select Next.




Step 3. Enter the name for the virtual machine and upload the OVA and select Next.




Step 4. Select the VM Datastore you wish to use as persistent storage for the VM and select Next.




Step 5. Select the Uplink Port Group that provides the correct access for the Virtual Edge VM to reach the internet as well as the access switches to be onboarded as Virtual Edge Nodes for policy enforcement. Select the Disk Provisioning option of your choice and ensure Power on automatically is enabled. 
 




Step 6. Optionally configure a static IP Address, Netmask, Gateway and DNS server. If left blank, DHCP will be used instead and you must create a static DHCP entry for this appliance in your DHCP server configuration. Set the NTP server and root password, then click Next.

NOTE:

Configuring NTP servers during Virtual Edge deployment is mandatory. Do not skip this step. If you forgot to configure an NTP server during deployment, you can use the config ntp command in the Virtual Edge shell to configure it. Then, use the show ntp command to verify that the clock is synchronized.

 

 

Step 7. If everything looks good select Finish and wait for the OVA to complete the deployment.
 





Make sure to enable Autostart so that the Virtual Edge VM starts up automatically after ESXi boots up.


Step 8. Select Console and then select Open Console in new window.




Configuring the VM


Step 9. Log into the Virtual Edge VM using the credentials set during the OVA deployment.





Step 10. Confirm the IP address and other network configurations on the VM by typing show config. Ensure the appliance has access to the internet using the ping command. You can also change the NTP and domain name servers after deployment using the config command. A full list of commands and uses is found in this article.

» ?
commands:
show Show virtual edge commands
config Configure virtual edge commands
quit Exit the shell
help Show this help message
register Initialize the application
restart Restart the virtual edge service
stop Stop the virtual edge service
reboot Reboot the virtual machine
ping Check ICMP or TCP connectivity to an IP address.
» show config
IP Address: 10.100.102.34
DHCP Enabled: false
DNS Servers: 10.100.102.20, 8.8.8.8
NTP Servers: us.pool.ntp.org
CCC URL: https://taylorlab163.us.rnd.elisity.io
»

 

NOTE: Currently we do not support changing the IP address of the Virtual Edge after it has been registered with Cloud Control Center. Please redeploy the Virtual Edge if you want to make an IP address change.
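Because the IP address cannot be changed after registration, it is worth checking the show config output before running register. The following is an added example, not Elisity tooling: it parses console text in the format shown in Step 10 and checks it against this guide's stated requirements (NTP mandatory, static IP recommended, VM IP must match the IP Address entered in Cloud Control Center). The function names, the ccc_ip parameter and the sample text are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the format shown in Step 10 (not a live capture).
SAMPLE = """\
» show config
IP Address: 10.100.102.34
DHCP Enabled: false
DNS Servers: 10.100.102.20, 8.8.8.8
NTP Servers: us.pool.ntp.org
CCC URL: https://taylorlab163.us.rnd.elisity.io
"""

def parse_show_config(text):
    """Parse 'Key: value' lines; prompt and command lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("»"):
            cfg[key.strip()] = value.strip()
    return cfg

def check_config(cfg, ccc_ip):
    """Return (errors, warnings). ccc_ip is the value typed into the
    IP Address field of the Add Virtual Edge form (hypothetical parameter)."""
    errors, warnings = [], []
    # The guide makes a reachable NTP server mandatory on every Virtual Edge.
    ntp = [s.strip() for s in cfg.get("NTP Servers", "").split(",") if s.strip()]
    if not ntp:
        errors.append("NTP: no server configured (mandatory)")
    # The IP in Cloud Control Center must match the one configured on the VM.
    try:
        vm_ip = ipaddress.ip_address(cfg.get("IP Address", ""))
        form_ip = ipaddress.ip_address(ccc_ip)
    except ValueError as exc:
        errors.append(f"IP: {exc}")
    else:
        if vm_ip != form_ip:
            errors.append(f"IP: VM has {vm_ip}, form has {form_ip}")
    # Static addressing is recommended; DHCP needs a static DHCP entry.
    if cfg.get("DHCP Enabled", "").lower() != "false":
        warnings.append("DHCP: in use, create a static DHCP entry for this VM")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_config(parse_show_config(SAMPLE), "10.100.102.34")
    for msg in errs + warns:
        print(msg)
    print("ready to register" if not errs else "fix errors before register")
```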

 

Adding the Virtual Edge in Cloud Control Center

In Cloud Control Center 16.3 with Virtual Edge Groups enabled, the process of deploying Virtual Edges has been updated.

See this article for more information on Virtual Edge Groups.


Step 11. Log into Cloud Control Center and navigate to Virtual Edges > Add Virtual Edge. To onboard a new VE to a VE Group, select the appropriate VE Group in the left menu pane and click +Add Virtual Edge.

Note: This workflow also applies to deploying Standalone Virtual Edges, just select "Standalone Virtual Edges" from the left pane instead of selecting a VE Group. This is similar to the traditional deployment method that existing customers are familiar with.


Step 12. Select the Virtual Edge Type of Hypervisor Hosted (16.x if present).

NOTE: For the purposes of graceful migration to Virtual Edge 16.0+, only existing customers will have the option to deploy older Virtual Edge versions.



Fill out all the required fields. Importantly, select a previously created Virtual Edge Group, which contains important Site Label and Distribution Zone assignments. If deploying a Standalone-VE, you can assign a Site Label and Distribution Zone.

 

Double check your selections in the summary page, make any necessary changes by clicking EDIT, and click Submit.

 

The following chart provides details about each required field

Virtual Edge Group: Assign the Virtual Edge to a pre-configured group, allowing it to inherit Site Labels and Distribution Zones automatically. VE Groups streamline the deployment process by managing multiple VEs together.

IP Address: This is the IP assigned to the Virtual Edge VM. This IP needs to be routable and must have access to reach Cloud Control Center. This IP also needs reachability to any Virtual Edge Node management interface you plan to onboard. This IP address must match what was configured on the Virtual Edge VM during deployment. This can be a new network or an existing network. This field is mandatory.

Host Name: This is the host name assigned to the Virtual Edge VM. This is the name you will see in Cloud Control Center.

Description: Description of the Virtual Edge for Cloud Control Center display.

Site Label (Standalone VE): You can assign a pre-created Site Label to your Virtual Edge that is inherited by any associated Virtual Edge Node, or you can create a new Site Label on the spot. This allows you to filter and view assets and Virtual Edges using these Site Labels, and apply Policy Sets based on Site Label for selective policy distribution. See our VE/VEN management article for info on how to create and manage your Site Labels effectively.

Distribution Zone (Standalone VE): Here you can assign the Virtual Edge to a pre-created Distribution Zone label for selective distribution of device to Policy Group mappings, or create a new DZ label and assign it to the VE immediately. See our VE/VEN management article for info on how to create and manage your Distribution Zone labels effectively.

 


Step 13. After clicking Add, the Virtual Edge will be provisioned in Cloud Control Center and a One Time Password (OTP) will be generated. 

 

 

Select the newly provisioned Virtual Edge and copy the One Time Password (OTP) under the Additional Information section to your clipboard. You must first click SHOW CREDENTIALS to copy the OTP credentials. You can regenerate these credentials after the Virtual Edge has connected to Cloud Control Center.

 

 

 

Step 15. Initiate the Virtual Edge bootstrap process by issuing the following command.

register

 

Enter the URL of Cloud Control Center, provide the OTP, and select "Y" to all prompts that follow. 

 

Within a couple of seconds, the Virtual Edge will register with Cloud Control Center and show a status of Online.

 

Now you can onboard your existing access switches as Elisity Virtual Edge Nodes for policy enforcement by following this guide. 

 

Deleting a Virtual Edge

Step 1. Select the more options icon to the right of the Virtual Edge and then select Delete Virtual Edge.

 

NOTE: Before you can delete a Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be deleted. Follow the guide here to first decommission Virtual Edge Nodes attached to the Virtual Edge you are trying to decommission.

The delete action for the Virtual Edge will appear in the Cloud Control Center audit logs.


Step 2. After the Virtual Edge has been deleted in Cloud Control Center, you can delete the VM on your Hypervisor.

 

 
