This document outlines the key concepts needed to prepare for a successful Elisity deployment. It introduces the core components of the architecture, the supported deployment models and platforms, and the critical access and connectivity requirements. Each section provides a brief summary followed by a table of curated links to detailed technical documentation.

## Deployment Models and Requirements

| Topic | Details | Link |
|---|---|---|
| Deployment Models Overview | Comparison of the various Virtual Edge deployment models available. | Virtual Edge and Virtual Edge Node Design Guide |
| Supported Switch Platforms | List of supported switch models and firmware across vendors | Hardware Compatibility Matrix |
| Switch License Requirements | | |
| NTP Configuration | Onboarded infrastructure, as well as any Active Directory Domain Controllers being monitored by Elisity, must be synced to an NTP server so that all user and device events are synchronized. | |
| CLI Access to switches | The deployment team will need to have access to the switch in order to configure and deploy the container. | Onboarding-Catalyst-9000-3850-3650 |

## Cloud Control Center (CCC)

| Topic | Details | Link |
|---|---|---|
| Role-Based Access Control (RBAC) | Roles required for deployment (User Roles, SSO mappings) | Setting Up Identity and Access Management (IAM) Using Role-Based Access Control (RBAC) in Cloud Control Center |
| SSO - Ping | Guide for Setting up SSO w/ Ping | Set Up Ping Identity Single Sign On (SSO) |
| SSO - Okta | Guide for Setting up SSO w/ Okta | Set Up Okta Single Sign On (SSO) |
| SSO - Microsoft Entra ID (Azure AD) | Guide for Setting up SSO w/ Azure AD | Set Up Microsoft Entra ID (Azure AD) Single Sign On (SSO) |
| CCC Settings Overview | Overview of SSO, Connectors, and global settings in the CCC UI | Elisity Cloud Control Center User Guide and Initial Configurations |

## Virtual Edges

| Topic | Details | Link |
|---|---|---|
| Hypervisor-Hosted VE: Deployment | Instructions and prerequisites for deploying VE as a VM | Virtual Edge Deployment Guide Hypervisor Hosted |
| Switch-Hosted VE: Deployment | SSD, IOS requirements, and provisioning workflow for Switch-hosted VE | Virtual Edge Deployment Guide Switch Hosted |
| Switch-Hosted VE: Pre-Stage the VE software on the switch | The VE software should be pre-staged on the switch prior to onboarding the VE. Recommendation: Install the SSD first, then transfer the VE image directly to the SSD instead of the switch flash. | Virtual Edge Deployment Guide Switch Hosted |
| Switch-Hosted VE: SSD Insertion | If installed correctly, the LED on the SSD will turn green. | Cisco Catalyst 9300 Series Switches Hardware Installation Guide - Installing a USB 3.0 SSD [Cisco Catalyst 9300 Series Switches] - Cisco |
| Switch-Hosted VE: Enabling Redundancy with Cisco StackWise | Elisity supports switch-hosted Virtual Edge redundancy when Cisco StackWise technology is used to stack switches together. | |
| VE Connectivity Requirements | Required ports and connectivity for VE to function | Virtual Edge Connectivity Requirements |

## Virtual Edge Nodes

| Topic | Description | Link |
|---|---|---|
| Cisco Switch Onboarding | Step-by-step guide for onboarding Cisco Switches | Onboarding Cisco Switches as a Virtual Edge Node |
| Arista Switch Onboarding | Step-by-step guide and caveats for onboarding Arista switching platforms | Onboarding Arista Switches as a Virtual Edge Node |
| Juniper Direct Switch Onboarding | Workflow for onboarding Juniper EX switches via direct API integration | Onboarding Juniper EX 4000-Series Switches as a Virtual Edge Node (Direct Switch Integration) |
| Juniper MIST Switch Onboarding | Workflow for onboarding Juniper EX switches via Juniper MIST integration | Onboarding Juniper Mist-Managed Access Switches as Virtual Edge Nodes |
| HPE Aruba Switch Onboarding | Step-by-step guide and caveats for onboarding Aruba switching platforms | Onboarding HPE Aruba switches as a Virtual Edge Node |
| Cisco WLC Onboarding | Step-by-step guide for onboarding Cisco Wireless Controllers | Onboarding Catalyst 9800 Wireless Controller |
| Port Configuration for VENs | Enabling endpoint discovery, flow telemetry, and uplink exclusions - either manually or automatically via UNI/NNI port detection | Port Configurations for Virtual Edge Nodes (Switches) |

## Firewall Integrations

| Topic | Description | Link |
|---|---|---|
| Palo Alto Firewall Integration | Direct integration with individual Palo Alto firewalls using policy DAG mapping | Palo Alto Networks Firewall Integration - Policy Group Derived Dynamic Address Groups (DAG) |
| Palo Alto Panorama Integration | Centralized integration with Panorama to manage DAGs and security rules | Palo Alto Networks Panorama Integration - Policy Group Derived Dynamic Address Groups (DAG) |

## Wireless Design

| Topic | Description | Link |
|---|---|---|
| CAPWAP / Tunneled Wireless | Legacy Local Mode where APs send tunneled CAPWAP traffic to a WLC. | Wireless Design Guide |
| Local Mode with WLC Enforcement | Traffic is routed through the WLC where policies are applied on the Ethernet interface. | Wireless Design Guide |
| Local Mode with Switch Enforcement | Wireless traffic is routed through the WLC, then to an upstream switch where Elisity policies are enforced. | Wireless Design Guide |
| Flex Local Mode | Also called FlexConnect. Traffic from APs is forwarded directly to access switches (VENs) for policy enforcement. Intra-VLAN traffic switched locally on the AP bypasses policy. | Wireless Design Guide |

## Integrations

| Integration | Description | Link |
|---|---|---|
| Active Directory | User login attribution and user group enrichment via local AD connector | Connect Microsoft Active Directory |
| Microsoft Defender | Device identity enrichment and trust scoring using Defender's API | Connect Microsoft Defender |
| Microsoft Intune | Device attribute enrichment via Intune MDM data | Connect Microsoft Intune |
| CrowdStrike | Risk and classification enrichment via Falcon API | Connect CrowdStrike |
| Armis | IoT/OT identity enrichment via cloud or on-prem deployment | Connect Armis |
| Tenable.SC | Vulnerability and classification data from Tenable Security Center | Connect Tenable Security Center |
| Claroty xDome | IT/IoT/OT asset identity enrichment, firmware and risk enrichment | Connect Claroty xDome |
| Medigate | Deep enrichment across IT, OT, and IoMT assets | Connect Medigate |
| Dragos | OT/ICS device inventory and security posture enrichment | Connect Dragos |
| Nozomi Networks | Passive OT/ICS asset classification and visibility | Connect Nozomi |
| Palo Alto IoT Security | Device attributes from PAN IoT platform for segmentation and risk context | Connect Palo Alto Networks IoT Security |
| ServiceNow CMDB | Use of CMDB asset attributes and trust state in policy definition | Connect ServiceNow CMDB |
| Splunk / Cribl | Export of logs and events to SIEM platforms via HTTP Event Collector | Connect Splunk SIEM |

## Policy Architecture

| Topic | Description | Link |
|---|---|---|
| Policy Groups | Building blocks of Elisity microsegmentation—dynamic identity-based groupings of assets used as endpoints for microsegmentation policy | Policy Groups |
| Security Profiles | Reusable sets of L3/L4 traffic rules that define allowed or denied protocols and ports, optionally with logging, for controlling communication between Policy Groups. | Security Profiles |
| Policy Sets and Site Labels | Logical collections of policies scoped to specific sites or business units, allowing tailored segmentation enforcement across different parts of the network. | Policy Sets and Site Labels |
| Distribution Zones | Logical constructs that segment the network into zones for efficient and scalable distribution of identity-based policy. DZs optimize tag propagation, enforce policy within defined boundaries, and support overlapping IP spaces via Isolated DZs. | Distribution Zones |