Illumio Core 21.5 Install, Configure, Upgrade

NEN Switch Configuration Using REST API

To manage network switches reporting data flows to the NEN and to get the generated ACLs to enforce policies based on what's been defined in the PCE, you need to complete these tasks:

  1. Get the list of switches and their details.

  2. Generate the ACLs for one or all switches.

  3. Print the ACLs in the desired format.

The sections below describe the manual steps, which can be inserted in any script to automate this process.

Get List of Switches and Details

To get the list of all the network switches registered against the NEN, run the following curl command:

curl -u api_xxx:xxx -H "Accept: application/json" -X GET \
  https://mypce.domain.io:8443/api/v2/orgs/1/network_devices

Result: Returns the list of switches, each with the endpoints (ports, workloads) it has reported to the NEN.

Curl Command of Get List of Switches

curl -u api_1853ebfcb1187acb4:9c2a381773a44e3a609448109278c02c4ec1fe597f9643af71a832c0a8b0c0d0 \
  -H "Accept: application/json" -X GET https://mypce.domain.io:8443/api/v2/orgs/1/network_devices

Response

[
   {
      "network_enforcement_node" : {
         "href" : "/orgs/1/network_enforcement_nodes/f64e78b7-2917-409f-9093-9d6ddaa35799"
      },
      "href" : "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99",
      "configure" : false,
      "network_endpoints" : [
         {
            "href" : "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99/network_endpoints/1ff6f037-d644-438e-ab32-019a45a7d8d5"
         },
         {
            "href" : "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99/network_endpoints/dd687e16-6998-4a39-8bde-a7fb445f18d9"
         },
         {
            "href" : "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99/network_endpoints/7345aed3-1fbd-4596-ada9-f6cbfb361dfe"
         },
         {
            "href" : "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99/network_endpoints/be58f614-7cc7-4132-a409-97ea8334dfeb"
         }
      ],
      "enforcement_instructions_data_timestamp" : "2019-05-06T15:45:02Z",
      "enforcement_instructions_data_href" : "/orgs/1/datafiles/49b11cf6-d6f9-4efc-8cb2-c1a444cb9c02",
      "supported_endpoint_type" : "switch_port",
      "config" : {
         "model" : "9000",
         "name" : "cisco-n9k",
         "rules_format" : "cli",
         "ip_address" : "10.1.2.3",
         "device_type" : "switch",
         "manufacturer" : "Cisco"
      },
      "status" : "unmonitored"
   }
]

Generate ACLs for Switches

To generate ACLs for a specific switch registered against the NEN, run the following curl command:

curl -u api_xxx:xxx -H "Content-Type: application/json" -d '{}' -X POST \
  https://mypce.domain.io:8443/api/v2/orgs/1/network_devices/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/enforcement_instructions_request

Note

Replace the xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx placeholder with the UUID of the switch (the last segment of its href in the switch list) for which you intend to generate ACLs.

Curl Command to Generate ACLs

curl -u api_1853ebfcb1187acb4:9c2a381773a44e3a609448109278c02c4ec1fe597f9643af71a832c0a8b0c0d0 \
  -H "Content-Type: application/json" -d '{}' -X POST \
  https://mypce.domain.io:8443/api/v2/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99/enforcement_instructions_request

Result: The response has a 202 (Accepted) status code.

The ACLs are generated on the NEN and are ready for use in a few minutes.

Important

API POST Requirements

When sending a POST request, you must include both the header (-H) flag and the data (-d) flag. Even if you have no data to send, you must pass an empty data flag, as shown in the example above.

Note

Illumio recommends that you insert a pause in any script to allow the NEN to generate the new ACLs for the specific switch. It takes approximately 30 seconds to generate all the ACLs.

The PCE will not send any update or acknowledgment to the REST client once it is finished generating the new ACLs for the switch.

Alternatively, to generate ACLs for all the switches in your inventory (for example, to hand them to your network team), include the "all_devices": true key-value pair in the JSON payload of the POST request.

To generate ACLs for all the switches registered against the NEN, run the following curl command:

curl -u api_xxx:xxx -H "Content-Type: application/json" -d '{"all_devices": true}' \
  -X POST https://mypce.domain.io:8443/api/v2/orgs/1/network_devices/multi_enforcement_instructions_request

Get List of ACLs

To download the ACLs for a specific switch registered against the NEN, first get the current value of its enforcement_instructions_data_href key. This value changes every time the NEN generates new ACLs for the switch, because each generation produces a new datafile.

  1. To get the updated enforcement_instructions_data_href value for a network switch, run the following curl command:

    curl -u api_xxx:xxx -H "Accept: application/json" \
      -X GET https://mypce.domain.io:8443/api/v2/orgs/1/network_devices

    This command returns the list of switches. Parse the JSON output and filter on the enforcement_instructions_data_href key of the switch you want to get its current value. You can use the jq tool to filter any JSON output.

  2. After you retrieve the updated value, use it in the following curl command to get the generated ACLs:

    curl -u api_xxx:xxx -H "Accept: application/json" \
      -X GET https://mypce.domain.io:8443/api/v2/orgs/1/datafiles/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

    Replace the xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx placeholder with the UUID at the end of the enforcement_instructions_data_href value (of the form /orgs/1/datafiles/<uuid>) that you got from the previous GET request.

Example of Get List of ACLs

curl -u api_1853ebfcb1187acb4:9c2a381773a44e3a609448109278c02c4ec1fe597f9643af71a832c0a8b0c0d0 \
  -H "Accept: application/json" \
  -X GET https://mypce.domain.io:8443/api/v2/orgs/1/datafiles/d1bdbb23-60c4-439e-bd74-ca0d03d959a7

Output:

no ip access-list ILLUMIO_ACLS-Ethernet1-21-Inbound
ip access-list ILLUMIO_ACLS-Ethernet1-21-Inbound
!---Inbound ACL Rules ---
	permit ip host 10.10.100.201 host 10.10.100.202
	permit ip host 10.10.100.201 host 10.10.100.203
	permit ip host 10.10.100.201 host 10.10.100.204
	permit tcp any any established
	permit udp any eq 68 any eq 67
	permit udp any range 1024 65535 any eq 53
	exit
			...
no ip access-list ILLUMIO_ACLS-VLAN-20-Outbound
ip access-list ILLUMIO_ACLS-VLAN-20-Outbound
!---Outbound ACL Rules ---
	permit ip host 10.10.100.201 host 10.10.100.204
	permit ip host 10.10.100.202 host 10.10.100.204
	permit ip host 10.10.100.203 host 10.10.100.204
	permit tcp any any established
	permit udp any eq 67 any eq 68
	permit udp any eq 53 any range 1024 65535
	exit
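The following script is an added example, not code from the Illumio documentation. It chains the three tasks above using only the Python standard library: it sends the same Basic credential that curl -u sends, POSTs the empty JSON payload the PCE requires, and, because the PCE never acknowledges that ACL generation has finished, polls enforcement_instructions_data_href until it changes rather than trusting a single fixed sleep before downloading the datafile. The PCE URL and org id are the page's; SAMPLE_DEVICES is a constructed, trimmed copy of the switch-list response shown above, and the switch name cisco-n9k is taken from it.

```python
import base64
import json
import time
import urllib.request

PCE = "https://mypce.domain.io:8443/api/v2"  # PCE host from the page; org 1 as in its examples
DEVICES_PATH = "/orgs/1/network_devices"

# Constructed sample: a trimmed copy of the network_devices response shown above.
SAMPLE_DEVICES = json.loads('[{"href": "/orgs/1/network_devices/f07a077a-70ad-4b57-b82a-f1d204fcfd99",'
                            ' "enforcement_instructions_data_href": "/orgs/1/datafiles/49b11cf6-d6f9-4efc-8cb2-c1a444cb9c02",'
                            ' "config": {"name": "cisco-n9k", "manufacturer": "Cisco", "model": "9000"}}]')

def basic_auth(api_user, api_secret):
    """Same credential that curl -u sends: 'Basic ' + base64(user:secret)."""
    return "Basic " + base64.b64encode(f"{api_user}:{api_secret}".encode()).decode()

def datafile_hrefs(devices):
    """Map switch name -> current enforcement_instructions_data_href (None before the first generation)."""
    return {d["config"]["name"]: d.get("enforcement_instructions_data_href") for d in devices}

def acls_changed(before, after):
    """Switches whose datafile href moved: the PCE never acknowledges the POST, so this is the completion signal."""
    return sorted(n for n, h in after.items() if h is not None and h != before.get(n))

def pce_request(auth, method, path, body=None):
    """GET returns parsed JSON, or text for ACL datafiles (switch CLI output); POST always sends -H and -d."""
    headers = {"Accept": "application/json", "Authorization": auth}
    data = json.dumps({} if body is None else body).encode() if method == "POST" else None  # '{}' when empty
    if method == "POST":
        headers["Content-Type"] = "application/json"  # the PCE requires both the header and a data payload
    req = urllib.request.Request(PCE + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode()
        return resp.status, (json.loads(raw) if raw[:1] in ("[", "{") else raw)

def regenerate_and_fetch(auth, switch_name, attempts=10, interval=30):
    """POST an enforcement_instructions_request for one switch, poll until its datafile changes, return the ACLs."""
    devices = pce_request(auth, "GET", DEVICES_PATH)[1]
    before = datafile_hrefs(devices)
    device_href = next(d["href"] for d in devices if d["config"]["name"] == switch_name)
    status, _ = pce_request(auth, "POST", device_href + "/enforcement_instructions_request")
    if status != 202:
        raise RuntimeError(f"expected 202 Accepted, got {status}")
    for _ in range(attempts):
        time.sleep(interval)  # the docs quote roughly 30 s per generation; re-check instead of assuming it
        after = datafile_hrefs(pce_request(auth, "GET", DEVICES_PATH)[1])
        if switch_name in acls_changed(before, after):
            return pce_request(auth, "GET", after[switch_name])[1]
    raise TimeoutError(f"no new ACL datafile for {switch_name} after {attempts * interval}s")
```

Call regenerate_and_fetch(basic_auth("api_xxx", "xxx"), "cisco-n9k") against a reachable PCE to get the ACL text; the parsing helpers can be exercised offline on SAMPLE_DEVICES.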