Overview of the NEN
This section describes the situations where installing an agent (the Illumio VEN) on a device is not possible and how to work around that limitation by using the NEN.
When Installing a VEN Isn’t Possible
Visibility of communication across applications is critical for segmentation. The optimal method of getting visibility is to use a lightweight agent, the VEN, to report all inbound and outbound communications for each workload.
However, in certain cases a VEN cannot be installed on special-purpose systems that provide services to application workloads; for example, IBM mainframes, NetApp filers, legacy Windows machines, or appliances. In other cases, the VEN could be installed on a workload but customers choose not to; for example, installing a VEN might void the vendor’s support agreement, or the workload is sensitive to latency because it is a high-transaction server.
How the NEN Integrates with Network Devices
In cases where a VEN cannot be installed, the NEN extends visualization capabilities to agentless workloads via the network. The NEN is installed as part of an Illumio Core deployment and paired with a PCE. Every IP address associated with the network endpoints managed by the NEN has one workload or virtual server associated with it. The NEN can manage multiple endpoints and enforce policy for those endpoints.
This guide describes how to integrate the NEN with supported load balancers (SLBs) and switches.

Using the NEN, Illumio Core enforces policy at the point nearest to the workload, either:
A virtual server on a load balancer in front of the workload
A switch port on a router in front of a workload
The NEN receives generic policy from the PCE and generates policy appropriate to the managed network devices:
SLBs: Firewall policy; for example, the F5 load balancer has two variants of applying policy: AFM and LTM
Switches: ACLs
Until a NEN is paired to the PCE, the switch and load balancer features are deactivated. Using the PCE web console, Illumio users associate unmanaged workloads to the network device endpoints. The NEN syncs its configuration with the PCE every 1 minute. For switch devices, the NEN can be configured to receive traffic flow information from the managed network devices and provide illumination data to the PCE.
Currently, the NEN does not configure network devices automatically. Network device management has to be done by the user. This process includes applying generated policy by using the Illumio REST API. For information about applying policy to switches, see Apply Policy for Switches and NEN Switch Configuration Using REST API. For information about applying policy for SLBs, see Write SLB Policy.