Supported switches and configurations
Note
In the NEN Guide, the term "switch" refers to both switches and routers.
Note
This topic has been updated to include information about the Cisco IOS XR router, the NetFlow and IPFIX flow data monitoring protocols, and IPv6 address support. Illumio's support for these items began in NEN release 2.7.0 (Requires PCE 25.3 SaaS and later).
The following switches are supported in this release:
Cisco Nexus 9200 and 9300 series
Cisco IOS XR series routers (requires NEN release 2.7.0 or later and PCE release 25.3 SaaS or later)
Arista 7000 series
Switch configuration
The following ACL and interface configurations are supported for the Illumio NEN integration:
| ACL Implementation | Switch Interfaces | ACL Type |
|---|---|---|
| Router ACL (RACL). RACLs support both inbound and outbound enforcement. | | |
Important
Unsupported interface and ACL configurations
Note
Refer to your vendor-provided documentation for information about where port and protocol addresses can be applied.
NEN 2.6.4 and earlier does not support:
VLAN ACL (VACL) or Virtual Teletype (VTY) ACL as the ACL implementation
VLAN trunk port (switchport mode trunk) or sub-interface as the switch interface
MAC ACL type
IPv6 ACL type
PACLs for Layer 2 interfaces
NEN 2.7.0 and later does not support:
MAC ACL type
PACLs for Layer 2 interfaces
Administrative access to the switch
You or your network administrators need administrative access to your switches to configure them and load the NEN-generated ACLs.
Note
The PCE and the NEN do not send any communication to the switch and never log into the switch. The PCE and the NEN do not require root or admin privileges on the switch.
Sufficient TCAM
Your switch's ternary content-addressable memory (TCAM) must be sufficient to store the IPv4 RACLs generated by the NEN.
Note
Illumio does not provide a mechanism to check the TCAM depth or available memory for each platform. Your network or security administrators need to check whether the generated IP ACLs can be handled by the switch.
Enable network flow monitoring protocol
For the NEN to provide network traffic flow data to the PCE for Illumination, your switch must be configured to export flows with a network flow monitoring protocol such as sFlow, NetFlow, or IPFIX. See your vendor documentation for configuration details.
Note
If you are using the IPFIX or NetFlow flow data monitoring protocol, configure it to export one of the following fields along with the flow data (see the IBM document IPFIX Information Elements):
interfaceName (ElementID 82), which is matched against the interface name for the switch specified in the NEN
ingressInterface (ElementID 10), which is matched against the ifindex of the interface
egressInterface (ElementID 14), which is matched against the ifindex of the interface
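A practical way to confirm that an exporter actually sends one of those three elements is to capture one template packet from the switch and list the Information Element IDs in each template. The following script is an added example, not Illumio's or the NEN's code: it parses the template set of an IPFIX (version 10) or NetFlow v9 export packet, records the IANA element IDs per template (enterprise-specific elements are kept apart as a (PEN, id) pair so they are never mistaken for IANA IDs 10, 14 or 82), and reports which of interfaceName, ingressInterface and egressInterface each template carries. The two sample packets are constructed inline so the script runs offline; in use you would pass the UDP payload captured on the configured NetFlow or IPFIX port instead.

```python
import struct

# IANA IPFIX Information Elements the NEN matches interfaces on (ElementIDs from the page)
INTERFACE_IES = {82: "interfaceName", 10: "ingressInterface", 14: "egressInterface"}

IPFIX_VERSION, IPFIX_HEADER_LEN, IPFIX_TEMPLATE_SET_ID = 10, 16, 2
NFV9_VERSION, NFV9_HEADER_LEN, NFV9_TEMPLATE_FLOWSET_ID = 9, 20, 0


def _parse_template_records(pkt, offset, end, templates, ipfix):
    """Walk the template records in pkt[offset:end]; template IDs below 256 are padding."""
    while offset + 4 <= end:
        template_id, field_count = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4
        if template_id < 256:
            break
        fields = []
        for _ in range(field_count):
            if offset + 4 > end:
                return  # truncated template: keep what was parsed so far
            ie_id, _ie_len = struct.unpack("!HH", pkt[offset:offset + 4])
            offset += 4
            if ipfix and ie_id & 0x8000:
                # enterprise-specific element (RFC 7011): a 4-byte PEN follows; store it
                # as a (pen, id) pair so it cannot collide with an IANA element ID
                pen = struct.unpack("!I", pkt[offset:offset + 4])[0]
                offset += 4
                fields.append((pen, ie_id & 0x7FFF))
            else:
                fields.append(ie_id)
        templates[template_id] = fields


def parse_templates(pkt):
    """Return {template_id: [field ids]} for every template in an IPFIX or NetFlow v9 packet."""
    version = struct.unpack("!H", pkt[:2])[0]
    templates = {}
    if version == IPFIX_VERSION:
        msg_len = struct.unpack("!H", pkt[2:4])[0]
        offset, end, tmpl_id = IPFIX_HEADER_LEN, min(msg_len, len(pkt)), IPFIX_TEMPLATE_SET_ID
    elif version == NFV9_VERSION:
        offset, end, tmpl_id = NFV9_HEADER_LEN, len(pkt), NFV9_TEMPLATE_FLOWSET_ID
    else:
        raise ValueError(f"not an IPFIX or NetFlow v9 packet (version {version})")
    while offset + 4 <= end:
        set_id, set_len = struct.unpack("!HH", pkt[offset:offset + 4])
        if set_len < 4:
            break  # a zero/short length would otherwise loop forever
        set_end = min(offset + set_len, end)
        if set_id == tmpl_id:
            _parse_template_records(pkt, offset + 4, set_end, templates, version == IPFIX_VERSION)
        offset = set_end  # data sets and options templates are skipped
    return templates


def interface_fields_per_template(templates):
    """For each template, the NEN-required interface elements it carries (possibly none)."""
    return {tid: [INTERFACE_IES[f] for f in fields if isinstance(f, int) and f in INTERFACE_IES]
            for tid, fields in templates.items()}


def build_ipfix_sample():
    """Constructed IPFIX message: template 256 with ingress/egressInterface plus one
    enterprise element, followed by a data set so set skipping is exercised."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 4), (14, 4), (1, 8)]
    record = struct.pack("!HH", 256, len(fields) + 1)
    for ie, ln in fields:
        record += struct.pack("!HH", ie, ln)
    record += struct.pack("!HHI", 0x8000 | 100, 4, 12345)  # PEN 12345, element 100 (constructed)
    template_set = struct.pack("!HH", IPFIX_TEMPLATE_SET_ID, 4 + len(record)) + record
    data = b"\x00" * (4 + 4 + 2 + 2 + 1 + 4 + 4 + 8 + 4)  # one all-zero data record
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, IPFIX_HEADER_LEN + len(body), 0, 0, 1)
    return header + body


def build_netflow_v9_sample():
    """Constructed NetFlow v9 packet whose only template lacks all three interface elements."""
    fields = [(8, 4), (12, 4), (1, 4), (2, 4)]
    record = struct.pack("!HH", 256, len(fields))
    for ie, ln in fields:
        record += struct.pack("!HH", ie, ln)
    flowset = struct.pack("!HH", NFV9_TEMPLATE_FLOWSET_ID, 4 + len(record)) + record
    header = struct.pack("!HHIIII", NFV9_VERSION, 1, 0, 0, 0, 0)
    return header + flowset


if __name__ == "__main__":
    for name, pkt in (("ipfix", build_ipfix_sample()), ("netflow-v9", build_netflow_v9_sample())):
        report = interface_fields_per_template(parse_templates(pkt))
        for tid, present in report.items():
            status = "OK" if present else "MISSING: add interfaceName, ingressInterface or egressInterface"
            print(f"{name} template {tid}: {present or '-'} -> {status}")
```

Running the script prints one line per template; a template with an empty list means the exporter must be reconfigured before the NEN can attribute flows to an interface. Data records are deliberately not decoded, since the question here is only whether the template definition carries a usable interface element.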
Configure ports for flow output
The flow output from the switch must be sent to the PCE so it can be monitored. The standard ports for supported flow monitoring protocols are:
sFlow: 6343
NetFlow: 2055 (Illumio's support began in NEN release 2.7.0)
IPFIX: 4739 (Illumio's support began in NEN release 2.7.0)
See Configure Switches for NEN for information.
Network connectivity between switches and the NEN
The NEN listens for sFlow, NetFlow, and IPFIX from the switches.
Important
Ensure that your network is configured to allow communication between your switches and the NEN.
Switch information
You need to enter information about the switch in the PCE web console. See the table listed in Add Unmanaged Workloads and Switch Definitions in the PCE Web Console for information.