Configure Switches for the NEN
sFlow on the switch must be configured to send its output to the NEN. In addition, the sFlow-monitored interfaces on the switch must be configured in the NEN service via the PCE web console. If the NEN service receives sFlow information from an unrecognized or undefined network endpoint (or interface), it will reject that information. The NEN service continually aggregates the sFlow traffic and sends the aggregated information to the PCE traffic collector every 10 minutes.
Note
sFlow is only a sampling protocol, so all the flows might not be recorded. If the default sampling rate is not sufficient for your use case, see your vendor documentation.
Configure sFlow on Cisco Switch
Use the following (config)# commands to configure sFlow on a Cisco 9000 series switch:
Enable sFlow:
(config)# feature sflow
In the following command, the NEN_ip_address variable is the IP address of the NEN primary node:
(config)# sflow collector-ip NEN_ip_address vrf default
In the following command, the switch_IP_address variable is the IP address of the switch, which you will also use in the PCE web console. switch_IP_address is a management IP address.
(config)# sflow agent-ip switch_IP_address
In the following command, the interface_name_to_monitor variable is a mnemonic name that you have already defined on the switch for the interface, which you will also use in the PCE web console.
(config)# sflow data-source interface interface_name_to_monitor
Repeat the above sflow data-source interface command for all interfaces on the switch that you want to secure.
See Add Unmanaged Workloads and Switch Definitions in the PCE Web Console for information.
Example of sFlow Configuration for Cisco
nexus9000(config)# show run sflow

!Command: show running-config sflow

feature sflow
sflow collector-ip 10.10.10.1 vrf default
sflow agent-ip 10.20.20.1
sflow data-source interface Ethernet1/7
In this example:
The IP address on the switch that can communicate with the PCE is 10.20.20.1.
The PCE/NEN IP address (sFlow collector) is 10.10.10.1.
A workload is directly attached to interface Ethernet 1/7.
Collect SNMP ifIndex Value for Cisco
When the switch reports sFlow to the NEN, it includes interface index details in the flow records. When the NEN receives sFlow, it parses the records and retains only the records for the interfaces you specify in the NEN configuration. You need to collect the ifIndex values now and add them to the NEN configuration later. You can determine your switches' SNMP ifIndex values using the following command:
# show interface snmp-ifindex
Manufacturer/Model | Command | Notes |
---|---|---|
Cisco 9000 | In privileged mode: show interface snmp-ifindex | This command outputs the IFMIB (decimal) and the ifIndex (hex) values. You need the IFMIB (decimal) value later. This value is required to configure Monitor Traffic for the NEN. |
Example of Command Output
nexus9000# show interface snmp-ifindex
--------------------------------------------------------------------------------
Port            IFMIB        Ifindex (hex)
--------------------------------------------------------------------------------
mgmt0           83886080     (0x5000000)
Eth1/1          436207616    (0x1a000000)
Eth1/2          436208128    (0x1a000200)
Eth1/3          436208640    (0x1a000400)
Eth1/4          436209152    (0x1a000600)
Eth1/5          436209664    (0x1a000800)
Eth1/6          436210176    (0x1a000a00)
Eth1/7          436210688    (0x1a000c00)
Eth1/8          436211200    (0x1a000e00)
This example uses the Ethernet 1/7 interface as an sFlow source interface. To enter the interface information in the PCE, collect the decimal value of the ifIndex. In the case of the Cisco Nexus 9000, this value is in the IFMIB column of the command output. The command output above shows 436210688 as the IFMIB value for the Ethernet 1/7 interface. This value is required to configure the Monitor Traffic field in the PCE configuration page.
Configure sFlow on Arista Switch
Use the following commands to configure sFlow on an Arista 7000 series switch:
Run sFlow (this command is similar to enabling sFlow on a Cisco switch):
sflow run
In the following command, the IP address is the destination PCE IP to which the sFlow information should be sent:
sflow destination 10.6.1.158
In the following command, the IP address is the source IP from where the sFlow information is sent:
sflow source 10.21.6.1
On an Arista switch, the list of sFlow command options is:
Command | Description |
---|---|
| Set sFlow collector destination. |
| Configure sFlow extension settings. |
| Set polling interval (secs) for sFlow. |
| Configure QoS parameters. |
| Run sFlow globally. |
| Set sample characteristics for sFlow. |
| Set the source IP address. |
| Configure the source interface for sFlow datagrams. |
| Configure VRFs. |
Collect SNMP ifIndex Value for Arista
You can determine your Arista switches' SNMP ifIndex values using the following command:
arista7000# show snmp mib ifmib ifindex
Ethernet1: Ifindex = 1
Ethernet2: Ifindex = 2
Ethernet3: Ifindex = 3
Ethernet4: Ifindex = 4
Ethernet5: Ifindex = 5
Ethernet6: Ifindex = 6
Ethernet7: Ifindex = 7
Ethernet8: Ifindex = 8
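The Cisco and Arista ifIndex values collected above are what lets the NEN decide whether a flow sample comes from a defined switch and a monitored interface. The following Python script is an added example, not Illumio's NEN code: it parses an sFlow v5 datagram, keeps a flow sample only when the agent IP and input ifIndex are in an allowlist built from the switch definitions on this page (Nexus agent-ip 10.20.20.1 with Ethernet1/7 = 436210688, Arista 10.21.6.1 with Ethernet7 = 7), and scales accepted samples by their sampling rate to show why sampled data gives an estimate rather than a full record. The allowlist layout, the exact matching rule, the use of the Arista source IP as its agent address, and the aggregation are assumptions; the test datagrams are constructed with the script's own builder.

```python
"""Model of the NEN-side acceptance check described on this page: an sFlow v5
datagram is parsed and each flow sample is kept only when its agent IP and
input ifIndex match a switch/interface definition entered in the PCE.
Added illustration, not Illumio code; the allowlist layout, the matching rule
and the packet-estimate aggregation are assumptions."""
import socket
import struct
from collections import Counter

# Assumed allowlist: sFlow agent IP (Switch IP field) -> SNMP ifIndex values
# (Monitor Traffic field).  Values are the ones worked through on this page.
ALLOWED_INTERFACES = {
    "10.20.20.1": {436210688},  # Nexus 9000 sflow agent-ip, Ethernet1/7 IFMIB decimal
    "10.21.6.1": {7},           # Arista 7000 sflow source (assumed agent), Ethernet7
}

# sFlow v5 sample_data_format values for enterprise 0 (standard sFlow)
FLOW_SAMPLE = 1
COUNTER_SAMPLE = 2
EXPANDED_FLOW_SAMPLE = 3


def parse_datagram(data):
    """Yield one dict per flow sample in an sFlow v5 datagram with an IPv4 agent.
    Counter samples and unknown formats are skipped using their length field so
    the parser stays aligned with the next sample."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    agent = socket.inet_ntoa(data[8:12])
    _sub_agent, _seq, _uptime, n_samples = struct.unpack_from("!IIII", data, 12)
    off = 28
    for _ in range(n_samples):
        fmt, length = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated sFlow datagram")
        off += 8 + length
        if fmt == FLOW_SAMPLE:
            # seq, source_id, rate, pool, drops, input, output, n_records
            seq, _src, rate, _pool, drops, in_if, _out, n_rec = struct.unpack_from("!8I", body)
            in_if &= 0x3FFFFFFF  # top 2 bits are the interface format; 0 = plain ifIndex
        elif fmt == EXPANDED_FLOW_SAMPLE:
            # seq, source type, source index, rate, pool, drops,
            # input format, input value, output format, output value, n_records
            (seq, _st, _si, rate, _pool, drops,
             _in_fmt, in_if, _out_fmt, _out, n_rec) = struct.unpack_from("!11I", body)
        else:
            continue
        yield {"agent": agent, "seq": seq, "sampling_rate": rate, "drops": drops,
               "input_ifindex": in_if, "records": n_rec}


def filter_samples(data, allowed=ALLOWED_INTERFACES):
    """Split the flow samples of one datagram into accepted samples and
    (sample, reason) rejections: unknown agent or unmonitored interface."""
    accepted, rejected = [], []
    for s in parse_datagram(data):
        ifaces = allowed.get(s["agent"])
        if ifaces is None:
            rejected.append((s, "unknown agent"))
        elif s["input_ifindex"] not in ifaces:
            rejected.append((s, "unmonitored interface"))
        else:
            accepted.append(s)
    return accepted, rejected


def aggregate(accepted):
    """Estimated packets per (agent, ifIndex): each accepted sample stands for
    sampling_rate packets on the wire, so the result is an estimate, not a count."""
    totals = Counter()
    for s in accepted:
        totals[(s["agent"], s["input_ifindex"])] += s["sampling_rate"]
    return dict(totals)


def build_datagram(agent_ip, samples):
    """Constructed datagram for testing; samples = [(format, input_ifindex, rate)]."""
    out = bytearray(struct.pack("!II4sIIII", 5, 1, socket.inet_aton(agent_ip),
                                0, 1, 1000, len(samples)))
    for fmt, in_if, rate in samples:
        if fmt == FLOW_SAMPLE:
            body = struct.pack("!8I", 1, 0, rate, rate, 0, in_if, 0, 0)
        elif fmt == EXPANDED_FLOW_SAMPLE:
            body = struct.pack("!11I", 1, 0, in_if, rate, rate, 0, 0, in_if, 0, 0, 0)
        else:  # counter sample carrying no records
            body = struct.pack("!III", 1, in_if, 0)
        out += struct.pack("!II", fmt, len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    dgram = build_datagram("10.20.20.1", [(FLOW_SAMPLE, 436210688, 4096),
                                          (FLOW_SAMPLE, 436210176, 4096),  # Eth1/6, not monitored
                                          (COUNTER_SAMPLE, 436210688, 0)])
    ok, bad = filter_samples(dgram)
    print(len(ok), "accepted;", [(r["input_ifindex"], why) for r, why in bad], "rejected")
    print(aggregate(ok))
```

Running the script shows one accepted sample for Ethernet1/7, one rejection for Ethernet1/6 (present on the switch but not entered in Monitor Traffic), and a packet estimate of 4096 for the monitored interface. Feeding it a datagram from an agent IP that has no switch definition rejects every sample, which is the "unrecognized or undefined network endpoint" case described at the top of this page.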
Add Unmanaged Workloads and Switch Definitions in the PCE Web Console
To create a security policy, the switches and the workloads attached to them should be defined in the PCE web console as follows:
Log into the PCE web console.
Define the unmanaged workloads that are attached to the switch by selecting Workloads and VENs > Workloads > Add > Add Unmanaged Workload. You will associate these unmanaged workloads with their switches later.
See the Security Policy Guide for information on adding unmanaged workloads.
Define the switches and associated workloads, by selecting Infrastructure > Switches.
Click Add.
Enter the details in the displayed fields as described in the table below.
After entering or selecting values for all the required fields, click Save.
Fields in the PCE web console > Infrastructure > Switches > Add Switch page:
Field Name | Description | Required | Notes |
---|---|---|---|
NEN hostname | FQDN of the NEN that runs the NEN service | Yes | This field is populated with the FQDN of your NEN. You cannot edit this field. |
Description | Description of the NEN service | Yes | This field is populated with "Illumio Network Enforcement Node" and the FQDN of your PCE. You cannot edit this field. |
Switch Name | A free-form, mnemonic name of your choice for the switch | Yes | Make this name easy to remember and distinguishable from other switch names. |
Switch IP | IP address of the switch | Yes | Corresponds to switch_IP_address that you defined in Configure sFlow on Cisco Switch. It is also known as sflow agent-ip in Cisco switches. |
Manufacturer | Name of the switch manufacturer | Yes | Select Cisco. |
Model | Model number of the switch | Yes | Select 9000. |
Interfaces | Defined interfaces on the switch | No | Corresponds to interface_name_to_monitor you defined on the switch and configured in Configure sFlow on Cisco Switch. This can be a custom string. You can also add interfaces that are not monitored by sFlow. |
Workloads | Names of workloads connected to the switch's defined interfaces | No | Only those workloads assigned to the switch interfaces are secured. You can attach one or more workloads to an interface. |
Monitor Traffic | SNMP ifIndex of the switch interface. See Collect SNMP ifIndex Value for Cisco and Collect SNMP ifIndex Value for Arista. | Yes/No | If the interface is monitored by sFlow, the Monitor Traffic field is required. |
