Configure Switches for the NEN
Note
In the NEN Guide, the term "switch" refers to both switches and routers.
Note
This topic has been updated to include information about the Cisco IOS XR router, the NetFlow and IPFIX flow data monitoring protocols, and IPv6 address support. Illumio's support for these items began in NEN release 2.7.0 (Requires PCE 25.3 SaaS and later).
You must configure the flow data monitoring protocol on the switch to send its output to the NEN. Additionally, from the PCE web console, you must configure the switch's IP address and monitored interfaces in the NEN service. If the NEN service receives flow data from an unrecognized or undefined network endpoint (or interface), it rejects that data. The NEN service continually aggregates the flow data and sends the aggregated information to the PCE traffic collector every 10 minutes.
Note
If you are using either the IPFIX or NetFlow flow data monitoring protocols, configure the protocol to send one of the following fields along with the flow data information (see the IBM document IPFIX Information Elements):
interfaceName (ElementID 82), which is matched against the interface name for the switch specified in the NEN
ingressInterface (ElementID 10), which is matched against the ifindex of the interface
egressInterface (ElementID 14), which is matched against the ifindex of the interface
Configure your switch or router
Refer to your switch or router documentation for how to configure your preferred flow data monitoring protocol.
Enable a flow data monitoring protocol on the flow exporter.
Configure the NEN as a flow collector. The flow collector address is the IP address of the NEN primary node.
Configure the flow exporter address as the IP address of the switch, which you will also enter in the PCE web console.
Configure the interfaces that you want to monitor. Their names should match the interface names you specify in the PCE web console for the switch.
For more information, see Add Unmanaged Workloads and Switch Definitions in the PCE Web Console.
Collect the SNMP ifindex value for your switch or router
When the switch or router reports flow data to the NEN, it includes interface index (ifindex) details in the flow records. When the NEN receives flow data, it parses the records and retains records only for the interfaces you specify in the NEN configuration. You need to collect the ifindex IDs and add them to the NEN configuration later. See your switch documentation for the ifindex of the interfaces you want to monitor.
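The matching rule described in this topic (records from an undefined switch or interface are rejected; otherwise interfaceName, ingressInterface or egressInterface is matched against the switch definition) is easy to get wrong when setting up an exporter, so here is a small model of it. This is an added illustration, not Illumio's NEN code; the element IDs are the IPFIX IDs quoted above, and every switch address, interface name and ifindex value is a constructed sample.

```python
"""Model of the NEN's NetFlow/IPFIX interface-matching rule (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

INTERFACE_NAME = 82    # interfaceName: matched against the interface name in the NEN
INGRESS_IFINDEX = 10   # ingressInterface: matched against the ifindex of the interface
EGRESS_IFINDEX = 14    # egressInterface: matched against the ifindex of the interface


@dataclass
class SwitchDefinition:
    """What the PCE web console holds for one switch: Switch IP plus interfaces."""
    ip: str
    interfaces: dict[str, int] = field(default_factory=dict)  # name -> SNMP ifindex


def accept_record(switches: dict[str, SwitchDefinition], exporter_ip: str,
                  record: dict[int, object]) -> Optional[str]:
    """Return the matched interface name, or None if the NEN would reject the record."""
    switch = switches.get(exporter_ip)
    if switch is None:
        return None                                  # unrecognized network endpoint
    name = record.get(INTERFACE_NAME)
    if name in switch.interfaces:
        return name                                  # matched by interfaceName (82)
    by_ifindex = {idx: n for n, idx in switch.interfaces.items()}
    for element in (INGRESS_IFINDEX, EGRESS_IFINDEX):
        idx = record.get(element)
        if idx in by_ifindex:
            return by_ifindex[idx]                   # matched by ifindex (10 or 14)
    return None                                      # undefined interface


def filter_records(switches, flows):
    """Keep only the (exporter, interface, record) triples the NEN would retain."""
    kept = []
    for exporter_ip, record in flows:
        name = accept_record(switches, exporter_ip, record)
        if name is not None:
            kept.append((exporter_ip, name, record))
    return kept


# Constructed sample: one defined switch with two monitored interfaces.
SWITCHES = {"192.0.2.10": SwitchDefinition(
    "192.0.2.10", {"GigabitEthernet0/1": 3, "GigabitEthernet0/2": 4})}
SAMPLE_FLOWS = [
    ("192.0.2.10", {INTERFACE_NAME: "GigabitEthernet0/1"}),    # kept: name matches
    ("192.0.2.10", {INGRESS_IFINDEX: 4}),                      # kept: ifindex matches
    ("192.0.2.10", {EGRESS_IFINDEX: 9}),                       # rejected: ifindex undefined
    ("198.51.100.7", {INTERFACE_NAME: "GigabitEthernet0/1"}),  # rejected: unknown exporter
]
```

Running filter_records(SWITCHES, SAMPLE_FLOWS) keeps only the first two sample flows, which is the symptom to check for when an exporter's source address or interface names do not match the PCE switch definition.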
Add Unmanaged Workloads and Switch Definitions in the PCE Web Console
To create a security policy, the switches and the workloads attached to them should be defined in the PCE web console as follows:
Log into the PCE web console.
Define the unmanaged workloads that are attached to the switch by going to Servers & Endpoints > Workloads > Add > Add Unmanaged Workload. You will associate these unmanaged workloads with their switches later.
See the Security Policy Guide for information on adding unmanaged workloads.
Define the switches and their associated workloads by selecting Infrastructure > Switches.
Click Add.
Enter the details in the displayed fields as described in the table below.
After entering or selecting values for all the required fields, click Save.
Fields in the PCE web console > Infrastructure > Switches > Add Switch page:
| Field Name | Description | Required | Notes |
|---|---|---|---|
| NEN hostname | FQDN of the NEN that runs the NEN service | Yes | This field is populated with the FQDN of your NEN. You cannot edit this field. |
| Description | Description of the NEN service | Yes | This field is populated with "Illumio Network Enforcement Node" and the FQDN of your NEN. You cannot edit this field. |
| Switch Name | A free-form, mnemonic name of your choice for the switch | Yes | Make this name easy to remember and distinguishable from other switch names. |
| Switch IP | IP address of the switch | Optional | IP address of the switch that is configured to send flow data to the NEN. |
| Manufacturer | Name of the switch manufacturer | Yes | Select the manufacturer. |
| Model | Model number of the switch | Yes | Select your model. |
| Interfaces | Defined interfaces on the switch | No | If you're monitoring flows, this corresponds to the interface name you defined in the switch flow configuration; that is, the name of the interface on the switch for which you want to generate ACLs or monitor traffic. You can also add interfaces that are not being flow-monitored. |
| Workloads | Names of workloads connected to the switch's defined interfaces | Yes | Only those workloads assigned to the switch interfaces are secured. You can attach one or more workloads to an interface. |
| Monitor Traffic | SNMP ifIndex of the switch interface. See the documentation for your switch. | Yes/No | This field is required if the interface is being flow-monitored. It is the ifindex of the interface in the switch's configuration. |