Overview of Switch Integration
The Illumio Network Enforcement Node (NEN) is the Illumio Core switch interface, which allows you to get visibility and enforcement on switches. Using the NEN, you can secure workloads that are attached to network switches. You can use the NEN to generate access control lists (ACLs) and load those on your switches to protect the ports to which your workloads are attached.
How the NEN Receives Switch Data
With the NEN, network administrators can configure their switches to send sFlow data to an sFlow collector, such as the NEN. An Illumio Core administrator can configure the NEN to listen for sFlow data from switches and associate workloads to those switches. The NEN receives sFlow data directly from the switches, summarizes it, and uploads it to the PCE. You can view this traffic flow in the Illumination® map and stream it out of the PCE through UDP in Splunk, CEF, or LEEF formats.

Extended Policy Model
The Illumio policy model encompasses workloads with native stateful firewalls built in, such as Linux iptables or Windows Filtering Platform. Not all systems have a built-in firewall, but they still have segmentation requirements. To solve this use case, Illumio has extended its policy model to switches.
Illumio administrators can use the NEN to convert natural language policies into ACLs, which the switches understand natively. Your organization's teams that use Illumio Core can download ACLs from the PCE and provide them to the networking team for review before applying new policies to the switches.

Limitations for Switch Integration
This release is subject to the following limitations:
You must provide a switch IP address and an interface traffic flow ID for interfaces that need to be monitored for sFlow data.
The NEN discards sFlow data from an interface that it does not monitor.
The Illumio Core generates only IPv4 ACLs that can be applied to either the L3/Routed interfaces or Switch Virtual Interface (SVI) for L2 interfaces when they are a member of a VLAN. Whenever ACLs are applied to the SVI, workloads within the same VLAN can freely communicate regardless of policy.
This is a limitation of IPv4 ACLs on switches. Inter-VLAN or routed traffic will still be filtered by ACLs.
Requirements for Switch Integration
Illumio-provided PCE 20.2.0 or later and NEN 2.1.0 (includes NFC) software packages.
Cisco Nexus 9200 or 9300 or Arista 7000 series switch.
Workloads that are directly attached to the switch on L2 or L3 ports or on port channels.
Note
The NEN targets top-of-rack (TOR) switches that are directly attached to workloads, not core switches. For example, Cisco Nexus 9200 and 9300 (TOR) switches are supported, but the Cisco 9500 series switches are not supported.
Workflow for Setting up NEN Switch Integration
The following is an overview of the steps required for working with the NEN for switch integration:
In the PCE web console:
Define the switches.
Create unmanaged workloads.
Assign those unmanaged workloads to switch interfaces.
Create security policy rules to protect the workloads attached to the switches.
Use the PCE REST API or the PCE web console to generate switch ACLs based on your organization's security policies.
Copy and paste the generated ACLs to configure the switch via the switch's command line.
Using the PCE REST API or the PCE web console, inform the PCE that the ACLs have been loaded.
Result: The PCE-generated ACLs on the switch will protect the target workloads.
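To illustrate the label-to-ACL conversion described under Extended Policy Model and the ACL generation step of the workflow above, here is an added example (not Illumio's code and not the NEN's actual output format) that expands label-based rules over a constructed set of unmanaged workloads into an IPv4 allow-list ACL. The NX-OS style syntax, the single "role" label, and the workload and rule values are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str    # IPv4 only: the NEN generates IPv4 ACLs only
    role: str  # one "role" label stands in for the full Illumio label set


@dataclass(frozen=True)
class Rule:
    consumer_role: str
    provider_role: str
    proto: str  # "tcp" or "udp"
    port: int


def generate_acl(name, workloads, rules):
    """Expand label-based rules into an allow-list ACL ending in deny-all.

    Switch ACLs are stateless, so each entry also gets a return-path entry:
    TCP uses the 'established' keyword, UDP gets an explicit reverse entry.
    Assumed NX-OS 'ip access-list' syntax; sequence numbers step by 10.
    """
    lines = [f"ip access-list {name}"]
    seq = 10
    for rule in rules:
        consumers = [w for w in workloads if w.role == rule.consumer_role]
        providers = [w for w in workloads if w.role == rule.provider_role]
        for c in consumers:
            for p in providers:
                lines.append(f"  {seq} permit {rule.proto} host {c.ip} host {p.ip} eq {rule.port}")
                seq += 10
                if rule.proto == "tcp":
                    lines.append(f"  {seq} permit tcp host {p.ip} eq {rule.port} host {c.ip} established")
                else:
                    lines.append(f"  {seq} permit udp host {p.ip} eq {rule.port} host {c.ip}")
                seq += 10
    lines.append(f"  {seq} deny ip any any")  # explicit final deny for review clarity
    return lines


# Constructed sample: three unmanaged workloads and two label-based rules.
SAMPLE_WORKLOADS = [Workload("web01", "10.1.1.10", "web"),
                    Workload("app01", "10.1.2.20", "app"),
                    Workload("db01", "10.1.3.30", "db")]
SAMPLE_RULES = [Rule("web", "app", "tcp", 8080), Rule("app", "db", "tcp", 5432)]


def demo():
    return generate_acl("ILLUMIO-TEST", SAMPLE_WORKLOADS, SAMPLE_RULES)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that the generated entries only take effect on routed traffic: as stated in the limitations above, applying such an ACL to an SVI leaves intra-VLAN traffic unfiltered.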