Reassign NENs from One PCE to Another in a Supercluster
When deploying a Supercluster, you might want to “move” Network Enforcement Nodes (NENs) that have been paired to one PCE so that they are managed by a different PCE in the Supercluster. For example, you expand your single standalone PCE into a Supercluster and you want to reassign some of your existing NENs to be managed by the nearest PCE. In this case, you can reconfigure the NENs so that they use a different PCE FQDN to communicate with the proper PCE.
Reassign a NEN in a Supercluster Using a Command Line
You can use a command line to move a NEN from one PCE to another PCE in the same supercluster. When a NEN is moved in this way, associated Server Load Balancers maintain policy for managed virtual servers. After the PCE database is restored, the moved NEN remains connected to the new PCE. The command for moving a NEN is:
illumio-nen-ctl pce-host-update <pce-host-addr>:<port>
Reassign a NEN in a Supercluster Using the Illumio Core REST API
Important
This feature applies only to customers running Illumio Core 22.2.10. If you are running versions 22.2.x or earlier, this feature is unavailable.
Using the Illumio Network Enforcement Node API, you change the target PCE of the NEN to the PCE you want to reassign the NEN to. The PCE that is currently managing the NEN sends the NEN the FQDN of the new target PCE; the NEN begins heartbeating to – and receiving its policy updates from – that PCE. The active PCE of the NEN is now the same as the target PCE.
Note
Manually moving a NEN to a different PCE using the REST API is subject to the object limit active_agents_per_pce. For more information, see Object Limits and Supercluster.
Active and Target PCE
Before reassigning NENs to another PCE, you need to understand these terms: active PCE and target PCE. These terms correspond to two properties that are added to a NEN on pairing.
active_pce_fqdn: The PCE that is currently managing a NEN; namely, the PCE to which the NEN last sent a heartbeat.
target_pce_fqdn: The PCE that is configured to manage this NEN or the FQDN of the Supercluster (when you configured the supercluster.fqdn property in your runtime_env.yml file).
NEN Reassignment Workflow
This section assumes you are familiar with the basic concepts and usage of the Illumio Core REST API.
Important
Before reassigning a NEN to a new PCE, make sure that the active and target PCE are fully operational and at runlevel 5. Also, ensure that both nodes of a NEN HA pair are up and running runlevel 5, and running NEN-2.4.0 or later.
The workflow to reassign a NEN to a different PCE includes these general tasks:
GET network_enforcement_nodes: To find the HREF of the NEN, GET a collection of NENs from the PCE.
Identify NEN HREF: The NENs GET response includes the NEN HREF and the associated hostname of the NEN.
Identify active PCE FQDN of NEN: The NENs GET schema returns two properties: one that indicates the FQDN of the PCE that is actively managing the NEN (active_pce_fqdn) and a second that allows you to use a different “target” PCE FQDN (target_pce_fqdn) to manage the NEN.
Change target PCE FQDN of NEN: Update (PUT) the target_pce_fqdn property so that the NEN can be managed by a different PCE in your Supercluster.
Get NENs
To get the HREF of a NEN, get a collection of NENs. You can GET up to 500 NENs at a time. When you know the HREF of an individual NEN, you can skip this step.
To get a collection of NENs, you use this URI:
GET [api_version][org_href]/network_enforcement_nodes
For example, using curl:
curl -u api_xxxxxxx64fcee809:'xxxxxx5048a6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95' -H "Accept: application/json" -X GET https://my.pce.supercluster:443/api/v1/orgs/7/network_enforcement_nodes
Identify NEN HREF in Response
The JSON response from getting NENs provides information about the NEN when the NEN was paired with the PCE. In this response, you identify the NEN by its HREF.
For example, in the section that shows the NEN, its active PCE (active_pce_fqdn) and the target PCE (target_pce_fqdn) are the same. This does not change until you perform the reassignment.
[
  {
    "href": "/orgs/3/network_enforcement_nodes/05509c61-19b3-456a-8336-36a7cf07976b",
    "hostname": "nen1.example.com",
    "public_ip": "nen1.example.com",
    "name": "Illumio Network Enforcement Node - nen1.example.com",
    "software_version": "2.4.0",
    "last_status_at": "2022-06-19T23:43:52.204Z",
    "uptime_seconds": 519237,
    "network_devices": [
      { "href": "/orgs/3/network_devices/ffefd599-f169-4f54-9377-69fb04b0bc84" }
    ],
    "supported_devices": [
      {
        "device_type": "slb",
        "manufacturers": [
          { "manufacturer": "AVI", "models": [ { "model": "Vantage" } ] },
          { "manufacturer": "F5", "models": [ { "model": "Big-IP AFM" }, { "model": "Big-IP LTM" } ] }
        ]
      },
      {
        "device_type": "switch",
        "manufacturers": [
          { "manufacturer": "Arista", "models": [ { "model": "7000" } ] },
          { "manufacturer": "Cisco", "models": [ { "model": "9000" } ] }
        ]
      }
    ],
    "target_pce_fqdn": "pce1.example.com",
    "active_pce_fqdn": "pce1.example.com",
    "conditions": []
  },
  {
    "href": "/orgs/3/network_enforcement_nodes/f67d35d5-ea71-42da-b40d-8dcc3b1420c2",
    "hostname": "nen2.example.com",
    "public_ip": "nen2.example.com",
    "name": "Illumio Network Enforcement Node - nen2.example.com",
    "software_version": "2.4.0",
    "last_status_at": null,
    "uptime_seconds": null,
    "network_devices": [],
    "supported_devices": [
      {
        "device_type": "slb",
        "manufacturers": [
          { "manufacturer": "AVI", "models": [ { "model": "Vantage" } ] },
          { "manufacturer": "F5", "models": [ { "model": "Big-IP AFM" }, { "model": "Big-IP LTM" } ] }
        ]
      },
      {
        "device_type": "switch",
        "manufacturers": [
          { "manufacturer": "Arista", "models": [ { "model": "7000" } ] },
          { "manufacturer": "Cisco", "models": [ { "model": "9000" } ] }
        ]
      }
    ],
    "target_pce_fqdn": "pce1.example.com",
    "active_pce_fqdn": "pce1.example.com",
    "conditions": []
  }
]
Change Target PCE
When you have the NEN HREF, you can update the target PCE with the PCE FQDN the NEN will use. In your JSON request body, pass the following data:
{ "target_pce_fqdn": "new-pce-fqdn.example.com" }
The URI for this operation:
PUT [api_version][nen_href]/update
This curl example shows how you can pass the target_pce_fqdn property containing the FQDN of the new PCE:
curl -u api_xxxxxxx64fcee809:'xxxxxxx5048a6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95' -H "Accept: application/json" -H "Content-Type:application/json" -X PUT -d '{"target_pce_fqdn":"new-pce.example.com"}' https://my.pce.supercluster:443/api/v1/orgs/3/network_enforcement_nodes/f67d35d5-ea71-42da-b40d-8dcc3b1420c2/update
Validate NEN Reassignment
To validate that the NEN reassignment was successful, verify that the active PCE matches the target PCE. Perform a GET request on the NEN using the associated NEN HREF. The target and active PCE FQDN should be the same. When the operation is successful, the response returns an HTTP 204 code indicating success.
Note
Reassigning a NEN to a different PCE can take up to 5 minutes to complete.
For example:
{
  "href": "/orgs/3/network_enforcement_nodes/f67d35d5-ea71-42da-b40d-8dcc3b1420c2",
  "hostname": "nen2.example.com",
  "public_ip": "nen2.example.com",
  "name": "Illumio Network Enforcement Node - nen2.example.com",
  "software_version": "2.4.0",
  "last_status_at": null,
  "uptime_seconds": null,
  "network_devices": [],
  "supported_devices": [
    {
      "device_type": "slb",
      "manufacturers": [
        { "manufacturer": "AVI", "models": [ { "model": "Vantage" } ] },
        { "manufacturer": "F5", "models": [ { "model": "Big-IP AFM" }, { "model": "Big-IP LTM" } ] }
      ]
    },
    {
      "device_type": "switch",
      "manufacturers": [
        { "manufacturer": "Arista", "models": [ { "model": "7000" } ] },
        { "manufacturer": "Cisco", "models": [ { "model": "9000" } ] }
      ]
    }
  ],
  "target_pce_fqdn": "new-pce-fqdn.example.com",
  "active_pce_fqdn": "new-pce-fqdn.example.com",
  "conditions": []
}
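The whole workflow above (GET the collection, pick the NEN by hostname, PUT the new target, poll until the active PCE matches the target) as an added Python example; it is not Illumio's own code. The environment variable names PCE_API_KEY and PCE_API_SECRET, the function names, and the 15-second poll interval are assumptions made for this example; the URIs, the NEN 2.4.0 minimum, and the 5-minute limit come from the page.

```python
import base64, json, os, re, time, urllib.request

def api(method, url, body=None):
    """Real transport. Credentials come from the environment (hypothetical
    variable names), so the API secret never appears in argv or shell history."""
    cred = f"{os.environ['PCE_API_KEY']}:{os.environ['PCE_API_SECRET']}".encode()
    req = urllib.request.Request(
        url, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": "Basic " + base64.b64encode(cred).decode()})
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def version_ok(version, minimum=(2, 4, 0)):
    """The page requires NEN 2.4.0 or later before a reassignment."""
    nums = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums))) >= minimum

def find_nen(nens, hostname):
    """Return the single NEN with this hostname; refuse ambiguous matches."""
    hits = [n for n in nens if n["hostname"] == hostname]
    if len(hits) != 1:
        raise LookupError(f"expected one NEN named {hostname}, found {len(hits)}")
    return hits[0]

def reassign(base, org_href, hostname, new_fqdn, call=api,
             sleep=time.sleep, timeout=300, interval=15):
    """GET the collection, PUT the new target, then poll until active == target.
    base is the URL up to the API version, e.g. https://pce.example.com:443/api/v1"""
    _, nens = call("GET", f"{base}{org_href}/network_enforcement_nodes")
    nen = find_nen(nens, hostname)
    if not version_ok(nen["software_version"]):
        raise RuntimeError(f"{hostname} runs NEN {nen['software_version']}, need 2.4.0+")
    call("PUT", f"{base}{nen['href']}/update", {"target_pce_fqdn": new_fqdn})
    waited = 0
    while True:
        _, cur = call("GET", f"{base}{nen['href']}")
        if cur["active_pce_fqdn"] == cur["target_pce_fqdn"] == new_fqdn:
            return cur
        if waited >= timeout:  # the page allows up to 5 minutes (300 s)
            raise TimeoutError(f"{hostname} still active on {cur['active_pce_fqdn']}")
        sleep(interval)
        waited += interval
```

The call and sleep parameters exist so the polling logic can be exercised against a stub before it is pointed at a production PCE.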