Overview of Switch Integration
Note
In the NEN Guide, the term "switch" refers to both switches and routers.
The Illumio Network Enforcement Node (NEN) is the Illumio Core switch interface, which allows you to get visibility and enforcement on switches. Using the NEN, you can secure workloads that are attached to network switches. You can use the NEN to generate access control lists (ACLs) and load those on your switches to protect the ports to which your workloads are attached.
How the NEN Receives Switch Data
You can configure your switches to send flow data to a flow data collector, such as the NEN. An Illumio Core administrator can configure the NEN to listen for flow data from switches and associate workloads to those switches. The NEN receives flow data directly from the switches, summarizes it, and uploads it to the PCE. You can view this traffic flow in the Illumination® map and stream it out of the PCE through UDP in Splunk, CEF, or LEEF formats.
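The following Python example, added here to illustrate the collection step described above and not part of Illumio's NEN code, models a minimal flow collector: it keeps only records from (switch IP, interface flow ID) pairs that have been configured for monitoring, aggregates the rest per connection, and formats one summary as a CEF line. The record layout, the monitored set, the sample records and the CEF vendor/product fields are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical per-flow record as a switch exporter might report it
# (constructed for this example; not the NEN's actual record format).
@dataclass(frozen=True)
class FlowRecord:
    switch_ip: str
    interface_id: int   # the interface traffic flow ID the NEN must be told about
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    nbytes: int

# (switch IP, interface flow ID) pairs configured for monitoring (constructed).
MONITORED = {("10.0.0.1", 5), ("10.0.0.1", 6)}

def summarize(records, monitored=MONITORED):
    """Aggregate raw flow records into per-connection (bytes, flow count) totals.
    Records from an unmonitored switch or interface are discarded and counted."""
    totals = {}
    dropped = 0
    for r in records:
        if (r.switch_ip, r.interface_id) not in monitored:
            dropped += 1
            continue
        key = (r.src_ip, r.dst_ip, r.proto, r.dst_port)
        seen_bytes, seen_flows = totals.get(key, (0, 0))
        totals[key] = (seen_bytes + r.nbytes, seen_flows + 1)
    return totals, dropped

def _cef_header(field):
    # CEF header fields escape '|' and '\' with a backslash.
    return str(field).replace("\\", "\\\\").replace("|", "\\|")

def to_cef(key, total, vendor="ExampleVendor", product="FlowSummary"):
    """Render one aggregated connection as a CEF event line.
    Extension keys src/dst/proto/dpt/cnt/in are standard CEF dictionary keys."""
    src, dst, proto, dport = key
    nbytes, flows = total
    header = "|".join(_cef_header(f) for f in
                      ("CEF:0", vendor, product, "1.0", "flow", "Traffic summary", "3"))
    ext = f"src={src} dst={dst} proto={proto} dpt={dport} cnt={flows} in={nbytes}"
    return f"{header}|{ext}"

# Constructed sample records: two monitored interfaces, one unmonitored
# interface on the same switch, and one record from an unknown switch.
SAMPLE = [
    FlowRecord("10.0.0.1", 5, "192.0.2.10", "192.0.2.20", "tcp", 3306, 1200),
    FlowRecord("10.0.0.1", 5, "192.0.2.10", "192.0.2.20", "tcp", 3306, 800),
    FlowRecord("10.0.0.1", 6, "192.0.2.30", "192.0.2.20", "tcp", 22, 300),
    FlowRecord("10.0.0.1", 9, "192.0.2.40", "192.0.2.20", "tcp", 22, 500),
    FlowRecord("10.0.0.2", 5, "192.0.2.50", "192.0.2.20", "tcp", 443, 700),
]

if __name__ == "__main__":
    totals, dropped = summarize(SAMPLE)
    print(f"dropped {dropped} record(s) from unmonitored interfaces")
    for key, total in totals.items():
        print(to_cef(key, total))
```

The `dropped` counter is worth surfacing operationally: a non-zero value usually means an interface is exporting flows but was never registered with its switch IP and interface flow ID, so its traffic is silently absent from Illumination.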

Extended Policy Model
The Illumio policy model encompasses workloads with native stateful firewalls built in, such as Linux iptables or the Windows Filtering Platform. Although not all systems have a built-in firewall, they still have segmentation requirements. To solve this use case, Illumio has extended its policy model to switches.
Illumio administrators can use the NEN to convert natural language policies into ACLs, which the switches understand natively. Your organization's teams that use Illumio Core can download ACLs from the PCE and provide them to the networking team for review before applying new policies to the switches.
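The following Python example, added here to illustrate the conversion described above and not Illumio's own ACL generator, expands label-based rules ("web may reach db on tcp/3306") into Cisco-style extended ACL lines. Workload names, IP addresses, labels and the ACL name are constructed; the `established` return-direction entries and the closing `deny ip any any` are this example's design choices, reflecting that a switch ACL is stateless and has no implicit allow for the policy's reverse path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset          # set of (key, value) label pairs

@dataclass(frozen=True)
class Rule:
    consumer: dict             # label selector for the side that initiates
    provider: dict             # label selector for the side that listens
    proto: str                 # "tcp" or "udp"
    port: int

def matches(workload, selector):
    """A selector matches when every (key, value) it names is on the workload."""
    return all((k, v) in workload.labels for k, v in selector.items())

def compile_acl(rules, workloads, acl_name):
    """Expand label-based rules into a stateless extended ACL.

    For each matching (consumer, provider) pair emit a forward permit and, for
    TCP, a reverse 'established' permit so replies are not dropped. Everything
    the policy does not allow falls through to the explicit deny at the end.
    """
    lines = [f"ip access-list {acl_name}"]
    seq, seen = 10, set()
    for rule in rules:
        consumers = [w for w in workloads if matches(w, rule.consumer)]
        providers = [w for w in workloads if matches(w, rule.provider)]
        for c in consumers:
            for p in providers:
                if c.ip == p.ip:
                    continue        # traffic to self never crosses the switch
                entry = (c.ip, p.ip, rule.proto, rule.port)
                if entry in seen:
                    continue        # two rules may expand to the same pair
                seen.add(entry)
                lines.append(f"  {seq} permit {rule.proto} host {c.ip} host {p.ip} eq {rule.port}")
                seq += 10
                if rule.proto == "tcp":
                    lines.append(f"  {seq} permit tcp host {p.ip} eq {rule.port} host {c.ip} established")
                    seq += 10
    lines.append(f"  {seq} deny ip any any")
    return lines

# Constructed sample inventory and policy.
WORKLOADS = [
    Workload("web1", "192.0.2.10", frozenset({("role", "web"), ("env", "prod")})),
    Workload("web2", "192.0.2.11", frozenset({("role", "web"), ("env", "prod")})),
    Workload("db1",  "192.0.2.20", frozenset({("role", "db"),  ("env", "prod")})),
]
RULES = [Rule({"role": "web", "env": "prod"}, {"role": "db", "env": "prod"}, "tcp", 3306)]

if __name__ == "__main__":
    print("\n".join(compile_acl(RULES, WORKLOADS, "EXAMPLE-PROD-DB")))
```

Reviewing output like this before it is applied is exactly the hand-off to the networking team the text describes: the reviewer can see every expanded pair, confirm the return-path entries, and confirm that the list ends in a deny.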

Limitations for Switch Integration
Note
Refer to your vendor-provided documentation for information about where port and protocol addresses can be applied.
This release is subject to the following limitations:
You must provide a switch IP address and an interface traffic flow ID for interfaces that need to be monitored for flow data.
The NEN discards flow data from an interface that it does not monitor.
The Illumio Segmentation for Data Centers generates IPv4 and (beginning in NEN release 2.7.0) IPv6 ACLs that can be applied either to L3/Routed interfaces or to the Switch Virtual Interface (SVI) of L2 interfaces that are members of a VLAN. Whenever ACLs are applied to the SVI, workloads within the same VLAN can freely communicate regardless of policy, because intra-VLAN traffic is switched at Layer 2 and never passes through the SVI where the ACL is evaluated.
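The following Python example, added here to make the SVI limitation above concrete and not part of Illumio's product, models where a switch ACL is actually evaluated: a flow between two hosts in the same VLAN is bridged and never reaches the SVI, whereas inter-VLAN and routed-port traffic does. It also includes a small audit that lists the same-VLAN pairs an SVI-applied ACL cannot protect. Hosts, VLAN numbers, IP addresses and the ACL entries are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    ip: str
    vlan: Optional[int]        # None means the host sits on a routed (L3) port

def acl_permits(acl, src, dst, proto, port):
    """First-match evaluation of (action, src, dst, proto, port) entries.
    'any' is a wildcard; no match means the implicit deny applies."""
    for action, a_src, a_dst, a_proto, a_port in acl:
        if (a_src in ("any", src) and a_dst in ("any", dst)
                and a_proto in ("any", proto) and a_port in ("any", port)):
            return action == "permit"
    return False

def is_enforced(src, dst, acl, proto, port):
    """Return (reaches_acl, permitted) for one flow.

    Same-VLAN traffic is forwarded at L2 and never hits the SVI, so the ACL is
    not consulted and the flow passes whatever the policy says. Inter-VLAN and
    routed-port traffic is routed and therefore filtered by the ACL.
    """
    if src.vlan is not None and src.vlan == dst.vlan:
        return False, True
    return True, acl_permits(acl, src.ip, dst.ip, proto, port)

def unprotected_pairs(hosts):
    """Audit helper: every ordered (src, dst) pair that shares a VLAN and is
    therefore invisible to an ACL applied on that VLAN's SVI."""
    pairs = []
    for a in hosts:
        for b in hosts:
            if a is not b and a.vlan is not None and a.vlan == b.vlan:
                pairs.append((a.ip, b.ip))
    return pairs

# Constructed sample topology: two web hosts in VLAN 10, a database in VLAN 20,
# and an app host on a routed port.
WEB1 = Host("192.0.2.10", 10)
WEB2 = Host("192.0.2.11", 10)
DB1  = Host("192.0.2.20", 20)
APP1 = Host("198.51.100.5", None)

# Constructed ACL: only web1 may reach db1 on tcp/3306; everything else is denied.
ACL = [
    ("permit", "192.0.2.10", "192.0.2.20", "tcp", 3306),
    ("deny",   "any",        "any",        "any", "any"),
]

if __name__ == "__main__":
    for s, d, proto, port in [(WEB1, WEB2, "tcp", 22), (WEB1, DB1, "tcp", 3306),
                              (WEB2, DB1, "tcp", 22), (APP1, DB1, "tcp", 3306)]:
        hit, ok = is_enforced(s, d, ACL, proto, port)
        print(f"{s.ip} -> {d.ip} {proto}/{port}: "
              f"{'filtered' if hit else 'NOT filtered (same VLAN)'}, "
              f"{'allowed' if ok else 'denied'}")
    print("pairs the SVI ACL cannot protect:", unprotected_pairs([WEB1, WEB2, DB1, APP1]))
```

The practical reading of the audit output is that intra-VLAN segmentation on this switch model needs a different enforcement point (for example, separate VLANs or host-based enforcement on the workloads themselves) rather than more ACL entries.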
Requirements for Switch Integration
Cisco Nexus 9200 or 9300 or Arista 7000 series switches (requires NEN release 2.1.0 or later and PCE release 20.2.0 or later)
Cisco IOS XR series routers (requires NEN release 2.7.0 or later and PCE release 25.3 SaaS or later)
Workloads that are directly attached to the switch on L2 or L3 ports or on port channels
Note
NEN releases 2.6.4 and earlier
The NEN targets top-of-rack (TOR) switches that are directly attached to the workload and not the core switches. For example, Cisco Nexus 9200 and 9300 switches are supported, but the Cisco 9500 series switches are not supported.
NEN releases 2.7.0 and later
The NEN targets top-of-rack (TOR) switches. For example, Cisco Nexus 9200 and 9300 switches and Cisco IOS XR series routers are supported, but the Cisco 9500 series switches are not supported.
Workflow for Setting up NEN Switch Integration
The following is an overview of the steps required for working with the NEN for switch integration:
In the PCE web console:
Define the switches.
Create unmanaged workloads.
Assign those unmanaged workloads to switch interfaces.
Create security policy rules to protect the workloads attached to the switches.
Use the PCE REST API or the PCE web console to generate switch ACLs based on your organization's security policies.
Get the generated ACLs onto the switch either manually or automatically, depending on your integration method (UI or API) and the switch model:
Cisco Nexus 9200 and 9300 series switches; Arista 7000 series switches: Use the switch's command line to manually copy and paste the generated ACLs to configure the switch.
Streamlined OVS integration through the PCE API: If you are integrating with OVS via the PCE API, you can enter the IP address and credentials for the OVS switch and the NEN will automatically:
Discover the switch configuration
Program flow monitoring on the switch
Discover and create workloads in the PCE
Program the ACLs on the OVS
Using the PCE REST API or the PCE web console, inform the PCE that the ACLs have been loaded.
Result: The PCE-generated ACLs on the switch will protect the target workloads.