Illumio: Micro-Segmentation via the Endpoint

Peter Welcher
Architect, Operations Technical Advisor

This is one of several blogs about the vendor presentations during Network Field Day 19, which took place November 7-9, 2018. This blog contains a summary of the vendor presentations and (of course) my comments or opinions (I’ll share at least some of them).

If this blog motivates you to greater interest in what the vendor had to say, you can find the cleaned up streaming video of their presentations at the Tech Field Day YouTube channel, specifically the NFD19 playlist, or by clicking on the vendor’s logo on the main #NFD19 web page (linked above).

About Illumio

Let’s talk about Illumio. Illumio perhaps had the best demos of NFD19, and maybe even the best ever!

Presentation by Matt Glenn, Vice President of Product Management, Illumio

Let’s go over the basics of what Illumio does, and then a bit about the demos. So, what does the Illumio product do?

Illumio’s Adaptive Security Platform (ASP) provides a rather different approach to micro-segmentation. ASP does enforcement via a Virtual Enforcement Node (VEN) agent at the workload level, providing host / process, VM, or container-based micro-segmentation and traffic visibility. Each agent acts as a sensor, tracking various KPIs including packets / flows.

The flows are collected by the Policy Compute Engine (PCE). The GUI provides application dependency mapping (ADM) and a multi-level zoomable diagram. You can then use the GUI to create application groups (e.g. web / app / DB tiers, or groupings of micro-services), propose a security policy for them based on observed flows. You may then edit and test or enforce the policy. When you do that, the PCE instantiates the policy in the endpoints.

From their web page, Illumio can also automate ACLs in load balancers and switches, but the #NFD19 presentations and demos didn’t go into that.

The centralized policies built in the ASP Policy Compute Engine (PCE) use labels rather than IP addresses. It is up to you to assign the labels to nodes.

In test mode, the deployed policy in effect ends with “permit any any log” and alerts you to any observed traffic that did not match an ACL rule. You then let the policy “cook” for some period of time to catch quarterly or annual-only application traffic flows, if you so wish. Enforce mode can also alert you to blocked flows.

The actual PCE is typically a cluster of VM’s.

Announced / New!

Illumio announced that they now support a PCE SuperCluster. I’d say, “cluster cluster”, but that might give the wrong idea. Think hierarchical clustering. The idea is to replicate policy between regional PCE clusters to support a global, highly scalable, and highly available policy control mechanism.

Illumio also does vulnerability mapping, ID’ing vulnerabilities on the various workloads. This allows automated mitigation (after review / approval) to block inbound traffic to exploitable ports. Illumio obtains and integrates the vulnerability data for you.

Those Amazing Demos

Illumio spent most of their NFD19 session demonstrating. And what impressive demos!

Illumio had set up 3 regions as literal AWS regions (Virginia, California, Frankfurt), with 75,000 simulated workloads (OS instances) in each. A workload is bare metal, VM, or container. The SuperCluster then managed all of that.

The demos covered:

  1. Global Visibility
  2. Global Policy Portability
  3. Intra Region Resiliency
  4. PCE Disaster Recovery
  5. Vulnerability-Based Segmentation

I’ll refer you to the videos for the details.

Teaser: if you pay close attention, you can see that the presenter, Matt Glenn, introduced each new topic by pulling on a new T-shirt over the existing shirt stack. That made it all hot stuff (at least for Matt)!


This is pretty cool stuff. It is automated leveraging of endpoints, rather than dedicated firewalls, to provide uniform micro-segmentation onsite or in the cloud. The focus is on the segmentation and policy, i.e. omits the connectivity and automation aspects of Cisco ACI and VMware. Put differently: platform vendor neutral.


Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!


Hashtags: #CiscoChampion #TheNetCraftsmenWay #Illumio #NFD19 #MicroSegmentation

Twitter: @pjwelcher

Disclosure Statement
Cisco Certified 20 Years

NetCraftsmen Services

Did you know that NetCraftsmen does network /datacenter / security / collaboration design / design review? Or that we have deep UC&C experts on staff, including @ucguerilla? For more information, contact us at

Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.