Multiple clusters on Cisco ACI connectors
Multiple ACI clusters can be used to provide availability for external Cisco ACI SDN connector VMs. When creating a Cisco ACI SDN connector, configuring multiple IP addresses lets the FortiGate connect to the SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active at a time; the remaining VMs serve as backups that take over if the active one fails. FortiOS 6.4.9 and later versions support this feature.
In this example, two Cisco ACI cluster SDN connectors are configured (aci_robot_238 and aci_robot_239). Each cluster contains two Cisco ACI SDN connector VMs.
To create ACI cluster SDN connectors in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- Select Application Centric Infrastructure (ACI) and configure the following:
    Name: aci_robot_238
    Type: Set to FortiSDN Connector.
    IP: Enter two IP addresses: 10.6.30.38 and 10.6.30.238.
    Port: Set to Specify and enter 5671.
    Username: Enter the ACI username.
    Password: Enter the ACI password.
- Click OK.
- Repeat these steps to create another connector with the following settings:
    Name: aci_robot_239
    Type: Set to FortiSDN Connector.
    IP: Enter two IP addresses: 10.6.30.39 and 10.6.30.239.
    Port: Set to Specify and enter 5671.
    Username: Enter the ACI username.
    Password: Enter the ACI password.
To create dynamic addresses associated with the connectors in the GUI:
- Go to Policy & Objects > Addresses and click Create New > Address.
- Configure the following:
    Name: aci-add-App-238
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: aci_robot_238
    Tenant: Fortinet
    Endpoint Group Name: App1
- Click OK.
- Repeat these steps to create another dynamic address with the following settings:
    Name: aci-add-App-239
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: aci_robot_239
    Tenant: Fortinet
    Endpoint Group Name: App1
To test that firewall addresses can resolve the dynamic addresses based on the SDN connector in the GUI:
- Go to Policy & Objects > Addresses.
- Hover the cursor over an address. The tooltip shows the resolved addresses of the dynamic firewall address.
To create ACI cluster SDN connectors in the CLI:
config system sdn-connector
    edit "aci_robot_238"
        set type aci
        set server-list "10.6.30.38" "10.6.30.238"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "aci_robot_239"
        set type aci
        set server-list "10.6.30.39" "10.6.30.239"
        set server-port 5671
        set username "admin"
        set password **********
    next
end
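The availability this feature provides depends on each ACI connector actually listing more than one server. The following Python script is an added example, not part of this Fortinet page or of FortiOS: it parses a `config system sdn-connector` block (copied from the CLI or a backup) and flags any ACI connector whose `server-list` has fewer than two entries, so a configuration review catches a connector that has no backup SDN connector VM. The sample configuration is constructed: it contains the two connectors from this page plus a hypothetical third connector, `aci_single`, with only one server, to show the check firing.

```python
import shlex

# Constructed sample: the two connectors configured on this page, plus a
# hypothetical "aci_single" connector with a single server so that the audit
# has something to report. Passwords are masked exactly as in the CLI output.
SAMPLE_CONFIG = """\
config system sdn-connector
    edit "aci_robot_238"
        set type aci
        set server-list "10.6.30.38" "10.6.30.238"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "aci_robot_239"
        set type aci
        set server-list "10.6.30.39" "10.6.30.239"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "aci_single"
        set type aci
        set server-list "10.6.30.40"
        set server-port 5671
        set username "admin"
        set password **********
    next
end
"""


def parse_sdn_connectors(text):
    """Parse a FortiOS 'config system sdn-connector' block.

    Returns {connector_name: {setting: [values, ...]}}. Values are split with
    shlex so quoted entries such as "10.6.30.38" "10.6.30.238" become a list.
    """
    connectors = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            connectors[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            connectors[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return connectors


def audit_aci_redundancy(connectors, min_servers=2):
    """Return one finding per ACI connector that lacks a backup SDN connector VM.

    Connectors of other types are ignored; only 'set type aci' entries are
    expected to carry a multi-entry server-list for round-robin failover.
    """
    findings = []
    for name, attrs in connectors.items():
        if attrs.get("type") != ["aci"]:
            continue
        servers = attrs.get("server-list", [])
        if len(servers) < min_servers:
            findings.append(
                f"{name}: only {len(servers)} server(s) in server-list, no failover"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_sdn_connectors(SAMPLE_CONFIG)
    for name, attrs in parsed.items():
        print(name, attrs.get("server-list"))
    for finding in audit_aci_redundancy(parsed):
        print("WARNING:", finding)
```

Run it as-is to audit the constructed sample, or replace `SAMPLE_CONFIG` with the output of `show system sdn-connector` from a FortiGate. The parser deliberately keeps every `set` value as a list, so the same function can be reused to check `server-port` (5671 on this page) or `type` without special cases.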
To create dynamic addresses associated with the connectors in the CLI:
config firewall address
    edit "aci-add-App-238"
        set type dynamic
        set sdn "aci_robot_238"
        set color 17
        set tenant "Fortinet"
        set epg-name "App1"
    next
    edit "aci-add-App-239"
        set type dynamic
        set sdn "aci_robot_239"
        set color 17
        set tenant "Fortinet"
        set epg-name "App1"
    next
end
To test that firewall addresses can resolve the dynamic addresses based on the SDN connector in the CLI:
- Check the aci-add-App-238 address:
# diagnose firewall dynamic address aci-add-App-238
aci_robot_238.aci.Fortinet.App1.*: ID(90)
        ADDR(244.141.232.3)
        ADDR(124.37.216.5)
        ADDR(178.77.227.6)
        ...
        ADDR(87.26.255.252)
        ADDR(31.45.199.254)
        ADDR(154.149.224.254)
Total dynamic list entries: 1.
Total dynamic addresses: 150
Total dynamic ranges: 0
- Check the aci-add-App-239 address:
# diagnose firewall dynamic address aci-add-App-239
aci_robot_239.aci.Fortinet.App1.*: ID(91)
        ADDR(57.244.141.1)
        ADDR(42.204.249.3)
        ADDR(113.20.146.15)
        ...
        ADDR(21.90.161.213)
        ADDR(156.8.243.247)
        ADDR(79.85.64.251)
Total dynamic list entries: 1.
Total dynamic addresses: 30
Total dynamic ranges: 0
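A practitioner usually wants the resolution check above to run unattended, so that a dynamic address silently resolving to nothing (the EPG name no longer matches, or every SDN connector VM in the cluster is unreachable) is noticed before the policies that reference it stop matching traffic. The Python below is an added example, not part of this page or of FortiOS: it parses text in the shape of the `diagnose firewall dynamic address` output shown above, extracts the list entry, its ID and the resolved addresses, and reports when the address belongs to a different connector than expected, resolved to no endpoints, or lists a different number of `ADDR(...)` entries than the `Total dynamic addresses` line claims. Both samples are constructed with made-up addresses; unlike the 150-entry list on the page they are short and not truncated with `...`.

```python
import ipaddress
import re

# Constructed sample in the format of 'diagnose firewall dynamic address'.
# The addresses are made up and the list is complete (no "..." truncation).
SAMPLE_RESOLVED = """\
aci_robot_238.aci.Fortinet.App1.*: ID(90)
        ADDR(244.141.232.3)
        ADDR(124.37.216.5)
        ADDR(178.77.227.6)
Total dynamic list entries: 1.
Total dynamic addresses: 3
Total dynamic ranges: 0
"""

# Constructed sample of a dynamic address that resolved to no endpoints.
SAMPLE_EMPTY = """\
aci_robot_239.aci.Fortinet.App1.*: ID(91)
Total dynamic list entries: 1.
Total dynamic addresses: 0
Total dynamic ranges: 0
"""

# "<connector>.aci.<tenant>.<epg>.*: ID(<n>)" header line of a list entry.
ENTRY_RE = re.compile(r"^(\S+):\s+ID\((\d+)\)", re.MULTILINE)
# Each resolved endpoint is printed as ADDR(<ip>).
ADDR_RE = re.compile(r"ADDR\(([0-9A-Fa-f.:]+)\)")
TOTAL_RE = re.compile(r"Total dynamic addresses:\s*(\d+)")


def parse_dynamic_address(text):
    """Parse one 'diagnose firewall dynamic address <name>' output block.

    Returns a dict with the entry name, its ID, the list of resolved addresses
    (normalised through the ipaddress module, so garbage raises ValueError)
    and the total the firewall reported.
    """
    entry = ENTRY_RE.search(text)
    total = TOTAL_RE.search(text)
    addresses = [str(ipaddress.ip_address(a)) for a in ADDR_RE.findall(text)]
    return {
        "entry": entry.group(1) if entry else None,
        "id": int(entry.group(2)) if entry else None,
        "addresses": addresses,
        "total": int(total.group(1)) if total else None,
    }


def check_resolution(parsed, expected_connector):
    """Return a list of problems; an empty list means the address resolved as expected."""
    problems = []
    entry = parsed["entry"]
    # The entry name is prefixed with the SDN connector name, e.g. aci_robot_238.aci...
    if entry is None or not entry.startswith(expected_connector + "."):
        problems.append(
            f"entry {entry!r} does not belong to connector {expected_connector}"
        )
    if parsed["total"] == 0 or not parsed["addresses"]:
        problems.append("dynamic address resolved to no endpoints")
    elif parsed["total"] is not None and parsed["total"] != len(parsed["addresses"]):
        problems.append(
            f"listed {len(parsed['addresses'])} addresses but total says {parsed['total']}"
        )
    return problems


if __name__ == "__main__":
    for label, sample, connector in (
        ("aci-add-App-238", SAMPLE_RESOLVED, "aci_robot_238"),
        ("aci-add-App-239", SAMPLE_EMPTY, "aci_robot_239"),
    ):
        parsed = parse_dynamic_address(sample)
        print(label, parsed["entry"], len(parsed["addresses"]), "address(es)")
        for problem in check_resolution(parsed, connector):
            print("  PROBLEM:", problem)
```

Feed it the full, untruncated diagnose output captured over SSH; the count comparison only makes sense when the address list is not abbreviated with `...` as it is in the page's excerpt. The connector-prefix check catches a dynamic address that was accidentally bound to the other cluster's connector.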