FGCP over FGSP with ACI integration with example
In this example, the configuration is achieved using FortiGate 1101E running FortiOS 6.4.2 and Cisco ACI 5.2.
The following diagram shows the topology for this example configuration, which consists of two pods.
The configuration has the following settings:
- Each pod contains a FGCP cluster with two FortiGate 110Es.
- The pods communicate via their IPNs.
- The clusters share the same HA group ID, 112.
- The clusters share the same VLAN, VLAN801, with IP address 172.16.88.1/24.
- The clusters have different HA passwords.
- Peer IP interfaces are configured as follows. If you do not disable the port that the other cluster is using for its peer IP interface, the peer IP interface connected to the switch will detect the same VMAC over multiple interfaces, due to having the same HA group ID with the same VMAC with interfaces enabled:
- For cluster1, the peer IP interface is under port2. Port5 is disabled on cluster1 FortiGates.
- For cluster2, the peer IP interface is under port5. Port2 is disabled on cluster2 FortiGates.
- There is session synchronization between the two clusters. Session synchronization is configured as follows. If you do not disable the port that the other cluster is using for session synchronization, session synchronization does not work as it is unable to learn the peer FGCP VMAC, due to having the same HA group ID with the same VMAC with interfaces enabled.
- Cluster1 uses port3 for session synchronization. Port6 is disabled on cluster1 FortiGates.
- Cluster2 uses port6 for session synchronization. Port3 is disabled on cluster2 FortiGates.
- Both clusters have the state of the session and the session will not be dropped.
In a production environment, configuring multiple session-sync-dev
interfaces for load balancing session sync packets is recommended.
The following diagram provides a more detailed view of what occurs at the leaf level. Each pod contains a Tenant (here named "Unmanage"), which contains three BDs: Web, App, and FwSvc_OneArm-BD. The Web and App BDs each contain an EPG with a virtual machine. A contract defines communication between the Web and App EPGs. Traffic flow between the Web and APP EPGs uses the PBR policy to flow to the FortiGate for inspection, and to its destination after inspection.
The following steps assume that a tenant is already created.
You must configure the deployment on the Cisco APIC management console, then configure the necessary options in FortiOS.