Fortinet Document Library

New Features

6.4.0

Multiple IP addresses on Cisco ACI connectors 6.4.4

Multiple server IP addresses can be included for the Cisco APIC cluster active and standby hosts when configuring a Cisco ACI direct SDN connector. Only one server is active, and the rest serve as backups in case the active server fails. The FortiGate checks the status of the servers, and selects one as the active server according to the order of the IP addresses in the list. If the active server fails, the FortiGate changes to the next one down on the list.

To create an ACI direct SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. Select Application Centric Infrastructure (ACI) and configure the following:

    Name

    Enter a name for the connector. In this example: aci_direct1

    Type

    Set to Direct Connection.

    IP

    Enter two IP addresses. In this example: 172.18.64.18 and 172.18.64.19

    Username

    The ACI username.

    Password

    The ACI password.

  3. Click OK.

To create a dynamic address associated with the connector in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

  2. Configure the address:

    Name

    Enter a name for the address. In this example: aci_add1

    Type

    Dynamic

    Sub Type

    Fabric Connector Address

    SDN Connector

    Select the connector just created: aci_direct1

    Filter

    Enter at least one filter. In this example: Application=lzou-app

  3. Click OK.

To test that the connector is working as expected in the GUI:
  1. Go to Security Fabric > External Connectors and hover the cursor over the aci_direct1 connector to check which server is selected as the active server. The tooltip shows the IP addresses of both servers, highlighting the active server in bold. In this case: 172.18.64.18.

  2. Go to Policy & Objects > Addresses and hover the cursor over the aci_add1 address. The tooltip shows the resolved addresses of the dynamic firewall address.

  3. If the current active server fails, the FortiGate will choose the next server as the active server. In this case: 172.18.64.19.

  4. Recheck the resolved addresses (Step 2) to confirm that they still resolve correctly.

To create an ACI direct SDN connector and dynamic address in the CLI:
config system sdn-connector
    edit "aci_direct1"
        set type aci-direct
        set server-list "172.18.64.18" "172.18.64.19"
        set username "lzou"
        set password **********
    next
end
config firewall address
    edit "aci_add1"
        set type dynamic
        set sdn "aci_direct1"
        set color 19
        set filter "Application=lzou-app"
    next
end

To test that the connector is working as expected in the CLI:
  1. Check which server is selected as the active server:

    # diagnose debug enable
    # diagnose debug application acid -1
    Debug messages will be on for 30 minutes.
    
    acid sdn connector aci_direct1 updating
    acid validating server status: 172.18.64.18
    acid confirmed active server: 172.18.64.18
    ...
    acid aci_direct1 sdn connector will retrieve token after 9357 secs
  2. Check the resolved IP addresses of the dynamic firewall address:

    # show firewall address aci_add1
    config firewall address
        edit "aci_add1"
            set uuid c9ea564e-34d5-51eb-35e6-204876510913
            set type dynamic
            set sdn "aci_direct1"
            set color 19
            set filter "Application=lzou-app"
            config list
                edit "10.0.6.11"
                next
                edit "10.0.6.12"
                next
            end
        next
    end
  3. If the current active server fails, the FortiGate will choose the next server as the active server:

    # diagnose debug enable
    # diagnose debug application acid -1
    Debug messages will be on for 30 minutes.
    
    acid sdn connector aci_direct1 updating
    acid validating server status: 172.18.64.18
    acid curl failed, 7
    acid server 172.18.64.18 is down
    acid validating server status: 172.18.64.19
    acid confirmed active server: 172.18.64.19
    ...
    acid aci_direct1 sdn connector will retrieve token after 8259 secs
  4. Recheck the resolved addresses to confirm that they still resolve correctly.
