
Administration Guide

Cisco ACI SDN connector with direct connection

The Cisco ACI (Application Centric Infrastructure) connector can be used for northbound API integration with a direct connection.

Multiple server IP addresses can be included for the Cisco APIC cluster active and standby hosts. One server is active, and the rest serve as backups in case the active server fails. The FortiGate checks the status of the servers, and selects one as the active server according to the order of the IP addresses in the list. If the active server fails, the FortiGate changes to the next one down on the list.

The following address filters are supported:

  • Tenant
  • Application
  • Endpoint group
  • Tag
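The two behaviours just described, ordered active-server selection with failover and resolution of a dynamic address from a Tenant/Application/Endpoint group/Tag filter, as a small model in Python. This is an added illustration, not Fortinet or Cisco code: the endpoint inventory, the health-check results and the `&`-joined multi-term filter syntax are constructed assumptions used to make the logic runnable, not the FortiGate's actual implementation.

```python
"""Model of active-server selection and dynamic-address resolution for an
ACI direct connector.  Added illustration only, not Fortinet or Cisco code.
The endpoint inventory, health results and '&'-joined filter syntax are
constructed assumptions."""
from typing import Dict, List, Optional

# Filter keys the page lists as supported for the ACI connector.
SUPPORTED_FILTER_KEYS = ("Tenant", "Application", "Endpoint group", "Tag")


def select_active_server(server_list: List[str], healthy: Dict[str, bool]) -> Optional[str]:
    """Walk the configured server list in order and return the first server
    whose status check passed; None means no APIC host is usable."""
    for server in server_list:
        if healthy.get(server, False):
            return server
    return None


def parse_filter(filter_text: str) -> Dict[str, str]:
    """Parse a filter such as 'Application=lzou-app'.  Several key=value terms
    joined with '&' are ANDed (assumed syntax).  Unsupported keys are rejected
    rather than silently matching nothing."""
    terms: Dict[str, str] = {}
    for part in filter_text.split("&"):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed filter term: {part!r}")
        if key not in SUPPORTED_FILTER_KEYS:
            raise ValueError(f"unsupported filter key: {key!r}")
        terms[key] = value
    return terms


def resolve_address(endpoints: List[Dict[str, str]], filter_text: str) -> List[str]:
    """Return the sorted, de-duplicated IPs of endpoints matching every filter term."""
    terms = parse_filter(filter_text)
    matched = {
        ep["ip"] for ep in endpoints
        if all(ep.get(key) == value for key, value in terms.items())
    }
    return sorted(matched, key=lambda ip: tuple(int(o) for o in ip.split(".")))


# Constructed endpoint inventory standing in for what the APIC would return.
ENDPOINTS = [
    {"Tenant": "lzou-tn", "Application": "lzou-app", "Endpoint group": "web", "Tag": "prod", "ip": "10.0.6.11"},
    {"Tenant": "lzou-tn", "Application": "lzou-app", "Endpoint group": "web", "Tag": "prod", "ip": "10.0.6.12"},
    {"Tenant": "lzou-tn", "Application": "lzou-app", "Endpoint group": "db", "Tag": "prod", "ip": "10.0.6.13"},
    {"Tenant": "other-tn", "Application": "other-app", "Endpoint group": "web", "Tag": "test", "ip": "10.0.7.5"},
]

if __name__ == "__main__":
    servers = ["172.18.64.18", "172.18.64.19"]
    print("both healthy, active:", select_active_server(servers, {"172.18.64.18": True, "172.18.64.19": True}))
    print("first failed, active:", select_active_server(servers, {"172.18.64.18": False, "172.18.64.19": True}))
    print(resolve_address(ENDPOINTS, "Application=lzou-app"))
    print(resolve_address(ENDPOINTS, "Application=lzou-app & Endpoint group=web"))
```

Rejecting an unsupported filter key is the design choice worth keeping: a misspelt key that silently resolves to an empty address list would make a policy referencing it match nothing, which is easy to miss until traffic is unexpectedly blocked or allowed.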
To configure a Cisco ACI connector in the GUI:
  1. Create the Cisco ACI SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select Application Centric Infrastructure (ACI) and configure the following:

      Name

      Enter a name for the connector. In this example: aci_direct1

      Type

      Set to Direct Connection.

      IP

      Enter two IP addresses. In this example: 172.18.64.18 and 172.18.64.19

      Username

      The ACI username.

      Password

      The ACI password.

    3. Configure the remaining settings as needed. The update interval is in seconds.
    4. Click OK.
  2. Create a dynamic firewall address for the connector:
    1. Go to Policy & Objects > Addresses and click Create New > Address and enter a name.
    2. Configure the following settings:

      Name

      Enter a name for the address. In this example: aci-direct-app

      Type

      Dynamic

      Sub Type

      Fabric Connector Address

      SDN Connector

      Select the connector created in step 1: aci_direct1

      Filter

      Enter at least one filter. In this example: Application=lzou-app

    3. Configure the other settings as needed.
    4. Click OK.
  3. Check which server is selected as the active server by the connector:

    1. Go to Security Fabric > External Connectors.

    2. Hover over the connector. The tooltip shows the IP addresses of both servers, with the active server in bold.

  4. Confirm that the connector resolves the dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to view the IP addresses that it resolves to.

To configure a Cisco ACI connector in the CLI:
  1. Create the Cisco ACI SDN connector:
    config system sdn-connector
        edit "aci_direct1"
            set status enable
            set type aci-direct
            set server-list "172.18.64.18" "172.18.64.19"
            set username "lzou"
            set password **********
        next
    end
  2. Create a dynamic firewall address for the connector:
    config firewall address
        edit "aci-direct-app"
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
        next
    end
  3. Check which server is selected as the active server by the connector:

    # diagnose debug enable
    # diagnose debug application acid -1
    Debug messages will be on for 30 minutes.
    
    acid sdn connector aci_direct1 updating
    acid validating server status: 172.18.64.18
    acid confirmed active server: 172.18.64.18
    ...
    acid aci_direct1 sdn connector will retrieve token after 9357 secs
  4. Confirm that the connector resolves the dynamic firewall IP addresses:
    # show firewall address aci-direct-app
    config firewall address
        edit "aci-direct-app"
            set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
            config list
                edit "10.0.6.11"
                next
                edit "10.0.6.12"
                next
                edit "10.0.6.13"
                next
            end
        next
    end
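The two CLI verification steps above (reading the confirmed active server out of the `diagnose debug application acid` output and the resolved IPs out of `show firewall address`) can be checked programmatically, which is useful when the output is collected from many FortiGates. The following Python is an added illustration, not FortiOS code; the sample output embedded in it is constructed to mirror the page's example, and the audit rules (active server should be the first in the configured list, the dynamic address should resolve to at least one IP) are this example's own assumptions.

```python
"""Parse the connector debug output and the 'show firewall address' output
from the CLI procedure and flag conditions an operator would want to know
about.  Added illustration, not FortiOS code; sample output is constructed."""
import re
from typing import Dict, List, Optional

# Constructed to mirror the page's debug output.
DEBUG_OUTPUT = """\
acid sdn connector aci_direct1 updating
acid validating server status: 172.18.64.18
acid confirmed active server: 172.18.64.18
acid aci_direct1 sdn connector will retrieve token after 9357 secs
"""

# Constructed to mirror the page's 'show firewall address' output.
SHOW_OUTPUT = """\
config firewall address
    edit "aci-direct-app"
        set type dynamic
        set sdn "aci_direct1"
        set filter "Application=lzou-app"
        config list
            edit "10.0.6.11"
            next
            edit "10.0.6.12"
            next
            edit "10.0.6.13"
            next
        end
    next
end
"""

ACTIVE_RE = re.compile(r"^acid confirmed active server: (\S+)$", re.MULTILINE)
LIST_RE = re.compile(r"config list\n(.*?)\n\s*end", re.DOTALL)
IP_RE = re.compile(r'edit "(\d{1,3}(?:\.\d{1,3}){3})"')


def active_server(debug_text: str) -> Optional[str]:
    """Last server the connector confirmed as active, or None if none was logged."""
    hits = ACTIVE_RE.findall(debug_text)
    return hits[-1] if hits else None


def resolved_ips(show_text: str) -> List[str]:
    """IPs inside the address's 'config list ... end' block (empty if unresolved)."""
    block = LIST_RE.search(show_text)
    return IP_RE.findall(block.group(1)) if block else []


def audit(server_list: List[str], debug_text: str, show_text: str) -> Dict[str, object]:
    """Summarise connector state from the two outputs and list anything unexpected."""
    active = active_server(debug_text)
    ips = resolved_ips(show_text)
    findings: List[str] = []
    if active is None:
        findings.append("no active server confirmed")
    elif active not in server_list:
        findings.append(f"active server {active} not in configured list")
    elif active != server_list[0]:
        # The FortiGate prefers servers in list order, so a backup being
        # active means the preferred host failed its status check.
        findings.append(f"running on backup {active}; preferred {server_list[0]} may be down")
    if not ips:
        findings.append("dynamic address resolved to no IPs; check filter and connector status")
    return {"active": active, "resolved": ips, "findings": findings}


if __name__ == "__main__":
    print(audit(["172.18.64.18", "172.18.64.19"], DEBUG_OUTPUT, SHOW_OUTPUT))
```

An empty `findings` list is the healthy case: the first configured APIC host is active and the dynamic address carries resolved IPs. Running on a backup is not an error by itself, but it is the condition worth alerting on, since the page's failover only works for as long as at least one remaining host in the list is reachable.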
