Cisco ACI SDN connector with direct connection
The Cisco ACI (Application Centric Infrastructure) connector can be used for northbound API integration with a direct connection.
Multiple server IP addresses can be included for the Cisco APIC cluster active and standby hosts. One server is active, and the rest serve as backups in case the active server fails. The FortiGate checks the status of the servers, and selects one as the active server according to the order of the IP addresses in the list. If the active server fails, the FortiGate changes to the next one down on the list.
The following address filters are supported:
- Tenant
- Application
- Endpoint group
- Tag
To configure a Cisco ACI connector in the GUI:
- Create the Cisco ACI SDN connector:
- Go to Security Fabric > External Connectors and click Create New.
- Select Application Centric Infrastructure (ACI) and configure the following:

| Setting | Description |
|---|---|
| Name | Enter a name for the connector. In this example: aci_direct1 |
| Type | Set to Direct Connection. |
| IP | Enter two IP addresses. In this example: 172.18.64.18 and 172.18.64.19 |
| Username | The ACI username. |
| Password | The ACI password. |
- Configure the remaining settings as needed. The update interval is in seconds.
- Click OK.
- Create a dynamic firewall address for the connector:
- Go to Policy & Objects > Addresses and click Create New > Address and enter a name.
- Configure the following settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the address. In this example: aci-direct-app |
| Type | Dynamic |
| Sub Type | Fabric Connector Address |
| SDN Connector | Select the just created connector: aci_direct1 |
| Filter | Enter at least one filter. In this example: Application=lzou-app |
- Configure the other settings as needed.
- Click OK.
- Check which server is selected as the active server by the connector:
- Go to Security Fabric > External Connectors.
- Hover over the connector. The tooltip shows the IP addresses of both servers, with the active server in bold.
- Confirm that the connector resolves the dynamic firewall IP addresses:
- Go to Policy & Objects > Addresses.
- Hover over the address created in step 2 to view the IP addresses that it resolves to.
To configure a Cisco ACI connector in the CLI:
- Create the Cisco ACI SDN connector:
```
config system sdn-connector
    edit "aci_direct1"
        set status enable
        set type aci-direct
        set server-list "172.18.64.18" "172.18.64.19"
        set username "lzou"
        set password **********
    next
end
```
- Create a dynamic firewall address for the connector:
```
config firewall address
    edit "aci-direct-app"
        set type dynamic
        set sdn "aci_direct1"
        set color 17
        set filter "Application=lzou-app"
    next
end
```
- Check which server is selected as the active server by the connector:
```
# diagnose debug enable
# diagnose debug application acid -1
Debug messages will be on for 30 minutes.
acid sdn connector aci_direct1 updating
acid validating server status: 172.18.64.18
acid confirmed active server: 172.18.64.18
...
acid aci_direct1 sdn connector will retrieve token after 9357 secs
```
- Confirm that the connector resolves the dynamic firewall IP addresses:
```
# show firewall address aci-direct-app
config firewall address
    edit "aci-direct-app"
        set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
        set type dynamic
        set sdn "aci_direct1"
        set color 17
        set filter "Application=lzou-app"
        config list
            edit "10.0.6.11"
            next
            edit "10.0.6.12"
            next
            edit "10.0.6.13"
            next
        end
    next
end
```
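The two CLI checks above can be turned into a repeatable audit: parse the `acid` debug output for the confirmed active server, compare its position against the ordered `server-list` (a non-first active server means the earlier APIC hosts failed their status check), and parse the `show firewall address` dump to confirm the dynamic address actually resolved to endpoints. This is an added example, not FortiOS or Fortinet code; the `ACID_DEBUG` and `SHOW_ADDRESS` samples are constructed from the output shown on this page.

```python
import re

# Constructed samples modelled on the CLI output shown on this page, not live captures.
ACID_DEBUG = """\
acid sdn connector aci_direct1 updating
acid validating server status: 172.18.64.18
acid confirmed active server: 172.18.64.18
"""
SHOW_ADDRESS = """\
config firewall address
    edit "aci-direct-app"
        set sdn "aci_direct1"
        set filter "Application=lzou-app"
        config list
            edit "10.0.6.11"
            next
            edit "10.0.6.12"
            next
        end
    next
end
"""

def active_server(debug_text):
    """APIC address the acid daemon confirmed as active, or None if absent."""
    m = re.search(r"confirmed active server:\s*(\S+)", debug_text)
    return m.group(1) if m else None

def resolved_addresses(show_text):
    """IPs listed under 'config list' in a 'show firewall address' dump."""
    block = re.search(r"config list(.*?)\n\s*end", show_text, re.S)
    return re.findall(r'edit "([^"]+)"', block.group(1)) if block else []

def audit(debug_text, show_text, server_list):
    """Cross-check connector state against the ordered 'set server-list'; empty list = healthy."""
    findings = []
    active = active_server(debug_text)
    if active not in server_list:
        findings.append(f"active server {active!r} is not in the configured server-list")
    elif server_list.index(active) > 0:
        # Failover occurred: every APIC earlier in the list failed its status check.
        findings.append(f"failed over to server #{server_list.index(active) + 1}: {active}")
    addrs = resolved_addresses(show_text)
    if not addrs:
        findings.append("dynamic address resolved to no endpoints; check the filter")
    return findings
```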