Deploying SDN Connector with FortiGate (standalone)

Deploying SDN Connector when using FortiGate in standalone mode consists of the following steps:

  1. Create a VDOM.
  2. Create VLAN interfaces.
  3. Create static routes.
  4. Configure a Fabric SDN Connector.
  5. Create dynamic addresses.
  6. Create policies using the dynamic address(es).

To create a VDOM:
  1. In FortiOS, connect to the management VDOM.
  2. Go to Global > System > VDOM and select Create New.
  3. Enter a unique Name. VDOM names have the following restrictions:
    • Only letters, numbers, "-", and "_" are allowed.
    • No more than eleven characters are allowed.
    • No spaces are allowed.
    • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.
  4. Enter a short and descriptive comment to identify this VDOM.
  5. Select OK.

To create VLAN interfaces:
  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure an interface for each VLAN noted in the last step of Cisco ACI deployment. Ensure that the VLAN mapped to the interface corresponds to the VLAN that ACI assigned during service graph deployment.

To create static routes:
  1. Go to Network > Static Routes.
  2. Click Create New.
  3. Configure two static routes as shown below: one for each VLAN configured in the previous section.

To configure an SDN connector:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. Under SDN, select Application Centric Infrastructure (ACI).
  4. Configure the SDN Connector, then click OK. The default port is 5671.

To create dynamic addresses:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Configure a dynamic address for the app EPG. Ensure that the format for the endpoint group name is entered as "Application Profile name|EPG name". This is case-sensitive. In Cisco ACI deployment, the application profile was named "AP", and the EPGs were named "app" and "web". Therefore, the correct format is AP|app and AP|web, as shown below.

  4. Repeat steps 2 and 3 to configure a dynamic address for the web EPG.

    The following shows that the FortiOS and SDN Connector output regarding the web and app EPGs contain corresponding information:

To create policies using the dynamic addresses:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New.
  3. Create a policy that allows communication from the web EPG to the app EPG as shown:

  4. Create a policy that allows communication from the app EPG to the web EPG as shown:

  5. Ensure that an endpoint in the web EPG and an endpoint in the app EPG can ping each other.
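
The naming rules from the VDOM and dynamic address steps above can be checked before the values are entered in FortiOS. The following Python script is an added example, not Fortinet code: the function names, the set of existing object names and the ACI inventory are constructed for illustration, and it assumes ACI names never contain "|".

```python
import re

VDOM_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # letters, numbers, "-" and "_"
VDOM_NAME_MAX = 11                            # "no more than eleven characters"

def check_vdom_name(name, existing_names):
    """Return the list of rule violations for a proposed VDOM name.

    existing_names: names already used by interfaces, zones, switch
    interfaces or other VDOMs (gathered by the operator beforehand).
    """
    problems = []
    if " " in name:
        problems.append("contains a space")
    if not VDOM_NAME_RE.fullmatch(name):
        problems.append("only letters, numbers, '-' and '_' are allowed")
    if len(name) > VDOM_NAME_MAX:
        problems.append("longer than 11 characters")
    if name in existing_names:
        problems.append("name already used by another object")
    return problems

def _case_hint(name, known):
    # Point out a near miss that differs only in letter case.
    for k in known:
        if k != name and k.lower() == name.lower():
            return f" (case differs from {k!r})"
    return ""

def check_epg_name(value, aci_epgs):
    """Check an 'Application Profile name|EPG name' string.

    aci_epgs maps each application profile to its EPG names as defined in
    ACI. Matching is exact because the field is case-sensitive.
    """
    if value.count("|") != 1:
        return ["expected exactly one '|' between profile and EPG name"]
    profile, epg = value.split("|")
    if profile not in aci_epgs:
        return [f"unknown application profile {profile!r}" + _case_hint(profile, aci_epgs)]
    if epg not in aci_epgs[profile]:
        return [f"unknown EPG {epg!r}" + _case_hint(epg, aci_epgs[profile])]
    return []

if __name__ == "__main__":
    aci = {"AP": {"app", "web"}}  # constructed: the names used on this page
    for candidate in ("AP|app", "AP|web", "ap|web", "AP|Web", "AP/app"):
        print(candidate, "->", check_epg_name(candidate, aci) or "OK")
    for candidate in ("aci-vdom_1", "aci vdom", "aci-standalone", "port1"):
        print(candidate, "->", check_vdom_name(candidate, {"port1"}) or "OK")
```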
