Multiple clusters on Cisco ACI connectors

You can configure multiple ACI clusters to provide high availability for external Cisco ACI SDN connector VMs. When creating a Cisco ACI SDN connector, configuring multiple IPs allows the FortiGate to connect to the SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active at a time; the others serve as backups if the active one fails. FortiOS 6.4.9 and later versions support this feature.

In this example, two Cisco ACI cluster SDN connectors are configured (aci_robot_238 and aci_robot_239). Each cluster contains two Cisco ACI SDN connector VMs.

To create ACI cluster SDN connectors in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. Select Application Centric Infrastructure (ACI) and configure the following:

    Name: aci_robot_238
    Type: Set to FortiSDN Connector.
    IP: Enter two IP addresses: 10.6.30.38 and 10.6.30.238.
    Port: Set to Specify and enter 5671.
    Username: Enter the ACI username.
    Password: Enter the ACI password.

  3. Click OK.

  4. Repeat these steps to create another connector with the following settings:

    Name: aci_robot_239
    Type: Set to FortiSDN Connector.
    IP: Enter two IP addresses: 10.6.30.39 and 10.6.30.239.
    Port: Set to Specify and enter 5671.
    Username: Enter the ACI username.
    Password: Enter the ACI password.

To create dynamic addresses associated with the connectors in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

  2. Configure the following:

    Name: aci-add-App-238
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: aci_robot_238
    Tenant: Fortinet
    Endpoint Group Name: App1

  3. Click OK.

  4. Repeat these steps to create another dynamic address with the following settings:

    Name: aci-add-App-239
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: aci_robot_239
    Tenant: Fortinet
    Endpoint Group Name: App1

To test that firewall addresses can resolve the dynamic addresses based on the SDN connector in the GUI:
  1. Go to Policy & Objects > Addresses.

  2. Hover the cursor over an address. The tooltip shows the resolved addresses of the dynamic firewall address.

To create ACI cluster SDN connectors in the CLI:
config system sdn-connector
    edit "aci_robot_238"
        set type aci
        set server-list "10.6.30.38" "10.6.30.238"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "aci_robot_239"
        set type aci
        set server-list "10.6.30.39" "10.6.30.239"
        set server-port 5671
        set username "admin"
        set password **********
    next
end
To create dynamic addresses associated with the connectors in the CLI:
config firewall address
    edit "aci-add-App-238"
        set type dynamic
        set sdn "aci_robot_238"
        set color 17
        set tenant "Fortinet"
        set epg-name "App1"
    next
    edit "aci-add-App-239"
        set type dynamic
        set sdn "aci_robot_239"
        set color 17
        set tenant "Fortinet"
        set epg-name "App1"
    next
end
To test that firewall addresses can resolve the dynamic addresses based on the SDN connector in the CLI:
  1. Check the aci-add-App-238 address:
    # diagnose firewall dynamic address aci-add-App-238
    aci_robot_238.aci.Fortinet.App1.*: ID(90)
            ADDR(244.141.232.3)
            ADDR(124.37.216.5)
            ADDR(178.77.227.6)
            ...
            ADDR(87.26.255.252)
            ADDR(31.45.199.254)
            ADDR(154.149.224.254)
    
    Total dynamic list entries: 1.
    Total dynamic addresses: 150
    Total dynamic ranges: 0
  2. Check the aci-add-App-239 address:
    # diagnose firewall dynamic address aci-add-App-239
    aci_robot_239.aci.Fortinet.App1.*: ID(91)
            ADDR(57.244.141.1)
            ADDR(42.204.249.3)
            ADDR(113.20.146.15)
            ...
            ADDR(21.90.161.213)
            ADDR(156.8.243.247)
            ADDR(79.85.64.251)
    
    Total dynamic list entries: 1.
    Total dynamic addresses: 30
    Total dynamic ranges: 0
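As an added check that is not part of the Fortinet documentation, the following Python script parses output in the format of the diagnose firewall dynamic address command shown above (the sample output is constructed) and flags a dynamic address that resolved to no endpoints or whose listed ADDR entries disagree with the reported total. The function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the diagnose output above (illustrative addresses).
SAMPLE = """\
aci_robot_238.aci.Fortinet.App1.*: ID(90)
        ADDR(10.1.1.3)
        ADDR(10.1.1.5)
        ADDR(10.1.1.6)

Total dynamic list entries: 1.
Total dynamic addresses: 3
Total dynamic ranges: 0
"""
# <connector>.aci.<tenant>.<epg>.*: ID(<n>)
HEADER_RE = re.compile(r"^(?P<sdn>[^.\s]+)\.aci\.(?P<tenant>[^.]+)\.(?P<epg>[^.]+)\.\*: ID\((?P<id>\d+)\)$")
ADDR_RE = re.compile(r"^ADDR\((?P<ip>[0-9.]+)\)$")
TOTAL_RE = re.compile(r"^Total dynamic (?P<what>list entries|addresses|ranges): (?P<n>\d+)\.?$")

@dataclass
class DynamicAddress:
    sdn: str
    tenant: str
    epg: str
    entry_id: int
    addrs: list = field(default_factory=list)

def parse_dynamic_address(text):
    """Return (entry, totals); entry is None when no list header is present."""
    entry, totals = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":   # the CLI elides long lists with "..."
            continue
        if m := HEADER_RE.match(line):
            entry = DynamicAddress(m["sdn"], m["tenant"], m["epg"], int(m["id"]))
        elif (m := ADDR_RE.match(line)) and entry is not None:
            entry.addrs.append(m["ip"])
        elif m := TOTAL_RE.match(line):
            totals[m["what"]] = int(m["n"])
    return entry, totals

def check_resolution(text):
    """Checks to make after configuring the connector: the address resolved to at
    least one endpoint, and the ADDR lines agree with the reported total."""
    entry, totals = parse_dynamic_address(text)
    if entry is None or totals.get("addresses", 0) == 0:
        return ["resolved to no endpoints: check SDN connector status and credentials"]
    if "..." not in text and len(entry.addrs) != totals["addresses"]:
        return ["ADDR line count does not match 'Total dynamic addresses'"]
    return []
```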
