Deploying SDN Connector with FortiGate (standalone)

Deploying SDN Connector when using FortiGate in standalone mode consists of the following steps:

  1. Create a VDOM.
  2. Create VLAN interfaces.
  3. Create static routes.
  4. Configure a Fabric SDN Connector.
  5. Create dynamic addresses.
  6. Create policies using the dynamic address(es).

To create a VDOM:
  1. In FortiOS, connect to the management VDOM.
  2. Go to Global > System > VDOM and select Create New.
  3. Enter a unique Name. VDOM names have the following restrictions:
    • Only letters, numbers, "-", and "_" are allowed.
    • No more than eleven characters are allowed.
    • No spaces are allowed.
    • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.
  4. Enter a short and descriptive comment to identify this VDOM.
  5. Select OK.
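The four naming restrictions above are easy to trip over when VDOM names are generated or copied from a naming scheme. The following is an added example (not Fortinet code, and not part of this document) that checks a proposed name against those rules before it is typed into the GUI; the set of existing interface, zone and VDOM names is a constructed sample, and the collision check assumes an exact, case-sensitive comparison.

```python
from __future__ import annotations
import re

# Constructed sample of names already in use on the unit. On a real FortiGate
# these would be collected from the interface, zone, switch interface and VDOM
# tables; the values here exist only for this example.
EXISTING_NAMES = {"root", "port5", "port6", "port5_vlan2767", "port6_vlan2766", "dmz-zone"}

# Only letters, numbers, "-" and "_" are allowed.
_ALLOWED = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LEN = 11  # no more than eleven characters


def vdom_name_problems(name: str, existing: set[str] = EXISTING_NAMES) -> list[str]:
    """Return every restriction the proposed VDOM name violates (empty list means OK)."""
    problems: list[str] = []
    if name == "":
        problems.append("name is empty")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(name)})")
    if " " in name:
        problems.append("spaces are not allowed")
    elif name and not _ALLOWED.match(name):
        problems.append('only letters, numbers, "-" and "_" are allowed')
    # Assumption for this example: the comparison is exact (case-sensitive).
    if name in existing:
        problems.append("name already used by an interface, zone, switch interface or VDOM")
    return problems


def is_valid_vdom_name(name: str, existing: set[str] = EXISTING_NAMES) -> bool:
    return not vdom_name_problems(name, existing)


if __name__ == "__main__":
    for candidate in ("aci-vdom1", "aci vdom", "port5_vlan2767", "aci.vdom"):
        print(f"{candidate!r}: {vdom_name_problems(candidate) or 'OK'}")
```

Run it with a list of the names planned for the deployment; every non-empty result is a name the GUI will reject or that would shadow an existing object.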
To create VLAN interfaces:
  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure an interface for each VLAN noted in the last step of Cisco ACI deployment. Ensure that the VLAN mapped to the interface corresponds to the VLAN that ACI assigned during service graph deployment.

To create static routes:
  1. Go to Network > Static Routes.
  2. Click Create New > IPv4 Static Route.
  3. Configure two static routes as shown below: one for each VLAN configured in the previous section.

To configure an SDN connector:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Under Private SDN, select Application Centric Infrastructure (ACI).
  4. Configure the SDN Connector, then click OK. The default port is 5671.

To create dynamic addresses:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Configure a dynamic address for the app EPG:
    1. From the Type dropdown list, select Dynamic.
    2. From the Sub Type dropdown list, select Fabric Connector Address.
    3. From the SDN Connector dropdown list, select the configured SDN connector.
    4. In the Endpoint Group Name field, enter the endpoint group name in the following format: Application Profile name|EPG name. This is case-sensitive. In Cisco ACI deployment, the application profile was named "AP", and the EPGs were named "app" and "web". Therefore, the correct format is AP|app and AP|web.
  4. Repeat steps 2 and 3 to configure a dynamic address for the web EPG.

    The following shows that the FortiOS and SDN Connector output regarding the web and app EPGs contain corresponding information:
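The Endpoint Group Name field is matched case-sensitively, and a dynamic address whose EPG name does not match anything the connector reports simply resolves to no endpoints, so the policies built on it match no traffic and the mistake shows up as blocked connectivity rather than as an error. The following added example (this page's own illustration, not FortiOS code or output) parses the `Application Profile name|EPG name` format and cross-checks each configured dynamic address against a constructed sample of what the SDN connector reports for the "AP" profile, flagging a case mismatch separately from an unknown EPG. The `DynamicAddress` fields and the `CONNECTOR_ENDPOINTS` layout are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicAddress:
    name: str       # FortiOS address object name
    connector: str  # SDN connector the address references
    epg: str        # Endpoint Group Name field: "Application Profile name|EPG name"


# Constructed sample of endpoints as the ACI connector might learn them, keyed by
# (application profile, EPG). Names and IPs are made up for this example and do
# not reproduce the real connector output format.
CONNECTOR_ENDPOINTS: dict[tuple[str, str], list[str]] = {
    ("AP", "app"): ["10.1.1.11", "10.1.1.12"],
    ("AP", "web"): ["10.1.2.21"],
}


def parse_epg_name(field: str) -> tuple[str, str]:
    """Split 'AP|app' into ('AP', 'app'); reject anything not of exactly that shape."""
    parts = field.split("|")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected 'Application Profile name|EPG name', got {field!r}")
    return parts[0], parts[1]


def resolve(addr: DynamicAddress, endpoints=CONNECTOR_ENDPOINTS) -> dict:
    """Return the endpoints a dynamic address resolves to, plus a note if it resolves to none."""
    key = parse_epg_name(addr.epg)
    ips = endpoints.get(key, [])  # exact, case-sensitive lookup, as FortiOS matches it
    result = {"address": addr.name, "epg": addr.epg, "ips": ips, "note": ""}
    if not ips:
        # Distinguish the most common cause (case mismatch) from a truly unknown EPG.
        folded = (key[0].lower(), key[1].lower())
        near = [k for k in endpoints if (k[0].lower(), k[1].lower()) == folded]
        if near:
            result["note"] = f"no match; connector reports {near[0][0]}|{near[0][1]} (case differs)"
        else:
            result["note"] = "no match; EPG unknown to the connector"
    return result


def check_all(addresses: list[DynamicAddress], endpoints=CONNECTOR_ENDPOINTS) -> list[dict]:
    return [resolve(a, endpoints) for a in addresses]


if __name__ == "__main__":
    planned = [
        DynamicAddress("aci-app", "aci-connector", "AP|app"),
        DynamicAddress("aci-web", "aci-connector", "AP|web"),
        DynamicAddress("aci-app-typo", "aci-connector", "ap|app"),
    ]
    for row in check_all(planned):
        print(f"{row['address']:<14} {row['epg']:<8} -> {row['ips'] or row['note']}")
```

Any row that resolves to an empty list is an address that will never match in a firewall policy; fix the name in the address object rather than the policy.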

To create policies using the dynamic addresses:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Create a policy that allows communication from the web EPG to the app EPG:
    1. In the Incoming Interface field, select the port5_vlan2767 interface.
    2. In the Outgoing Interface field, select the port6_vlan2766 interface.
    3. In the Source field, select the web EPG address.
    4. In the Destination field, select the app EPG address.
    5. Click OK.
  4. Create a policy that allows communication from the app EPG to the web EPG:
    1. In the Incoming Interface field, select the port6_vlan2766 interface.
    2. In the Outgoing Interface field, select the port5_vlan2767 interface.
    3. In the Source field, select the app EPG address.
    4. In the Destination field, select the web EPG address.
    5. Click OK.
  5. Ensure that an endpoint in the web EPG and an endpoint in the app EPG can ping each other.