- Installing the SDN Connector
- Initializing the SDN Connector
- Configuring the SDN Connector
- Logging into RabbitMQ
- Connecting the FortiGate to the SDN Connector
The SDN Connector serves as a gateway bridging SDN controllers and FortiGates. The SDN Connector registers itself to APIC in the Cisco ACI fabric, polls interested objects, and translates them into address objects. The translated address objects and associated endpoints populate to the FortiGate.
FortiGates register to ACI objects through the SDN Connector. The SDN Connector monitors the objects and updates FortiGate dynamic objects.
If you plan to instantiate a large number of VMs in your SDN Connector environment, ensure you size the host VM or server appropriately. The following recommendations represent the minimum sizing numbers:
- Memory: 4 GB
- CPU: 2 vCPU
- Disk: 20-50 GB
- vNICs: 1
Setting up the SDN Connector with FortiGate configuration consists of the following steps:
1. Installing the SDN Connector
Download and install vSphere Client, then download sdn-connector.ovf. In vSphere Client, navigate to File > Deploy OVF Template.
In the Deploy OVF Template dialog, enter the SDN Connector image file path in the Deploy from a file or URL field. Click Next.
The dialog displays the SDN Connector version, download size, and size on disk. Click Next.
Enter the VM name, select the location, then click Next.
Choose the destination storage for the VM files, then click Next.
The dialog displays the datastore name and amount of available space. Select Thin Provision, then click Next.
Networks used in this OVF template should map to networks in your inventory. Choose the destination network for network mapping, then click Next.
The dialog displays all previously configured options. To edit an option, click Back. If ready to deploy, click Finish.
2. Initializing the SDN Connector
Once the OVF template is deployed, turn on the VM and navigate to the Console tab. Once the SDN Connector boots up, the system displays the following GUI dialog for configuration. Press Enter to proceed to the Network Interface Configuration wizard.
The Network Interface Configuration wizard provides DHCP and static IP configuration options.
When the VM receives the IP address from the DHCP server, the system shows this success dialog. The dialog shows the SDN Connector IP address and gateway information.
When the VM is configured with a static IP address, the system shows this success dialog.
To change the network configuration, click OK and return to the wizard to restart the setup flow.
Using a web browser, navigate to https://<SDN connector IP address>.
Log into the system with the default username and password, which are blank and fortinet123, respectively. When you first log in, the GUI prompts you to change the password.
Click Configuration, then enter the SDN controller IP address, username, and password, then click OK. The SDN controller username and password are the Cisco ACI username and password. You can obtain this from the ACI administrator.
Click Running Status to verify the status. When the signal icons are green, this indicates the connection between the SDN controller and SDN connector has been established.
3. Configuring the SDN Connector
The SDN Connector GUI has several web controls. It is a single-page web application.
To restart the service, click Restart Service. The system displays a dialog asking you to restart the connector service.
To change the password, click Change Password.
To change the configuration click Configuration. You can enter and update the SDN Controller login information and SDN Connector login information. The SDN controller username and password are the Cisco ACI username and password. You can obtain this from the ACI administrator. The SDN connector username and password apply to the FortiGate SDN Connector configuration. This is different than the SDN Connector GUI login credentials. The default username and password are admin and fortinet123, respectively.
Running Status indicates the SDN Connector status. Red icons mean that the connection is not established.
Cache Content displays the cache downloaded from the SDN Controller.
To download system logs, click Download Log, then /.
To log out, navigate to the SDN Connector homepage, then click Logout on the banner. The system logs the user out.
To upgrade the service, navigate to the SDN Connector homepage, then click UpgradeService on the banner. A dialog shows the upgrade progress. Once the upgrade is finished, the dialog prompts “Upgraded Successfully! Going to refresh in 10s” and the GUI refreshes automatically.
4. Logging into RabbitMQ
After successful configuration, the SDN Connector service is started. You can log in to check the connection status. The default username and password are admin and fortinet123, respectively.
5. Connecting the FortiGate to the SDN Connector
The following are sample CLI commands to establish a connection between the FortiGate and SDN Connector. The username and password are the SDN Connector username and password, which can be modified on the SDN Connector GUI. The default value are admin and fortinet123, respectively.
config system sdn-connector
edit "aci1"
set status enable
set type aci
set server-ip 10.160.38.141
set server-port 5671
set username "admin"
set password
set next
edit "aci2"
set status enable
set type aci
set server-ip 10.160.13.117
set server-port 5671
set username "admin"
set password fortinet123 next
The two entries in the above example are for redundancy. Only the first available is used based on the configured order.
Another way is to access the FortiOS GUI, navigate to System > SDN Connectors, and click Create New. Here you can configure the SDN Connectors into FortiOS.
To debug the SDN Connector on the FortiGate side, use diagnose test application sdncd
.
FG100D3G14800142 (global) # diagnose test application sdncd
1, Show sdn connector status
2, Show sdn channels
3, Show dynamic objects table
4, Flush all dynamic addresses
5, Purge all unused dynamic addresses
6. Configuring the firewall address and address group
The following shows sample CLI commands to create a dynamic address object.
config firewall address
edit "test-tag"
set type dynamic
set sdn aci
set tenant "TENANT-NAME"
set epg-name "EPG-NAME"
set sdn-tag "TAG-NAME"
next
end
config firewall addrgrp
edit "test-group"
set member "test-tag" "Adobe Login"
next
end
Like a regular firewall address, you can edit the dynamic address on the GUI. Navigate to Policy & Objects > Addresses and create a dynamic address.
To debug the SDN Connector on the FortiGate side, use diagnose firewall dynamic address
. The output lists the entire VDOM dynamic summary. Using diagnose firewall dynamic list
outputs the detailed address on each dynamic address.
FG100D3G14800142 (root) # diagnose firewall dynamic address
Summary of SDN dynamic addresses:
aci.t2.App_6.*(total-addr: 1000): ID(61) REF(2)
nuage.NuageCluster.Trusted.*(total-addr: 2): ID(129) REF(1)
nuage.NuageCluster.*.*(total-addr: 5): ID(192) REF(1)
Total dynamic list entries: 3. Total dynamic addresses: 1007
The below provides information on firewall address mapping:
- Dynamic group tag: The administrator of the tenant or system administrator uses an orchestration script or manually tags those objects in the tag, description, or alias field depending on the SDN Connector.
- Back end process: After system boot-up, dynamic group daemon connects to SDN Connector using the sdn-connector global system setting. It iterates all addresses, such as dynamic-aci, dynamic-nsx, and dynamic-aws. It then sends the request to SDN Connector to get all endpoints or endpoint groups with the SDN filter.
After that, based on the received data, it uses the filter to find the EPGs and use those as members. Then, it updates the IP and kernel.
If any dynamic address creation is in the CMDB, daemon receives the CMDB event and sends all the filters to SDN Connector. SDN Connector retrieves the endpoints or EPGs matching the filters, sends them to the FortiGate, and updates the kernel.
The post FortiGate SDN Connector for Cisco ACI appeared first on Fortinet Cookbook.