Doc ID b2d31294-d72c-11ea-96b9-00505692583a:630214

HA on Cisco ACI using FGCP over FGSP

In Cisco ACI, you can deploy the FortiGate Clustering Protocol (FGCP) over the FortiGate Session Life Support Protocol (FGSP) to achieve high availability (HA). This deployment uses the following Cisco ACI components:

Endpoint group (EPG): Container for a collection of applications that is independent of addressing, VLANs, and other network components.

Contract: Defines the communication permitted between EPGs.

Service graph: Provides the capability to insert L4-L7 devices (here, the FortiGate) into Cisco ACI. It includes the policy-based redirect (PBR) feature, with which the Cisco ACI fabric redirects traffic between security zones to the firewall (here, the FortiGate) for inspection without the firewall having to be the servers' default gateway. Because the servers' gateway does not change, network changes are minimized and stability increases.

Leaf and spine switches: The two switch layers of the Cisco ACI spine-and-leaf architecture. The spine layer is the backbone of the network and interconnects all leaf switches. Leaf switches are access switches that connect to devices such as servers. See the Cisco Data Center Spine-and-Leaf Architecture: Design Overview White Paper.

Pod: Set of interconnected Cisco ACI leaf and spine switches managed by a specific Cisco Application Policy Infrastructure Controller (APIC) cluster. Pods managed by the same APIC cluster are considered part of the same Cisco ACI fabric.

Inter-pod network (IPN): Connects pods so that pod-to-pod (east-west) communication can be established.

Tenant: Highest-level object in the ACI fabric; it contains EPGs and bridge domains (BDs).

Bridge domain: Domain that carries out forwarding and bridging.

In this deployment, traffic is redirected to the FortiGate for inspection. After inspection, the FortiGate forwards the traffic back to the Cisco ACI fabric. The FortiGate operates in one-arm mode in this scenario. This configuration supports asymmetric traffic flow, where the original and return traffic of a session are inspected by different FortiGates.

This solution uses Cisco ACI service chaining with PBR and the Anycast feature. The topology for this deployment is as follows:

  • Two FGCP clusters:
    • Each cluster in a different pod
    • Each cluster has two FortiGates
  • FGSP across all pods

This deployment requires the following configurations:

  • Because Cisco ACI requires a single Anycast IP address and MAC address, you must configure both FGCP clusters with the same HA group ID.
  • The PBR data interface must use the same ports on both clusters.
  • One VLAN is created for traffic processing. It has the same IP and MAC addresses on both clusters.
  • The peer-ip and session-sync-device settings use different ports with different MAC addresses.

As no provisioning configuration is pushed from the APIC to the FortiGate, importing a device package to APIC is not required.
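The following FortiOS CLI fragment is an added example, not configuration from this page or from Fortinet; it shows how the four requirements above map onto the Pod 1 FGCP cluster. Interface names, the VLAN ID, all addresses and the group ID are assumptions; the syntax is the FortiOS 7.0-style `config system standalone-cluster` form (on earlier releases the peer entry is assumed to live under `config system cluster-sync` instead). The Pod 2 cluster would carry the identical `system ha` group ID and the identical PBR VLAN interface, with its own FGSP peer addressing.

```fortios
# Added example (not from the Fortinet page). Pod 1 FGCP cluster; FGCP
# synchronizes this configuration to the second unit in the cluster.
# port1, port5, port7, port8, VLAN 100 and all IPs are assumed values.

# Requirement 1: both clusters use the same group-id. The FGCP virtual MAC
# is derived from it, so both clusters present the same MAC to ACI (Anycast).
config system ha
    set group-id 20
    set group-name "aci-pod1"
    set mode a-p
    set password "<ha-password-placeholder>"
    set hbdev "port7" 50 "port8" 50
    set session-pickup enable
end

# Requirements 2 and 3: one-arm PBR data interface on the same physical
# port, VLAN ID and IP on both clusters (the MAC matches via the group-id).
config system interface
    edit "aci-pbr"
        set vdom "root"
        set interface "port1"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set alias "ACI PBR one-arm"
    next
    # Requirement 4: a separate port, with its own MAC, for FGSP.
    edit "port5"
        set ip 172.16.50.1 255.255.255.0
        set allowaccess ping
    next
end

# FGSP between the two FGCP clusters across the IPN. peerip is the Pod 2
# cluster's address on its equivalent dedicated port; session-sync-dev is
# neither the PBR data port nor an FGCP heartbeat port.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    set session-sync-dev "port5"
    config cluster-peer
        edit 1
            set peerip 172.16.50.2
            set syncvd "root"
        next
    end
end
```

Two operational points follow from this layout. Because the two clusters share a group ID, their FGCP heartbeat ports must stay on separate Layer 2 segments: FGCP forms a cluster from units that agree on group ID and password, so heartbeat links bridged between pods could let the clusters merge instead of remaining two FGSP peers. The FGSP link itself carries session state for every inspected flow, so it belongs on a dedicated, isolated path through the IPN rather than on a segment shared with tenant traffic.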