FortiGate-6000 Handbook

HA heartbeat VLAN double-tagging

FortiGate-6000 HA supports HA heartbeat double-tagging to be compatible with third-party switches that do not support Fortinet's proprietary triple tagging format. HA heartbeat double-tagging has the following format:

TPID 0x8100 VLAN <vlan-id> (by default 999) + TPID 0x8100 VLAN 10/30 + ethernet packet

You can use the following commands to set the HA VLAN tagging mode to double-tagging, customize the outer TPID, and set the VLAN IDs for HA1 and HA2. Both FortiGates in the cluster must have the same VLAN tagging configuration.

config system ha
    set ha-port-dtag-mode double-tagging
    set ha-port-outer-tpid {0x8100 | 0x88a8 | 0x9100}
    set hbdev-vlan-id <vlan>
    set hbdev-second-vlan-id <vlan>
    set ha-eth-type <ethertype>
end

Where:

When ha-port-dtag-mode is set to double-tagging, the FortiGate-6000 uses the double-tagging format.

ha-port-outer-tpid sets the outer TPID to be compatible with the switch. The default outer TPID of 0x8100 is compatible with most third-party switches.

hbdev-vlan-id sets the outer VLAN ID used by HA1 interface heartbeat packets.

hbdev-second-vlan-id sets the outer VLAN ID used by HA2 interface heartbeat packets. The HA1 and HA2 interfaces must have different outer VLAN IDs if they are connected to the same switch.

ha-eth-type sets the HA heartbeat packet ethertype (default 8890) to be compatible with the switch.

Example double-tagging switch configuration

The following switch configuration is compatible with FortiGate-6000 HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-6000 HA heartbeat configuration is:

config system ha
    set ha-port-dtag-mode double-tagging
    set hbdev ha1 50 ha2 50
    set hbdev-vlan-id 4091
    set hbdev-second-vlan-id 4092
end
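The two rules stated earlier (both FortiGates must share the same VLAN tagging configuration, and HA1 and HA2 need different outer VLAN IDs when they share a switch) can be checked offline against exported configurations. This is an added example, not a Fortinet tool; the function names are hypothetical, PEER_A is the configuration above, and PEER_B is a constructed misconfiguration.

```python
TAGGING_KEYS = ("ha-port-dtag-mode", "ha-port-outer-tpid", "hbdev-vlan-id",
                "hbdev-second-vlan-id", "ha-eth-type")
VALID_OUTER_TPIDS = {"0x8100", "0x88a8", "0x9100"}

PEER_A = """config system ha
    set ha-port-dtag-mode double-tagging
    set hbdev ha1 50 ha2 50
    set hbdev-vlan-id 4091
    set hbdev-second-vlan-id 4092
end"""
# Constructed: second peer reuses the HA1 VLAN ID for HA2.
PEER_B = PEER_A.replace("hbdev-second-vlan-id 4092", "hbdev-second-vlan-id 4091")


def parse_ha_block(text: str) -> dict:
    """Collect 'set <key> <value>' lines between 'config system ha' and 'end'."""
    settings, inside = {}, False
    for line in text.splitlines():
        words = line.split()
        if words == ["config", "system", "ha"]:
            inside = True
        elif words == ["end"]:
            inside = False
        elif inside and len(words) >= 3 and words[0] == "set":
            settings[words[1]] = " ".join(words[2:])
    return settings


def audit_cluster(cfg_a: str, cfg_b: str, same_switch: bool = True) -> list:
    """Return findings for the two cluster members' HA tagging settings."""
    a, b = parse_ha_block(cfg_a), parse_ha_block(cfg_b)
    findings = [f"{k} differs between peers: {a.get(k)} vs {b.get(k)}"
                for k in TAGGING_KEYS if a.get(k) != b.get(k)]
    for name, cfg in (("A", a), ("B", b)):
        if cfg.get("ha-port-dtag-mode") != "double-tagging":
            findings.append(f"peer {name}: ha-port-dtag-mode is not double-tagging")
        tpid = cfg.get("ha-port-outer-tpid", "0x8100").lower()  # page default
        if tpid not in VALID_OUTER_TPIDS:
            findings.append(f"peer {name}: unsupported outer TPID {tpid}")
        ha1 = cfg.get("hbdev-vlan-id", "999")                   # page default
        ha2 = cfg.get("hbdev-second-vlan-id")
        if same_switch and ha2 is not None and ha1 == ha2:
            findings.append(f"peer {name}: HA1 and HA2 share outer VLAN {ha1}")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(PEER_A, PEER_B):
        print(finding)
```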

Example third-party switch configuration:

Switch interfaces 37 and 38 connect to the HA1 interfaces of both FortiGate-6000s.

interface Ethernet37
   description **** FGT-6000F HA1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4091
   switchport mode dot1q-tunnel
!
interface Ethernet38
   description **** FGT-6000F HA1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4091
   switchport mode dot1q-tunnel
!

Switch interfaces 39 and 40 connect to the HA2 interfaces of both FortiGate-6000s.

interface Ethernet39
   description **** FGT-6000F HA2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4092
   switchport mode dot1q-tunnel
!
interface Ethernet42
   description **** FGT-6000F HA2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4092
   switchport mode dot1q-tunnel
!
