
FortiGate-7000E Handbook

Default HA heartbeat VLAN triple-tagging

By default, HA heartbeat packets are VLAN packets with VLAN ID 999, an outer TPID of 0x8100, an ethertype of 8890, and an MTU value of 1500. The default proprietary HA heartbeat VLAN tagging uses the following triple-tagging format:

TPID 0x8100 VLAN <vlan-id> (by default 999) + TPID 0x88a8 VLAN 10/30 + TPID 0x8100 VLAN 10/30 + ethernet packet
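As an added example (not from the handbook), the following Python builds a frame in the triple-tagging format above and walks its tag stack, so a heartbeat frame captured on the switch side can be compared with the configured hbdev-vlan-id and ha-port-outer-tpid, and a switch that strips the inner tag can be detected. The MAC addresses and payload are constructed, and the heartbeat ethertype 8890 from the text is assumed to be hexadecimal (0x8890), like the TPIDs.

```python
import struct

# Heartbeat ethertype: the page gives "8890"; read here as hex, matching the hex TPIDs it lists.
HA_HEARTBEAT_ETHERTYPE = 0x8890
# Default triple-tag TPID order from the page: 0x8100 outer, 0x88a8 middle, 0x8100 inner.
DEFAULT_TPIDS = (0x8100, 0x88A8, 0x8100)
# TPIDs the tag walker recognises; 0x9100 is the third ha-port-outer-tpid choice on the page.
KNOWN_TPIDS = {0x8100, 0x88A8, 0x9100}


def build_heartbeat_frame(outer_vlan, inner_vlan, tpids=DEFAULT_TPIDS, payload=b"\x00" * 46):
    """Construct a sample triple-tagged heartbeat frame (constructed test data, not a capture)."""
    dst = bytes.fromhex("020000000002")  # constructed locally administered MAC addresses
    src = bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF)
                    for tpid, vid in zip(tpids, (outer_vlan, inner_vlan, inner_vlan)))
    return dst + src + tags + struct.pack("!H", HA_HEARTBEAT_ETHERTYPE) + payload

def parse_tag_stack(frame):
    """Walk the VLAN tags after the MAC addresses; return ([(tpid, vlan_id), ...], ethertype)."""
    offset, tags = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in KNOWN_TPIDS:
            return tags, ethertype
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((ethertype, tci & 0x0FFF))  # VLAN ID is the low 12 bits of the TCI
        offset += 4

def check_heartbeat_frame(frame, expected_outer_vlan, expected_outer_tpid=0x8100):
    """Compare a frame with the configured hbdev VLAN ID and outer TPID; return findings."""
    tags, ethertype = parse_tag_stack(frame)
    findings = []
    if ethertype != HA_HEARTBEAT_ETHERTYPE:
        findings.append("ethertype 0x%04x is not the HA heartbeat ethertype" % ethertype)
    if len(tags) != 3:
        findings.append("expected 3 VLAN tags, saw %d (a switch may be stripping tags)" % len(tags))
    if tags:
        outer_tpid, outer_vlan = tags[0]
        if outer_tpid != expected_outer_tpid:
            findings.append("outer TPID 0x%04x differs from ha-port-outer-tpid 0x%04x"
                            % (outer_tpid, expected_outer_tpid))
        if outer_vlan != expected_outer_vlan:
            findings.append("outer VLAN %d differs from hbdev-vlan-id %d" % (outer_vlan, expected_outer_vlan))
    return findings

def strip_inner_tag(frame):
    """Simulate a switch that drops the innermost tag (bytes 20..23) of a triple-tagged frame."""
    return frame[:20] + frame[24:]
```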

If your switch is compatible with Fortinet's proprietary triple-tagging format, then all you need to do is use the following options to give the M1 and M2 interfaces different VLAN tags.

    config system ha
    set ha-port-dtag-mode proprietary
    set hbdev-vlan-id <vlan>
    set hbdev-second-vlan-id <vlan>
    end

Where:

  • ha-port-dtag-mode is set to proprietary and the FortiGate-7000 uses the default triple-tagging format.
  • hbdev-vlan-id sets the outer VLAN ID used by M1 interface heartbeat packets.
  • hbdev-second-vlan-id sets the outer VLAN ID used by M2 interface heartbeat packets. The M1 and M2 interfaces must have different outer VLAN IDs if they are connected to the same switch.

If your switch is not compatible with Fortinet's proprietary triple-tagging format, you can use the following options to change the outer TPID and ethertype.

    config system ha
    set ha-port-dtag-mode proprietary
    set ha-port-outer-tpid {0x8100 | 0x88a8 | 0x9100}
    set ha-eth-type <ethertype>
    end

Where:

  • ha-port-dtag-mode is set to proprietary and the FortiGate-7000 uses the default triple-tagging format.
  • ha-port-outer-tpid sets the outer TPID to be compatible with the switch. The default outer TPID of 0x8100 is compatible with most third-party switches.
  • ha-eth-type sets the HA heartbeat packet ethertype (default 8890) to be compatible with the switch.

Note

If your switch doesn't support triple tagging, see HA heartbeat VLAN double-tagging.

Example triple-tagging compatible switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

Note

This configuration is not required for FortiGate-7030E HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-7000 to use different VLAN IDs for the M1 and M2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

Note

This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as the native VLAN ID is not the same as the allowed VLAN ID.

  1. On both FortiGate-7000s in the HA configuration, enter the following command to use different VLAN IDs for the M1 and M2 interfaces. The command sets the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087:

    config system ha
    set ha-port-dtag-mode proprietary
    set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
    set hbdev-vlan-id 4086
    set hbdev-second-vlan-id 4087
    end

  2. Use the get system ha or get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     FG74E83E16000015(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
     FG74E83E16000016(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
    ...
  3. Configure the Cisco switch port that connects the M1 interfaces to allow packets with a VLAN ID of 4086:

    interface <name>
    switchport mode trunk
    switchport trunk native vlan 777
    switchport trunk allowed vlan 4086

  4. Configure the Cisco switch port that connects the M2 interfaces to allow packets with a VLAN ID of 4087:

    interface <name>
    switchport mode trunk
    switchport trunk native vlan 777
    switchport trunk allowed vlan 4087
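As an added check (example code, not from the handbook), this Python cross-references the vlan-id values reported by get system ha status in step 2 against the Cisco trunk-port settings from steps 3 and 4: the two interfaces of each M1/M2 group must agree on their VLAN ID, that ID must be in the port's allowed list, the native VLAN must differ from the allowed VLAN, and M1 and M2 must not share an outer VLAN ID. The HBDEV stats excerpt, switch port names and counters are constructed.

```python
import re

# Constructed excerpt in the format of the "get system ha status" HBDEV stats (counters made up).
HA_STATUS = """\
HBDEV stats:
 FG-CONSTRUCTED-A(updated 1 seconds ago):
   1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=10/2/0/0, tx=10/2/0/0, vlan-id=4086
   2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=10/2/0/0, tx=10/2/0/0, vlan-id=4086
   1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=10/2/0/0, tx=10/2/0/0, vlan-id=4087
   2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=10/2/0/0, tx=10/2/0/0, vlan-id=4087
"""
# Constructed Cisco trunk-port configurations, keyed by the heartbeat interface group they carry.
SWITCH_PORTS = {
    "M1": "interface Gi1/0/1\n switchport mode trunk\n switchport trunk native vlan 777\n"
          " switchport trunk allowed vlan 4086",
    "M2": "interface Gi1/0/2\n switchport mode trunk\n switchport trunk native vlan 777\n"
          " switchport trunk allowed vlan 4087",
}
HBDEV_RE = re.compile(r"^\s*(?P<name>\S+-M[12]): .*vlan-id=(?P<vlan>\d+)$", re.M)

def parse_hbdev_stats(text):
    """Map each heartbeat interface (e.g. '1-M1') to the vlan-id reported for it."""
    return {m["name"]: int(m["vlan"]) for m in HBDEV_RE.finditer(text)}

def parse_trunk_port(config):
    """Return (native_vlan, set_of_allowed_vlans) from a Cisco trunk port configuration."""
    native = int(re.search(r"switchport trunk native vlan (\d+)", config).group(1))
    allowed = set()
    for item in re.search(r"switchport trunk allowed vlan ([\d,\-]+)", config).group(1).split(","):
        lo, _, hi = item.partition("-")  # accept single VLANs and ranges such as 10-20
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def audit_heartbeat_vlans(ha_status, switch_ports):
    """Cross-check FortiGate hbdev vlan-ids against the switch ports; return a list of findings."""
    hbdevs = parse_hbdev_stats(ha_status)
    findings, group_vlans = [], {}
    for group in ("M1", "M2"):
        vlans = {vlan for name, vlan in hbdevs.items() if name.endswith("-" + group)}
        group_vlans[group] = vlans
        if len(vlans) != 1:
            findings.append(f"{group}: interfaces disagree on vlan-id {sorted(vlans)}")
        native, allowed = parse_trunk_port(switch_ports[group])
        if native in allowed:
            findings.append(f"{group}: native VLAN {native} must differ from the allowed VLANs")
        findings += [f"{group}: vlan-id {v} is not allowed on the switch port" for v in vlans - allowed]
    if group_vlans["M1"] & group_vlans["M2"]:
        findings.append("M1 and M2 share an outer VLAN ID; they must differ on a shared switch")
    return findings
```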
