FortiGate-7000E Handbook

HA heartbeat VLAN double-tagging

FortiGate-7000E HA supports HA heartbeat double-tagging to be compatible with third-party switches that do not support Fortinet's proprietary triple tagging format. HA heartbeat double-tagging has the following format:

TPID 0x8100 VLAN <vlan-id> (by default 999) + TPID 0x8100 VLAN 10/30 + ethernet packet

You can use the following commands to set the HA VLAN tagging mode to double-tagging, customize the outer TPID, and set the VLAN IDs for M1 and M2. Both FortiGates in the cluster must have the same VLAN tagging configuration.

config system ha
    set ha-port-dtag-mode double-tagging
    set ha-port-outer-tpid {0x8100 | 0x88a8 | 0x9100}
    set hbdev-vlan-id <vlan>
    set hbdev-second-vlan-id <vlan>
    set ha-eth-type <ethertype>
end

Where:

ha-port-dtag-mode, when set to double-tagging, makes the FortiGate-7000E use the double-tagging format.

ha-port-outer-tpid sets the outer TPID to be compatible with the switch. The default outer TPID of 0x8100 is compatible with most third-party switches.

hbdev-vlan-id sets the outer VLAN ID used by M1 interface heartbeat packets.

hbdev-second-vlan-id sets the outer VLAN ID used by M2 interface heartbeat packets. The M1 and M2 interfaces must have different outer VLAN IDs if they are connected to the same switch.

ha-eth-type sets the HA heartbeat packet ethertype (default 8890) to be compatible with the switch.
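
The following is an added example, not Fortinet code: it decodes a captured heartbeat frame and reports every field that disagrees with the tagging settings described above, which helps confirm that both cluster members and the switch agree. The function names and sample frames are constructed for illustration, the default ethertype "8890" is assumed to be hexadecimal, and 4086/4087 are the outer VLAN IDs used in this page's example configuration.

```python
import struct

INNER_TPID = 0x8100      # inner tag TPID, from the page's format line
INNER_VLANS = {10, 30}   # "VLAN 10/30" in the page's format line

def parse_double_tagged(frame: bytes) -> dict:
    """Decode the outer tag, inner tag and ethertype of an Ethernet frame."""
    if len(frame) < 22:  # 12 bytes of MACs + two 4-byte tags + 2-byte ethertype
        raise ValueError("frame too short to carry two VLAN tags")
    o_tpid, o_tci, i_tpid, i_tci, etype = struct.unpack("!5H", frame[12:22])
    return {"outer_tpid": o_tpid, "outer_vlan": o_tci & 0x0FFF,
            "inner_tpid": i_tpid, "inner_vlan": i_tci & 0x0FFF,
            "ethertype": etype}

def check_heartbeat(frame, outer_vlan=999, outer_tpid=0x8100, eth_type=0x8890):
    """List every field that disagrees with the expected HA tagging settings.

    outer_vlan -> hbdev-vlan-id (M1) or hbdev-second-vlan-id (M2)
    outer_tpid -> ha-port-outer-tpid
    eth_type   -> ha-eth-type; the default "8890" is read as hex (assumption)
    """
    try:
        f = parse_double_tagged(frame)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f["outer_tpid"] != outer_tpid:
        problems.append(f"outer TPID {f['outer_tpid']:#06x}, expected {outer_tpid:#06x}")
    if f["outer_vlan"] != outer_vlan:
        problems.append(f"outer VLAN {f['outer_vlan']}, expected {outer_vlan}")
    if f["inner_tpid"] != INNER_TPID:
        problems.append(f"inner TPID {f['inner_tpid']:#06x}, frame is not double-tagged")
    elif f["inner_vlan"] not in INNER_VLANS:
        problems.append(f"inner VLAN {f['inner_vlan']}, expected 10 or 30")
    elif f["ethertype"] != eth_type:
        problems.append(f"ethertype {f['ethertype']:#06x}, expected {eth_type:#06x}")
    return problems

def sample_frame(outer_vlan, inner_vlan, outer_tpid=0x8100, eth_type=0x8890):
    """Constructed test frame: placeholder MACs, two tags, dummy payload."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tags = struct.pack("!5H", outer_tpid, outer_vlan, INNER_TPID, inner_vlan, eth_type)
    return macs + tags + b"\x00" * 46

if __name__ == "__main__":
    print(check_heartbeat(sample_frame(4086, 10), outer_vlan=4086))  # M1 frame
    print(check_heartbeat(sample_frame(4087, 30), outer_vlan=4086))  # M2 frame on M1 VLAN
```

An empty list means the frame matches the expected settings; a frame carrying the M2 outer VLAN on an M1 port is reported as an outer VLAN mismatch.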

Example double-tagging switch configuration

The following switch configuration is compatible with FortiGate-7040E HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-7040E HA heartbeat configuration is:

config system ha
    set ha-port-dtag-mode double-tagging
    set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
    set hbdev-vlan-id 4086
    set hbdev-second-vlan-id 4087
end

Example third-party switch configuration:

Switch interfaces 37 to 40 connect to the M1 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet37
   description **** FGT-7000E M1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4086
   switchport mode dot1q-tunnel
!
interface Ethernet38
   description **** FGT-7000E M1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4086
   switchport mode dot1q-tunnel
!
interface Ethernet39
   description **** FGT-7000E M1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4086
   switchport mode dot1q-tunnel
!
interface Ethernet40
   description **** FGT-7000E M1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4086
   switchport mode dot1q-tunnel
!

Switch interfaces 41 to 44 connect to the M2 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet41
   description **** FGT-7000E M2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4087
   switchport mode dot1q-tunnel
!
interface Ethernet42
   description **** FGT-7000E M2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4087
   switchport mode dot1q-tunnel
!
interface Ethernet43
   description **** FGT-7000E M2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4087
   switchport mode dot1q-tunnel
!
interface Ethernet44
   description **** FGT-7000E M2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4087
   switchport mode dot1q-tunnel
