FortiGate-6000 and FortiGate-7000 Release Notes

Example FortiGate-6000 HA heartbeat switch configurations

FortiGate-6000 for FortiOS 6.2.12 allows you to use proprietary triple-tagging or double-tagging for HA heartbeat packets.

Example triple-tagging compatible switch configuration

The switch that you use to connect the HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q or double-tagging), but it must be able to forward double-tagged frames intact. Some switches strip the inner tag; Fortinet recommends avoiding these switches. FortiSwitch D-series and E-series switches forward double-tagged frames correctly.

Note This switch configuration is not required if the HA heartbeat interfaces of the two FortiGate-6000s are connected directly to each other.

This example shows how to configure a FortiGate-6000 to use different VLAN IDs for the HA1 and HA2 HA heartbeat interfaces and then how to configure two interfaces on a Cisco switch to allow HA heartbeat packets.

Note This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as it is not the same as the allowed VLAN ID: a Cisco trunk sends native-VLAN frames untagged by default, so a heartbeat VLAN that is also the native VLAN would leave the switch with its outer tag removed.
  1. On both FortiGate-6000s, enter the following command to use different VLAN IDs for the HA1 and HA2 interfaces. The command sets the ha1 VLAN ID to 4091 and the ha2 VLAN ID to 4092:

    config system ha
        set ha-port-dtag-mode proprietary
        set hbdev ha1 50 ha2 100
        set hbdev-vlan-id 4091
        set hbdev-second-vlan-id 4092
    end

  2. Use the get system ha or get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     F6KF51T018900026(updated 4 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
     F6KF51T018900022(updated 3 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
    ...
  3. Configure the Cisco switch interface that connects the HA1 interfaces to allow packets with a VLAN ID of 4091:

    interface <name>
     switchport mode trunk
     switchport trunk native vlan 777
     switchport trunk allowed vlan 4091

  4. Configure the Cisco switch port that connects the HA2 interfaces to allow packets with a VLAN ID of 4092:

    interface <name>
     switchport mode trunk
     switchport trunk native vlan 777
     switchport trunk allowed vlan 4092
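The procedure above has two places where a mismatch silently breaks heartbeat delivery: the two chassis disagreeing on a VLAN ID, and a switch port whose native VLAN equals the allowed heartbeat VLAN. The following Python script is an added example, not Fortinet's code or part of this page. It parses the HBDEV section of `get system ha status` (the sample is copied in shape from the output above) and a Cisco-style trunk configuration, and reports both classes of problem. The switch snippet, its interface names, and the deliberately misconfigured second port are constructed for the example.

```python
"""Pre-flight checks for a FortiGate-6000 HA heartbeat VLAN setup.

Added example, not Fortinet code. Parses the HBDEV stats of
`get system ha status` and a Cisco-style trunk config and reports
VLAN mismatches, down links, drops/errors, and native == allowed VLAN.
"""
import re

# Values from `set hbdev-vlan-id` / `set hbdev-second-vlan-id` on this page.
EXPECTED_VLANS = {"ha1": 4091, "ha2": 4092}

# Constructed sample, copied in shape from the `get system ha status` output above.
HA_STATUS_SAMPLE = """\
HBDEV stats:
 F6KF51T018900026(updated 4 seconds ago):
  ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
  ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
 F6KF51T018900022(updated 3 seconds ago):
  ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
  ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
"""

# Constructed Cisco-style snippet; interface names are placeholders. The second
# port deliberately shows the misconfiguration the page's note warns against.
SWITCH_PORTS_SAMPLE = """\
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 777
 switchport trunk allowed vlan 4091
!
interface TenGigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 4092
 switchport trunk allowed vlan 4092
!
"""

CHASSIS_RE = re.compile(r"^\s*([A-Za-z0-9]+)\(updated ")
HBDEV_RE = re.compile(
    r"^\s+(ha\d+): \S+, (\w+), "
    r"rx-bytes/packets/dropped/errors=\d+/\d+/(\d+)/(\d+), "
    r"tx=\d+/\d+/(\d+)/(\d+), vlan-id=(\d+)"
)

def parse_hbdev_stats(text):
    """Map chassis serial -> {ha1/ha2: {state, dropped, errors, vlan}}."""
    stats, serial = {}, None
    for line in text.splitlines():
        m = CHASSIS_RE.match(line)
        if m:
            serial = m.group(1)
            stats[serial] = {}
            continue
        m = HBDEV_RE.match(line)
        if m and serial is not None:
            stats[serial][m.group(1)] = {
                "state": m.group(2),
                "dropped": int(m.group(3)) + int(m.group(5)),
                "errors": int(m.group(4)) + int(m.group(6)),
                "vlan": int(m.group(7)),
            }
    return stats

def check_heartbeat(stats, expected=EXPECTED_VLANS):
    """Return a list of problems; empty means both chassis agree on the VLAN IDs."""
    problems = []
    if len(stats) < 2:
        problems.append("fewer than two chassis report HBDEV stats")
    for serial, devs in stats.items():
        for dev, vlan in expected.items():
            info = devs.get(dev)
            if info is None:
                problems.append(f"{serial}: {dev} missing from HBDEV stats")
                continue
            if info["state"] != "up":
                problems.append(f"{serial}: {dev} is {info['state']}")
            if info["vlan"] != vlan:
                problems.append(f"{serial}: {dev} vlan-id={info['vlan']}, expected {vlan}")
            if info["dropped"] or info["errors"]:
                problems.append(f"{serial}: {dev} shows drops or errors")
    return problems

def parse_trunk_ports(config):
    """Collect name, native VLAN and allowed VLAN set per interface stanza (comma lists only)."""
    ports, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"name": line.split(None, 1)[1], "native": None, "allowed": set()}
            ports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = {int(v) for v in line.rsplit(None, 1)[1].split(",")}
    return ports

def check_trunk_ports(config, heartbeat_vlans=frozenset(EXPECTED_VLANS.values())):
    """Flag ports whose native VLAN would strip the heartbeat tag, or that allow no heartbeat VLAN."""
    problems = []
    for p in parse_trunk_ports(config):
        if p["native"] is None or not p["allowed"]:
            problems.append(f"{p['name']}: native or allowed VLAN not set")
        elif p["native"] in p["allowed"]:
            problems.append(f"{p['name']}: native vlan {p['native']} equals the allowed vlan")
        elif not p["allowed"] & heartbeat_vlans:
            problems.append(f"{p['name']}: allowed {sorted(p['allowed'])} contains no heartbeat VLAN")
    return problems

if __name__ == "__main__":
    for problem in check_heartbeat(parse_hbdev_stats(HA_STATUS_SAMPLE)) + check_trunk_ports(SWITCH_PORTS_SAMPLE):
        print("PROBLEM:", problem)
```

Run it against the real `get system ha status` output and `show running-config interface` of the heartbeat ports after step 4; the sample HBDEV output passes, and the second constructed port is reported because its native VLAN and allowed VLAN are both 4092.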

Example double-tagging compatible switch configuration

The following switch configuration is compatible with FortiGate-6000 HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-6000 HA heartbeat configuration is:

config system ha
    set ha-port-dtag-mode double-tagging
    set hbdev ha1 50 ha2 50
    set hbdev-vlan-id 4091
    set hbdev-second-vlan-id 4092
end

Example third-party switch configuration:

Switch interfaces 37 and 38 connect to the HA1 interfaces of both FortiGate-6000s.

interface Ethernet37
   description **** FGT-6000F HA1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4091
   switchport mode dot1q-tunnel
!
interface Ethernet38
   description **** FGT-6000F HA1 HA HB ****
   speed forced 10000full
   switchport access vlan 660
   switchport trunk native vlan 4091
   switchport mode dot1q-tunnel
!

Switch interfaces 39 and 42 connect to the HA2 interfaces of both FortiGate-6000s.

interface Ethernet39
   description **** FGT-6000F HA2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4092
   switchport mode dot1q-tunnel
!
interface Ethernet42
   description **** FGT-6000F HA2 HA HB ****
   mtu 9214
   speed forced 10000full
   no error-correction encoding
   switchport access vlan 770
   switchport trunk native vlan 4092
   switchport mode dot1q-tunnel
!
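Whether a switch really passes the double-tagged heartbeat frames through unchanged is easiest to confirm from a capture on the receiving side. The following Python is an added example, not Fortinet's code or part of this page: it builds 802.1Q-tagged Ethernet frames with the default TPID 0x8100 and walks the tag stack of a captured frame, so the VLAN IDs that arrived can be compared with the ones sent. The MAC addresses, the inner VLAN ID 100, the payload and the "stripped" frame are constructed placeholders; the page does not describe the exact tag layout the FortiGate uses, so only the outer VID 4091 is taken from the configuration above.

```python
"""Inspect the 802.1Q tag stack of an Ethernet frame.

Added example, not Fortinet code. Feed it frames captured on the far
side of the heartbeat switch: a switch that strips a tag (the case the
page warns about) shows fewer VLAN IDs than were sent.
"""
import struct

TPID_8100 = 0x8100   # default TPID used by the double-tagging mode on this page
TPID_88A8 = 0x88A8   # IEEE 802.1ad service tag; accepted on parse, not assumed on build

def build_frame(dst_hex, src_hex, vids, ethertype, payload, tpid=TPID_8100):
    """Ethernet frame with one 802.1Q tag per VLAN ID in `vids`, outermost first."""
    header = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    tags = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload

def tag_stack(frame):
    """Return (VLAN IDs outermost first, innermost EtherType); raises on truncation."""
    vids, off = [], 12          # skip destination and source MAC
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated before EtherType")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8100, TPID_88A8):
            return vids, tpid   # not a tag: this is the payload EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        off += 4

def heartbeat_tags_intact(frame, expected_vids):
    """True if the frame carries exactly `expected_vids`, outermost first."""
    vids, _ = tag_stack(frame)
    return vids == list(expected_vids)

# Constructed samples: placeholder MACs, an arbitrary inner VID of 100 and a
# zero payload. Outer VID 4091 matches the HA1 native VLAN on this page.
DST, SRC = "ffffffffffff", "021122334455"
SENT = build_frame(DST, SRC, [4091, 100], 0x0800, b"\x00" * 20)
STRIPPED = build_frame(DST, SRC, [4091], 0x0800, b"\x00" * 20)  # what a tag-stripping switch would deliver

if __name__ == "__main__":
    for name, frame in (("sent", SENT), ("stripped", STRIPPED)):
        vids, ethertype = tag_stack(frame)
        ok = heartbeat_tags_intact(frame, [4091, 100])
        print(f"{name}: vids={vids} ethertype=0x{ethertype:04x} intact={ok}")
```

To use it on real traffic, read the raw frame bytes from a pcap taken on the receiving heartbeat port and pass them to `tag_stack`; a result with fewer VIDs than were sent identifies a switch that should not be used for the heartbeat links.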
