
FortiLink Guide


Appendix B: Configuring HSR and PRP with FortiLink

Starting in FortiSwitchOS 7.2.4, High-Availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are supported. Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support HSR and PRP.

This section covers the following topics:

Configuring HSR with FortiLink

HSR is defined in the international standard IEC 62439-3-2016 clause 5. HSR provides seamless communication with fault tolerance by duplicating every unicast frame sent in HSR networks. Although HSR can be used in different topologies such as ring, bus, and mesh, the most commonly used topology is a single ring topology. This document focuses on the HSR ring topology. A simple HSR network consists of doubly attached bridging nodes, each having two ring ports, interconnected by full-duplex links. The simplest HSR topology contains two switches with two links between them; the ports connected to these two links serve as the HSR ring ports.

The following figure shows HSR being used with FortiLink.


You need to first configure HSR and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing them on the FortiGate device.

In the preceding figure, the HSR ring ports (port5-port6) belong to the hsr-internal-vlan 4000. The hsr-internal-vlan cannot be the same as the FortiLink management VLAN 4094 because the loopback static-isl trunk cannot have the native VLAN 4094 configured if the hsr-internal-vlan is set to 4094.

The switch management VLAN 4094 uses port26 for output with the native VLAN set to 4094 in all switches (port26 is the static ISL trunk with a native VLAN of 4094, which allows other normal data VLANs except for hsr-internal-vlan 4000). The native control packets in VLAN 4094 are sent to the port25 interlink port (VLAN 4000) through the physical loopback connection. Therefore, the native control packets go through the HSR ring to reach the tier-1 switch.

In the tier-1 switch, the native control packets are forwarded from the HSR ring to port28 (the interlink port of the FortiLink trunk) and then to the FortiLink interface. Therefore, the FortiGate device can manage all switches.

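NOTE: The switch control plane (VLAN 4094) and the intelligent electronic device (IED) data plane (hsr-internal-vlan 4000) are in the same layer-2 broadcast domain. In this design, the VLAN numbering therefore does not isolate switch management traffic from the IED hosts at layer 2; plan access controls for the management plane with that in mind.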

All IED hosts in VLAN 4000 go out of port28 (the FortiLink trunk) of the tier-1 switch with native packets. The FortiLink interface in the FortiGate device receives these packets from all IED hosts. Therefore, the traffic of all IED hosts is in the FortiLink management VLAN on the FortiGate device (the management VLAN is 4094).

NOTE: The data traffic in VLAN 4000 will use the FortiLink interface as a gateway.

FortiLink can manage other normal data VLANs as usual.

Configuration example

To configure FGR-70F:

config system interface

edit "fortilink"

set vdom "root"

set fortilink enable

set ip 10.255.1.1 255.255.255.0

set allowaccess ping fabric

set type aggregate

set member "port3"

set lldp-reception enable

set lldp-transmission enable

set lacp-mode static

next

end

To configure FSR-424F-POE-1:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

edit "trunk11"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port11"

next

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

end

config switch interface

edit "trunk11"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-2:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

set snmp-index 49

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-3:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

Configuring HSR and PRP with FortiLink

The PRP is defined in the international standard IEC 62439-3-2016 clause 4. PRP provides seamless communication with fault tolerance by duplicating every unicast frame sent in PRP networks. You can use PRP in different topologies such as ring, bus, or meshed.

A doubly attached node with PRP (DANP) is attached to two independent local area networks (LANs) with similar topologies, named LAN_A and LAN_B, which operate in parallel. A source DANP sends the same frame over both LANs, and a destination DANP receives it from both LANs within a certain time, consumes the first frame, and discards the duplicate. If a LAN fails, a DANP destination continues to operate with the frames from the other LAN.

Uncritical nodes, such as laptops or printers, are usually attached to just one LAN as single attached nodes (SANs). SANs that need to communicate with each other must be on the same LAN. If a critical node without PRP capability needs to communicate with all other nodes, it can be attached to a redundancy box (RedBox). The RedBox allows the single-interface node to be attached to both networks and communicate with all other nodes. Because a node behind a RedBox appears to be a doubly attached node (DAN) to the other nodes, it is called a virtual DAN (VDAN). The RedBox itself is a DANP and acts as a proxy on behalf of its VDANs. Because LAN_A and LAN_B must be independent, any connections among DANs and RedBoxes are not allowed.

The simplest PRP topology configuration is two switches with two links between them; the ports connected to these two links serve as PRP channel ports. PRP channel ports are always a pair of an odd-numbered switch port and an even-numbered switch port. The pair of switch ports are hard coded, for example, port1-port2, port3-port4,…port27-port28.

The following figure shows HSR and PRP being used with FortiLink.


You need to first configure HSR and PRP and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing them on the FortiGate device.

NOTE:
  • The IEDs and the GPS clock are PRP-capable stations. The hosts are normal hosts without PRP support.

  • All hosts receive packets with the PRP trailer, so the host applications need to ignore the PRP trailer in the packets to make the applications work.

Configuration example

To configure FSR-424F-POE-1:

config switch prp channel

edit 1

set status enable

set channel-port-pair port17-port18

set prp-internal-vlan 4000

next

end

config switch trunk

edit "trunk11"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port11"

next

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "PRP1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port17" "port18"

next

end

config switch interface

edit "trunk11"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "PRP1"

set native-vlan 4000

set stp-state disabled

set snmp-index 50

next

end

To configure FSR-424F-POE-2:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "trunk10"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port10"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk10"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-3:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set stp-state disabled

next

end

To configure FSR-424F-POE-4:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "trunk10"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port10"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk10"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-5:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set stp-state disabled

next

end

Limitations for HSR and PRP with FortiLink

  • You have to configure the static-isl trunk on the loopback trunk and the interlink port connected to the loopback trunk, and you have to set static-isl-auto-vlan to disable.

  • The HSR and PRP internal VLANs must be defined on the FortiGate device with the default options and without an IP address. This VLAN can be assigned as the native VLAN on those HSR and PRP interlink ports.

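    In the following example, VLAN 4000 is the hsr-internal-vlan and prp-internal-vlan. The example attaches the VLAN to a FortiLink interface named "fortilink1"; use the name of your own FortiLink interface (the FGR-70F example earlier in this appendix names it "fortilink"):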

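    1. Configure VLAN 4000 in the FortiGate system interface. The example enables ping, HTTPS, SSH, and HTTP access with set allowaccess; because this VLAN carries IED traffic, keep only the access types you need and avoid plaintext HTTP: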

      config system interface

      edit "vlan4000"

      set vdom "root"

      set allowaccess ping https ssh http

      set device-identification enable

      set role lan

      set snmp-index 109

      set interface "fortilink1"

      set vlanid 4000

      next

      end

    2. Configure VLAN 4000 in the FortiGate switch controller:

      config switch-controller managed-switch

      edit SR24FPTF21000005

      config ports

      edit port8

      set vlan vlan4000

      unset allowed-vlans

      unset untagged-vlans

      end

      end

Appendix B: Configuring HSR and PRP with FortiLink

Starting in FortiSwitchOS 7.2.4, High-Availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are supported. Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support HSR and PRP.

This section covers the following topics:

Configuring HSR with FortiLink

HSR is defined in the international standard IEC 62439-3-2016 clause 5. HSR provides seamless communication with fault tolerance by duplicating every unicast frame sent in HSR networks. Although HSR can be used in different topologies such as ring, bus, and mesh, the most commonly used topology is a single ring topology. This document focuses on the HSR ring topology. A simple HSR network consists of doubly attached bridging nodes, each having two ring ports, interconnected by full-duplex links. The simplest HSR topology contains two switches with two links between them; the ports connected to these two links serve as the HSR ring ports.

The following figure shows HSR being used with FortiLink.


You need to first configure HSR and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing them on the FortiGate device.

In the preceding figure, the HSR ring ports (port5-port6) belong to the hsr-internal-vlan 4000. The hsr-internal-vlan cannot be the same as the FortiLink management VLAN 4094 because the loopback static-isl trunk cannot have the native VLAN 4094 configured if the hsr-internal-vlan is set to 4094.

The switch management VLAN 4094 uses port26 for output with the native VLAN set to 4094 in all switches (port26 is the static ISL trunk with a native VLAN of 4094, which allows other normal data VLANs except for hsr-internal-vlan 4000). The native control packets in VLAN 4094 are sent to the port25 interlink port (VLAN 4000) through the physical loopback connection. Therefore, the native control packets go through the HSR ring to reach the tier-1 switch.

In the tier-1 switch, the native control packets are forwarded from the HSR ring to port28 (the interlink port of the FortiLink trunk) and then to the FortiLink interface. Therefore, the FortiGate device can manage all switches.

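NOTE: The switch control plane (VLAN 4094) and the intelligent electronic device (IED) data plane (hsr-internal-vlan 4000) are in the same layer-2 broadcast domain. In this design, the VLAN numbering therefore does not isolate switch management traffic from the IED hosts at layer 2; plan access controls for the management plane with that in mind.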

All IED hosts in VLAN 4000 go out of port28 (the FortiLink trunk) of the tier-1 switch with native packets. The FortiLink interface in the FortiGate device receives these packets from all IED hosts. Therefore, the traffic of all IED hosts is in the FortiLink management VLAN on the FortiGate device (the management VLAN is 4094).

NOTE: The data traffic in VLAN 4000 will use the FortiLink interface as a gateway.

FortiLink can manage other normal data VLANs as usual.

Configuration example

To configure FGR-70F:

config system interface

edit "fortilink"

set vdom "root"

set fortilink enable

set ip 10.255.1.1 255.255.255.0

set allowaccess ping fabric

set type aggregate

set member "port3"

set lldp-reception enable

set lldp-transmission enable

set lacp-mode static

next

end

To configure FSR-424F-POE-1:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

edit "trunk11"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port11"

next

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

end

config switch interface

edit "trunk11"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-2:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

set snmp-index 49

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-3:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port1"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port2"

next

edit "HSR1" // automatically created

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1" // automatically created

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

Configuring HSR and PRP with FortiLink

The PRP is defined in the international standard IEC 62439-3-2016 clause 4. PRP provides seamless communication with fault tolerance by duplicating every unicast frame sent in PRP networks. You can use PRP in different topologies such as ring, bus, or meshed.

A doubly attached node with PRP (DANP) is attached to two independent local area networks (LANs) with similar topologies, named LAN_A and LAN_B, which operate in parallel. A source DANP sends the same frame over both LANs, and a destination DANP receives it from both LANs within a certain time, consumes the first frame, and discards the duplicate. If a LAN fails, a DANP destination continues to operate with the frames from the other LAN.

Uncritical nodes, such as laptops or printers, are usually attached to just one LAN as single attached nodes (SANs). SANs that need to communicate with each other must be on the same LAN. If a critical node without PRP capability needs to communicate with all other nodes, it can be attached to a redundancy box (RedBox). The RedBox allows the single-interface node to be attached to both networks and communicate with all other nodes. Because a node behind a RedBox appears to be a doubly attached node (DAN) to the other nodes, it is called a virtual DAN (VDAN). The RedBox itself is a DANP and acts as a proxy on behalf of its VDANs. Because LAN_A and LAN_B must be independent, any connections among DANs and RedBoxes are not allowed.

The simplest PRP topology configuration is two switches with two links between them; the ports connected to these two links serve as PRP channel ports. PRP channel ports are always a pair of an odd-numbered switch port and an even-numbered switch port. The pair of switch ports are hard coded, for example, port1-port2, port3-port4,…port27-port28.

The following figure shows HSR and PRP being used with FortiLink.


You need to first configure HSR and PRP and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing them on the FortiGate device.

NOTE:
  • The IEDs and the GPS clock are PRP-capable stations. The hosts are normal hosts without PRP support.

  • All hosts receive packets with the PRP trailer, so the host applications need to ignore the PRP trailer in the packets to make the applications work.

Configuration example

To configure FSR-424F-POE-1:

config switch prp channel

edit 1

set status enable

set channel-port-pair port17-port18

set prp-internal-vlan 4000

next

end

config switch trunk

edit "trunk11"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port11"

next

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "PRP1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port17" "port18"

next

end

config switch interface

edit "trunk11"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "PRP1"

set native-vlan 4000

set stp-state disabled

set snmp-index 50

next

end

To configure FSR-424F-POE-2:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "trunk10"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port10"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk10"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-3:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set stp-state disabled

next

end

To configure FSR-424F-POE-4:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "trunk10"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port10"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "trunk10"

set native-vlan 4000

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

To configure FSR-424F-POE-5:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port5-port6

set hsr-internal-vlan 4000

next

end

config switch trunk

edit "trunk1"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port25"

next

edit "trunk2"

set auto-isl 1

set static-isl enable

set static-isl-auto-vlan disable

set members "port26"

next

edit "HSR1"

set mode prp-hsr

set static-isl enable

set static-isl-auto-vlan disable

set members "port5" "port6"

next

end

config switch interface

edit "trunk1"

set native-vlan 4000

set dhcp-snooping trusted

set stp-state disabled

set edge-port disabled

next

end

config switch interface

edit "trunk2"

set native-vlan 4094

set allowed-vlans 1-3999,4001-4094

set dhcp-snooping trusted

set edge-port disabled

next

end

config switch interface

edit "HSR1"

set native-vlan 4000

set stp-state disabled

next

end

Limitations for HSR and PRP with FortiLink

  • You have to configure the static-isl trunk on the loopback trunk and the interlink port connected to the loopback trunk, and you have to set static-isl-auto-vlan to disable.

  • The HSR and PRP internal VLANs must be defined on the FortiGate device with the default options and without an IP address. This VLAN can be assigned as the native VLAN on those HSR and PRP interlink ports.

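    In the following example, VLAN 4000 is the hsr-internal-vlan and prp-internal-vlan. The example attaches the VLAN to a FortiLink interface named "fortilink1"; use the name of your own FortiLink interface (the FGR-70F example earlier in this appendix names it "fortilink"):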

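    1. Configure VLAN 4000 in the FortiGate system interface. The example enables ping, HTTPS, SSH, and HTTP access with set allowaccess; because this VLAN carries IED traffic, keep only the access types you need and avoid plaintext HTTP: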

      config system interface

      edit "vlan4000"

      set vdom "root"

      set allowaccess ping https ssh http

      set device-identification enable

      set role lan

      set snmp-index 109

      set interface "fortilink1"

      set vlanid 4000

      next

      end

    2. Configure VLAN 4000 in the FortiGate switch controller:

      config switch-controller managed-switch

      edit SR24FPTF21000005

      config ports

      edit port8

      set vlan vlan4000

      unset allowed-vlans

      unset untagged-vlans

      end

      end