FortiGate-7000 Handbook

Connect the M1 and M2 interfaces for HA heartbeat communication

HA heartbeat communication between FortiGate-7000s happens over the 10Gbit M1 and M2 interfaces of the FIMs in each chassis. To set up HA heartbeat connections:

  • Connect the M1 interfaces of all FIMs together using a switch.
  • Connect the M2 interfaces of all FIMs together using another switch.

All of the M1 interfaces must be connected together with a switch and all of the M2 interfaces must be connected together with another switch. Connecting M1 interfaces or M2 interfaces directly is not supported as each FIM needs to communicate with all other FIMs.

Note: Connect the M1 and M2 interfaces before enabling HA. Enabling HA moves heartbeat communication between the FIMs in the same chassis to the M1 and M2 interfaces. So if these interfaces are not connected before you enable HA, FIMs in the same chassis will not be able to communicate with each other.

Heartbeat packets are VLAN packets with VLAN ID 999 and ethertype 9890. The MTU value for the M1 and M2 interfaces is 1500.

You can use the following command to change the HA heartbeat packet VLAN ID and ethertype values if required for your switches. You must change these settings on each FIM interface module. By default the M1 and M2 interface heartbeat packets use the same VLAN IDs. The following example changes the M1 VLAN ID to 991 and the M2 VLAN ID to 992.

    config system ha
        set hbdev M1/M2
        set hbdev-vlan-id 991
        set hbdev-second-vlan-id 992
        set ha-eth-type <eth-type>
    end

For this configuration to work, you must configure both VLAN IDs. You cannot use the default value of 999.

Recommended HA heartbeat interface configuration

For redundancy, Fortinet recommends using separate switches for the M1 and M2 connections. These switches should be dedicated to HA heartbeat communication and not used for other traffic.

If you use the same switch for the M1 and M2 interfaces, separate the M1 and M2 traffic on the switch and set the heartbeat traffic on the M1 and M2 interfaces to have different VLAN IDs.

If you don't set different VLAN IDs for the M1 and M2 heartbeat packets, you must enable q-in-q on the switch.

Sample switch configuration

Sample switch configuration for a Cisco Catalyst switch. This configuration sets the interface speeds, configures the switch to allow VLAN 999, and enables trunk mode:

    ##interface config
    interface TenGigabitEthernet1/0/5
        description Chassis1 FIM1 M1
        switchport trunk allowed vlan 999
        switchport mode trunk

If you are using one switch for both M1 and M2 connections, the configuration would be the same except you would add q-in-q support and two different VLANs, one for M1 traffic and one for M2 traffic.

For the M1 connections:

    interface Ethernet1/5
        description QinQ Test
        switchport mode dot1q-tunnel
        switchport access vlan 777
        spanning-tree port type edge

For the M2 connections:

    interface Ethernet1/5
        description QinQ Test
        switchport mode dot1q-tunnel
        switchport access vlan 888
        spanning-tree port type edge

HA packets must have the configured VLAN tag. If the switch removes or changes this tag, HA heartbeat communication will not work and network traffic will be disrupted.
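
One way to verify the tag requirement above on frames captured at an FIM-facing switch port. This is an added example, not part of the Fortinet handbook or FortiOS. It assumes the handbook's ethertype 9890 is hexadecimal (0x9890) and that tags use TPID 0x8100 or 0x88a8; the function names and sample frames are constructed for illustration.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (q-in-q outer) tag protocol IDs

def parse_vlan_stack(frame: bytes):
    """Return ([VLAN IDs, outermost first], payload ethertype) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlans = 12, []  # skip destination and source MAC addresses
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return vlans, etype

def check_heartbeat(frame, expected_vlan=999, expected_ethertype=0x9890):
    """Classify a frame captured on an FIM-facing port.

    Assumption: the handbook's ethertype 9890 is hexadecimal (0x9890).
    """
    vlans, etype = parse_vlan_stack(frame)
    if etype != expected_ethertype:
        return "not-heartbeat"
    if not vlans:
        return "tag-stripped"       # switch removed the heartbeat VLAN tag
    if vlans[-1] != expected_vlan:
        return "tag-rewritten"      # switch changed the heartbeat VLAN ID
    if len(vlans) > 1:
        return "outer-tag-present"  # q-in-q tunnel tag was not removed on egress
    return "ok"

def build_frame(vlans, etype):
    """Construct a sample frame (made-up MAC addresses, zero payload)."""
    frame = bytes.fromhex("ffffffffffff020000000001")
    for vid in vlans:
        frame += struct.pack("!HH", 0x8100, vid)
    return frame + struct.pack("!H", etype) + bytes(46)

if __name__ == "__main__":
    for vlans in ([999], [], [1], [777, 999]):
        print(vlans, check_heartbeat(build_frame(vlans, 0x9890)))
```

Pass `expected_vlan=991` or `992` when the heartbeat VLAN IDs have been changed as in the `config system ha` example.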
