FortiGate-7000 Handbook

Connect the M1 and M2 interfaces for HA heartbeat communication

HA heartbeat communication between FortiGate-7000s happens over the 10Gbit M1 and M2 interfaces of the FIMs in each chassis. To set up HA heartbeat connections:

  • Connect the M1 interfaces of all FIMs together using a switch.
  • Connect the M2 interfaces of all FIMs together using another switch.

All of the M1 interfaces must be connected to one switch and all of the M2 interfaces to another switch. Connecting M1 interfaces (or M2 interfaces) to each other directly, without a switch, is not supported, because each FIM must be able to exchange heartbeats with every other FIM in the cluster and a direct cable only links two of them. The two-chassis FortiGate-7030E configuration described under Recommended HA heartbeat interface configuration is the exception.

Caution Connect the M1 and M2 interfaces before enabling HA. Enabling HA moves heartbeat communication between the FIMs in the same chassis onto the M1 and M2 interfaces, so if these interfaces are not connected before you enable HA, the FIMs in the same chassis will no longer be able to communicate with each other.

Heartbeat packets are VLAN-tagged Ethernet frames that, by default, carry VLAN ID 999 and ethertype 0x8890. The MTU of the M1 and M2 interfaces is 1500.

You can use the following command to change the HA heartbeat VLAN ID and ethertype if your switches require it. By default the M1 and M2 heartbeat packets use the same VLAN ID. The following example changes the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087 (the ha-eth-type line is only needed if the ethertype must change as well).

config system ha
    set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
    set hbdev-vlan-id 4086
    set hbdev-second-vlan-id 4087
    set ha-eth-type <eth-type>
end

For this configuration to work you must change both VLAN IDs; neither of them can remain at the default value of 999.

Recommended HA heartbeat interface configuration

If you are setting up an HA configuration of two FortiGate-7030Es installed in the same location, you can directly connect their M1 interfaces and their M2 interfaces without using switches.

For all other FortiGate-7000 models, and for redundancy, Fortinet recommends using separate switches for the M1 and M2 connections. These switches should be dedicated to HA heartbeat communication and not carry any other traffic.

If you use the same switch for the M1 and M2 interfaces, keep the M1 and M2 traffic separated on the switch and configure the M1 and M2 heartbeat traffic to use different VLAN IDs.

If you do not set different VLAN IDs for the M1 and M2 heartbeat packets, you must enable Q-in-Q on the switch so that the outer (service) tag keeps the two heartbeat segments apart even though both carry the same inner VLAN ID.

Example FortiGate-7000 switch configuration

The switch used for the HA heartbeat interfaces does not have to implement IEEE 802.1ad (Q-in-Q, double tagging) itself, but it must forward double-tagged frames unchanged. Some switches strip the inner tag, which is the one carrying the heartbeat VLAN ID, and Fortinet recommends avoiding these switches. FortiSwitch D and E series forward double-tagged frames correctly.
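What the heartbeat frames described above look like on the wire, and why a switch that strips the inner tag breaks heartbeat delivery, can be seen in the following Python example. It is added here for illustration and is not FortiOS code; the heartbeat payload is replaced by filler bytes, and the MAC addresses, the Q-in-Q service VLAN 100 and the receiver check are assumptions. It builds single- and double-tagged frames with the page's values (VLAN 999 and ethertype 0x8890, or the split 4086/4087 IDs), decodes the tag stack the way a receiver would, and models both a correct Q-in-Q transit and the defective one.

```python
import struct

# Values stated on the page: default heartbeat VLAN ID 999 and ethertype 0x8890.
HB_DEFAULT_VLAN = 999
HB_ETHERTYPE = 0x8890
TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (outer tag of a Q-in-Q frame)

# Constructed MAC addresses for the example; they are not real FIM addresses.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def build_frame(vlans, ethertype=HB_ETHERTYPE, payload=b"\x00" * 46):
    """Build an Ethernet frame tagged with `vlans`, outermost tag first.

    The outer tag of a double-tagged frame uses the 802.1ad TPID; a single
    tag or an inner tag uses 802.1Q. PCP and DEI bits are left at zero.
    """
    frame = DST + SRC
    for i, vid in enumerate(vlans):
        tpid = TPID_8021AD if (len(vlans) > 1 and i == 0) else TPID_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def decode_tags(frame):
    """Walk the tag stack that follows the two MAC addresses.

    Returns (VLAN IDs outermost first, ethertype after the last tag, payload).
    """
    off, vlans = 12, []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return vlans, tpid, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)
        off += 4


def is_heartbeat(frame, hb_vlan=HB_DEFAULT_VLAN, hb_ethertype=HB_ETHERTYPE):
    """Assumed receiver check: the innermost tag must carry the heartbeat
    VLAN ID and the ethertype behind it must be the heartbeat ethertype.
    An extra outer (service) tag is tolerated; a missing inner tag is not."""
    vlans, etype, _ = decode_tags(frame)
    return bool(vlans) and vlans[-1] == hb_vlan and etype == hb_ethertype


def qinq_transit(frame, svlan, strips_inner_tag=False):
    """Model a switch carrying the frame across a Q-in-Q service VLAN.

    Ingress pushes an outer service tag; egress pops it again. A switch
    with the defect the text warns about also discards the customer tag,
    so the heartbeat leaves the switch untagged.
    """
    vlans, etype, payload = decode_tags(frame)
    in_transit = build_frame([svlan] + vlans, etype, payload)
    inner = decode_tags(in_transit)[0][1:]   # egress pops the service tag
    if strips_inner_tag:
        inner = inner[1:]                     # defective switch drops the next tag too
    return build_frame(inner, etype, payload)


if __name__ == "__main__":
    hb = build_frame([HB_DEFAULT_VLAN])
    print("default heartbeat accepted:", is_heartbeat(hb))
    print("after correct Q-in-Q transit:", is_heartbeat(qinq_transit(hb, 100)))
    print("after inner tag stripped:", is_heartbeat(qinq_transit(hb, 100, True)))
    print("M2 frame (4087) seen on the M1 segment (4086):",
          is_heartbeat(build_frame([4087]), hb_vlan=4086))
```

The split-VLAN configuration works without Q-in-Q because a single 802.1Q tag already distinguishes the M1 and M2 segments; the Q-in-Q model above is only needed when both segments keep the same inner VLAN ID, and that is exactly the case in which a switch that strips the inner tag delivers an untagged frame the receiver cannot classify.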

Note This configuration is not required for FortiGate-7030E HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-7000 to use different VLAN IDs for the M1 and M2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

Note This example sets the native VLAN ID of both switch ports to 777. You can use any VLAN ID as the native VLAN as long as it differs from the allowed (heartbeat) VLAN ID. Because 777 is not in the allowed list, untagged frames arriving on these ports are not forwarded, which is what you want on a link dedicated to tagged heartbeat traffic.
  1. On both FortiGate-7000s in the HA configuration, enter the following command to use different VLAN IDs for the M1 and M2 interfaces. The command sets the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087:

    config system ha
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set hbdev-vlan-id 4086
        set hbdev-second-vlan-id 4087
    end

  2. Use the get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     FG74E83E16000015(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
     FG74E83E16000016(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
    ...
  3. Configure the Cisco switch port that connects the M1 interfaces to allow packets with a VLAN ID of 4086:

    interface <name>
    switchport mode trunk
    switchport trunk native vlan 777
    switchport trunk allowed vlan 4086

  4. Configure the Cisco switch port that connects the M2 interfaces to allow packets with a VLAN ID of 4087:

    interface <name>
    switchport mode trunk
    switchport trunk native vlan 777
    switchport trunk allowed vlan 4087
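As an added verification step that is not part of the original procedure and not FortiOS code, the following Python script parses the HBDEV stats block printed by get system ha status in step 2 (the page's own output, embedded here as sample input so the script runs offline) and applies the checks the procedure implies: both cluster members report the same heartbeat devices, every link is up, dropped and error counters are zero, every M1 device carries the M1 VLAN ID and every M2 device the M2 VLAN ID, and the two IDs differ and are not the default 999. The second, failing sample is constructed for the example. Paste the real command output into it to re-run the check after the switch ports from steps 3 and 4 are configured.

```python
import re

DEFAULT_HB_VLAN = 999   # page default; not allowed once the M1 and M2 VLAN IDs are split

# The HBDEV stats section from step 2 above, embedded so the check runs offline.
SAMPLE_STATUS = """\
get system ha status
...
HBDEV stats:
 FG74E83E16000015(updated 1 seconds ago):
   1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
   2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
   1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
   2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
 FG74E83E16000016(updated 1 seconds ago):
   1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
   2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
   1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
   2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
...
"""

# Constructed failure case: one M2 link down, with drops and the M1 VLAN ID.
BAD_STATUS = SAMPLE_STATUS.replace(
    "2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, "
    "tx=196965080/761864/0/0, vlan-id=4087",
    "2-M2: physical/10000full, down, rx-bytes/packets/dropped/errors=596895685/2285587/17/0, "
    "tx=196965080/761864/0/0, vlan-id=4086",
)

MEMBER_RE = re.compile(r"^\s*(?P<serial>[A-Z0-9]+)\(updated \d+ seconds? ago\):\s*$")
HBDEV_RE = re.compile(
    r"^\s*(?P<dev>\d+-M[12]): [^,]+, (?P<state>\w+), "
    r"rx-bytes/packets/dropped/errors=(?P<rx>\d+/\d+/\d+/\d+), "
    r"tx=(?P<tx>\d+/\d+/\d+/\d+), vlan-id=(?P<vlan>\d+)\s*$"
)


def parse_hbdev_stats(text):
    """Return {member serial: {hbdev name: counters}} from the HBDEV stats section."""
    members, current, in_section = {}, None, False
    for line in text.splitlines():
        if line.strip() == "HBDEV stats:":
            in_section = True
            continue
        if not in_section or line.strip() in ("", "..."):
            continue
        m = MEMBER_RE.match(line)
        if m:
            current = m.group("serial")
            members[current] = {}
            continue
        m = HBDEV_RE.match(line)
        if m and current is not None:
            rx = [int(x) for x in m.group("rx").split("/")]
            tx = [int(x) for x in m.group("tx").split("/")]
            members[current][m.group("dev")] = {
                "up": m.group("state") == "up",
                "dropped": rx[2] + tx[2],
                "errors": rx[3] + tx[3],
                "vlan": int(m.group("vlan")),
            }
        else:
            break   # first line that is neither a member nor an hbdev line ends the section
    return members


def check_heartbeat(members, m1_vlan, m2_vlan):
    """Findings worth acting on; an empty list means the heartbeat devices look the
    way steps 1 and 2 expect (every link up, clean counters, M1 and M2 VLAN IDs
    split, neither left at the default 999, same device set on every member)."""
    findings = []
    if len(members) < 2:
        findings.append(f"only {len(members)} cluster member(s) report HBDEV stats")
    if m1_vlan == m2_vlan or DEFAULT_HB_VLAN in (m1_vlan, m2_vlan):
        findings.append("M1 and M2 must use different VLAN IDs and neither may be 999")
    reference = None
    for serial, devs in members.items():
        names = sorted(devs)
        if reference is None:
            reference = names
        elif names != reference:
            findings.append(f"{serial}: hbdev set {names} differs from {reference}")
        for dev, st in sorted(devs.items()):
            want = m1_vlan if dev.endswith("M1") else m2_vlan
            if not st["up"]:
                findings.append(f"{serial} {dev}: link is not up")
            if st["vlan"] != want:
                findings.append(f"{serial} {dev}: vlan-id {st['vlan']}, expected {want}")
            if st["dropped"] or st["errors"]:
                findings.append(f"{serial} {dev}: dropped={st['dropped']} errors={st['errors']}")
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_STATUS), ("constructed failure", BAD_STATUS)):
        print(label + ":", check_heartbeat(parse_hbdev_stats(text), 4086, 4087) or "OK")
```

The member serial and counter formats are taken from the page's sample output; if a different FortiOS build prints the HBDEV lines differently, adjust HBDEV_RE before trusting an empty finding list.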
