FortiGate-5140 base backplane communication
Network configurations
FortiGate-5000 Series Version 3.0 MR5 Backplane Communications Guide
01-30005-0423-20070829
Note: The FortiGate web-based manager and CLI list interfaces in sort order.
Because interface names, and therefore sort order, vary by FortiGate model, the
preferred slot number for single FortiSwitch modules varies by FortiGate model.
For example, a FortiGate-5001SX or FortiGate-5001FA2 module has interfaces
named port1 through port10; port9 and port10 are equally weighted heartbeat
interfaces, connected to the slot 1 FortiSwitch and the slot 2 FortiSwitch,
respectively. In the Heartbeat Interface list, port1 is first. However, port10 is not
last: due to hash map lookup, port10 is selected after port1 and before port2, not
after port9. Failover passes heartbeat communications from the FortiSwitch
module in slot 2 to slot 1.
There are additional considerations if you create additional heartbeat backup
interfaces connecting FortiGate module interfaces port2 through port8. In this
case, if the FortiSwitch module in slot 2 fails or is removed, the FortiGate cluster
could fail over to port2 through port8, and lastly fail over to the interface connected
to the FortiSwitch module in slot 1.
Because of this behavior, if you install a single FortiSwitch module in slot 1 with
those two models of FortiGate modules, and want to give heartbeat selection
precedence to the base backplane interface, you must set its heartbeat interface
priority to a greater value than the other interfaces. Otherwise, by default, when
priorities are equal, the heartbeat link through the base backplane interface will be
used only in failover, rather than primary, conditions. This is typically the inverse
of intended behavior.
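A small Python model of the selection behavior described above, added here as an illustration; it is not taken from the guide or from FortiOS. It assumes ties between equal priorities are broken by plain string sort order, and the priority values (50, 100) and link states are constructed.

```python
# Simplified model of the heartbeat selection described above; not FortiOS code.
# Assumption: ties between equal priorities are broken by plain string sort
# order, which yields port1, port10, port2, ... as the page describes.

def selection_order(hb_priorities):
    """Return heartbeat interfaces in the order they would be tried.

    hb_priorities maps interface name -> heartbeat priority (higher wins).
    """
    return sorted(hb_priorities, key=lambda name: (-hb_priorities[name], name))


def active_heartbeat(hb_priorities, link_up):
    """Return the first interface in selection order whose link is up, or None."""
    for name in selection_order(hb_priorities):
        if name in link_up:
            return name
    return None


# Constructed scenario: FortiGate-5001SX modules, one FortiSwitch in slot 1.
# port9 reaches the slot 1 switch; port10 has no link (slot 2 is empty);
# port2 is an extra heartbeat backup interface.
LINKS_UP = {"port2", "port9"}
EQUAL = {"port2": 50, "port9": 50, "port10": 50}     # constructed values
RAISED = {"port2": 50, "port9": 100, "port10": 50}   # port9 given precedence

if __name__ == "__main__":
    print("equal priorities, try order:", selection_order(EQUAL))
    print("equal priorities, active:   ", active_heartbeat(EQUAL, LINKS_UP))
    print("port9 raised, try order:    ", selection_order(RAISED))
    print("port9 raised, active:       ", active_heartbeat(RAISED, LINKS_UP))
    # Slot 1 FortiSwitch removed: port9 loses link, backup port2 takes over.
    print("port9 raised, slot 1 down:  ", active_heartbeat(RAISED, {"port2"}))
```

With equal priorities the base backplane interface port9 is tried last, so the backup interface port2 carries the heartbeat; raising the priority of port9 makes it the primary heartbeat link.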
In addition to HA traffic, FortiSwitch modules can pass other traffic types through
or to the base backplane.
Note: FortiSwitch-5003 modules do not support VLAN-tagged packets, so VLAN traffic
cannot occur through the FortiGate-5050 and FortiGate-5140 chassis base backplanes.
Like HA scenarios, network configurations can involve one or two FortiSwitch
modules per chassis, and one or more chassis.
However, unlike HA scenarios, modules connecting to transfer other traffic types
need not use identical interface numbers on each side of the connection, and
therefore they do not require FortiSwitch modules installed in the same slot
numbers. Because of this, by connecting one of the ZRE interfaces on each slot's
FortiSwitch module to another, you can send non-HA traffic between FortiGate
modules that use different base backplane interfaces.
For example, if an HA cluster of FortiGate-5005FA2 modules using base1 (slot 1)
for heartbeat traffic needs to send some traffic to a second HA cluster of modules
in the same chassis that use base2 (slot 2) for their heartbeat traffic, you can
connect the two clusters across the two base backplane channels by linking one
of the ZRE interfaces on the slot 1 FortiSwitch module to one of the ZRE
interfaces on the slot 2 FortiSwitch module.