Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Handbook

Creating a traffic group

A traffic group is a set of VRIDs. Each VRID keeps talking with its peers using 'hello' packets via its heartbeat interface so that each VRID can be aware of its peers (primary or secondary) operating state and perform a VRRP fail-over in case the primary node fails. The different VRIDs have no relationship with each other.

In Traffic group, both VRID1 and VRID2 use Device1 as the primary. When Port2 on Device1 fails, all traffic between the client and the server can't pass through the device

Traffic group

To solve this problem, you can create a traffic group and add both VRID1 and VRID2 as its members, and set the rule that the whole traffic group to fail over to the success device when either VRID fails. In this case, if Device1’s Port2 fails, the whole traffic group will fail over to Device2.

Using the VRID concept, FortiADC allows you to add objects with floating IP address, such as interface, virtual server, IP pool, and SNAT pool, etc. to a traffic-group. With this configuration, it will trigger the whole traffic group to switch over when a resource fails.

The traffic group is designed to work with the HA active-active-VRRP mode. Normally, the number of traffic groups should be the same as the number of devices in an HA active-active-VRRP mode. In each traffic group, you should configure a different HA node as the primary device. For example, you have HA node A and node B. It's suggested to configure two traffic groups, where traffic group A uses node A as the primary, and node B as the secondary, while traffic group B uses node B as the primary, and node A as the secondary. With this configuration, all the nodes are actively processing traffic, and whichever node fails, its traffic and all related resources such as the floating IP address and virtual server can be taken over by a new primary.

Using traffic group with the HA active-active-VRRP mode can also achieve active-passive HA deployment. FortiADC comes with a predefined traffic group named "default". You can configure the resources such as the floating IP address and virtual server for the default traffic group, then specify the primary node and secondary node in the traffic group, so that when the primary node fails, the resources can be taken over by the new primary.

Please note that traffic group should be associated with a network interface. The floating IP address of the interface can be failed over to the new primary, but the IP address of the interface does not transfer among the HA nodes in this group, because the interface IP address is not synchronized among HA nodes in active-active-VRRP mode and it always attaches to the physical device who owns the interface.

Create a traffic group via the command line interface

Use the following commands to create a new traffic group:

config system traffic-group

edit traffic-group-1

set preempt enable

set network-failover enable

set failover-order 1 3 5

next

end

Note: The failover sequence must be configured according to the order of node IDs. This means that if a node is dead, the next node in queue will take over handling the traffic. If you want to decide when a node should retake the traffic over from power-down to start-up, you MUST enable the Preempt option.

Create a traffic group from the Web GUI

Use the following steps to configure a traffic group from FortiADC's web interface:

  1. Click System > Traffic Group.
  2. Click Create New to open the Traffic Group dialog.
  3. Make the desired entries or selections as described in Traffic-group parameters.
  4. Click Save when done.

Traffic-group parameters

Parameter Description
Traffic Group Name Specify a unique name for the traffic group.
Preempt Disabled by default. If enabled, the node will retake control of traffic from power-down to start-up. For example, if node A was the primary and the traffic was taken over by node B during failover. Once node A comes back, it will again take over the primary role for this traffic group.
Remote IP Monitor Disabled by default. When enabled, the system will actively monitor the remote beacon IP addresses to determine the available network path.
Failover Order Follow the hint onscreen to set the failover sequence among the ports. The number should be the "Local Node ID" in HA configuration.

Creating a traffic group

A traffic group is a set of VRIDs. Each VRID keeps talking with its peers using 'hello' packets via its heartbeat interface so that each VRID can be aware of its peers (primary or secondary) operating state and perform a VRRP fail-over in case the primary node fails. The different VRIDs have no relationship with each other.

In Traffic group, both VRID1 and VRID2 use Device1 as the primary. When Port2 on Device1 fails, all traffic between the client and the server can't pass through the device

Traffic group

To solve this problem, you can create a traffic group and add both VRID1 and VRID2 as its members, and set the rule that the whole traffic group to fail over to the success device when either VRID fails. In this case, if Device1’s Port2 fails, the whole traffic group will fail over to Device2.

Using the VRID concept, FortiADC allows you to add objects with floating IP address, such as interface, virtual server, IP pool, and SNAT pool, etc. to a traffic-group. With this configuration, it will trigger the whole traffic group to switch over when a resource fails.

The traffic group is designed to work with the HA active-active-VRRP mode. Normally, the number of traffic groups should be the same as the number of devices in an HA active-active-VRRP mode. In each traffic group, you should configure a different HA node as the primary device. For example, you have HA node A and node B. It's suggested to configure two traffic groups, where traffic group A uses node A as the primary, and node B as the secondary, while traffic group B uses node B as the primary, and node A as the secondary. With this configuration, all the nodes are actively processing traffic, and whichever node fails, its traffic and all related resources such as the floating IP address and virtual server can be taken over by a new primary.

Using traffic group with the HA active-active-VRRP mode can also achieve active-passive HA deployment. FortiADC comes with a predefined traffic group named "default". You can configure the resources such as the floating IP address and virtual server for the default traffic group, then specify the primary node and secondary node in the traffic group, so that when the primary node fails, the resources can be taken over by the new primary.

Please note that traffic group should be associated with a network interface. The floating IP address of the interface can be failed over to the new primary, but the IP address of the interface does not transfer among the HA nodes in this group, because the interface IP address is not synchronized among HA nodes in active-active-VRRP mode and it always attaches to the physical device who owns the interface.

Create a traffic group via the command line interface

Use the following commands to create a new traffic group:

config system traffic-group

edit traffic-group-1

set preempt enable

set network-failover enable

set failover-order 1 3 5

next

end

Note: The failover sequence must be configured according to the order of node IDs. This means that if a node is dead, the next node in queue will take over handling the traffic. If you want to decide when a node should retake the traffic over from power-down to start-up, you MUST enable the Preempt option.

Create a traffic group from the Web GUI

Use the following steps to configure a traffic group from FortiADC's web interface:

  1. Click System > Traffic Group.
  2. Click Create New to open the Traffic Group dialog.
  3. Make the desired entries or selections as described in Traffic-group parameters.
  4. Click Save when done.

Traffic-group parameters

Parameter Description
Traffic Group Name Specify a unique name for the traffic group.
Preempt Disabled by default. If enabled, the node will retake control of traffic from power-down to start-up. For example, if node A was the primary and the traffic was taken over by node B during failover. Once node A comes back, it will again take over the primary role for this traffic group.
Remote IP Monitor Disabled by default. When enabled, the system will actively monitor the remote beacon IP addresses to determine the available network path.
Failover Order Follow the hint onscreen to set the failover sequence among the ports. The number should be the "Local Node ID" in HA configuration.