Redundant with FGT in IP Pass-through mode
This feature applies to FEX-201E, FEX-202E, FEX-211E, and FEX-212E only.
A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution to keep a network connected if its default router fails. With VRRP, if a router or FortiGate on your network fails, all traffic transparently fails over to another router or FortiGate. When the failed router or FortiGate is restored, it takes over processing traffic for the network again, provided it has the higher priority and preemption is enabled on it. For more information about VRRP version 2, see RFC 3768.
The most common application of VRRP is to provide redundant default routers between an internal network and the internet. The default routers can be FortiGates, or any other routers that support VRRP, such as FortiExtenders.
General configuration procedures
- Add a virtual VRRP router to the internal interface of each FortiGate and FortiExtender. This places the FortiGate and the FortiExtender in the same VRRP domain.
- Set the VRRP IP address of the domain to the default gateway IP address of the internal network.
- Give one VRRP domain member, normally the FortiGate, the highest priority so that it becomes the primary (master) router, and give the others, such as the FortiExtender, lower priorities so that they become backup routers.
In normal operation, all traffic from the internal network to the internet passes through the primary VRRP router, in this case the FortiGate. The primary router also sends VRRP advertisement messages to the backup router, the FortiExtender, which will not attempt to become primary as long as it keeps receiving them. If the primary router fails, the backup router with the highest priority becomes the new primary after a brief delay and then sends gratuitous ARP packets to the network so that the default gateway IP address maps to the MAC address of the new primary router (with vrrp-virtual-mac enabled, this is the virtual router MAC address 00-00-5E-00-01-{VRID} defined in RFC 3768, which stays the same across failovers). All packets sent to the default gateway now go to the new primary router, the FortiExtender. If the new primary router is a FortiGate, the network continues to benefit from FortiOS security features. If it is a regular router such as a FortiExtender, traffic continues to flow, but the FortiOS security features are not available until the FortiGate is back online.
During a VRRP failover with a FortiGate as the backup router, the new primary FortiGate has no session table entries for the in-progress sessions that failed over to it, so it would normally be unable to forward their traffic. To solve this, the FortiGate acting as the new primary router operates with asymmetric routing enabled immediately after the failover and for a short period (called the start time). This lets the FortiGate re-create the in-progress sessions and add them to its session table.
While asymmetric routing is enabled, the FortiGate cannot apply security functions to that traffic. When the start time ends, the FortiGate disables asymmetric routing and returns to normal operation, including applying security functions.
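The advertisement and takeover behaviour described above can be checked on the wire. The following is an added example, not FortiOS or FortiExtender code: it decodes a VRRPv2 advertisement (RFC 3768; IP protocol 112 to 224.0.0.18) taken from a capture on the LAN segment, verifies its checksum, reports the mismatches that would make a backup discard the master's advertisements, and applies the backup-state rules that decide whether the receiver stays backup or claims the virtual address. The helper names (build_advert, parse_advert, mismatches, backup_action) and the two sample packets (a priority-200 FortiGate advertising VRID 10 / 192.168.1.1 every second, and the same router releasing the address with priority 0) are constructed for this example.

```python
"""Decode VRRPv2 advertisements (RFC 3768) and apply the backup-router rules.

Added example, not FortiOS or FortiExtender code. Feed it the VRRP payload that
follows the IP header (protocol 112, destination 224.0.0.18) from a capture on
the LAN segment to confirm both devices agree on the virtual router.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1


@dataclass
class VrrpAdvert:
    vrid: int
    priority: int
    adver_int: int          # advertisement interval in seconds
    addresses: List[str]    # virtual IP addresses carried by the advertisement
    checksum_ok: bool


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid: int, priority: int, adver_int: int, addresses: List[str]) -> bytes:
    """Build a VRRPv2 advertisement with Auth Type 0 (used here to construct test input)."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(addresses), 0, adver_int, 0)
    body = head + b"".join(ipaddress.IPv4Address(a).packed for a in addresses) + bytes(8)
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def parse_advert(payload: bytes) -> VrrpAdvert:
    """Decode the VRRP payload that follows the IP header."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count, _auth_type, adver_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION:
        raise ValueError(f"not a VRRPv2 message (version {ver_type >> 4})")
    if ver_type & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError(f"unknown VRRP type {ver_type & 0x0F}")
    if vrid == 0:
        raise ValueError("VRID must be 1..255")
    length = 8 + 4 * count + 8          # header, IPv4 addresses, 8 bytes of authentication data
    if len(payload) < length:
        raise ValueError("payload shorter than its address count implies")
    addresses = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return VrrpAdvert(vrid, priority, adver_int, addresses, internet_checksum(payload[:length]) == 0)


def mismatches(adv: VrrpAdvert, local_vrid: int, local_vrip: str, local_adver_int: int) -> List[str]:
    """Reasons a backup would discard this advertisement (RFC 3768 section 7.1).

    A discarded advertisement is as bad as a lost one: the backup's master-down timer
    keeps running and it eventually claims the address while the master is still up.
    """
    problems = []
    if not adv.checksum_ok:
        problems.append("bad checksum")
    if adv.vrid != local_vrid:
        problems.append(f"VRID {adv.vrid} != local {local_vrid}")
    if adv.adver_int != local_adver_int:
        problems.append(f"adv-interval {adv.adver_int}s != local {local_adver_int}s")
    if local_vrip not in adv.addresses:
        problems.append(f"virtual IP {local_vrip} not advertised")
    return problems


def backup_action(adv: VrrpAdvert, local_priority: int, preempt: bool) -> str:
    """What a router in Backup state does with a valid advertisement (RFC 3768 section 6.4.2)."""
    if adv.priority == 0:
        return "become master after skew time"   # the master is releasing the address
    if not preempt or adv.priority >= local_priority:
        return "stay backup"                    # reset the master-down timer
    return "become master"                      # preempt a lower-priority master


# Constructed captures: a FortiGate (priority 200) advertising VRID 10 / 192.168.1.1 once per
# second, and the same router releasing the address on shutdown (priority 0).
FGT_ADVERT = bytes.fromhex("210ac8010001" "5549" "c0a80101" + "00" * 8)
FGT_RELEASE = bytes.fromhex("210a00010001" "1d4a" "c0a80101" + "00" * 8)

if __name__ == "__main__":
    adv = parse_advert(FGT_ADVERT)
    print(adv, mismatches(adv, 10, "192.168.1.1", 1))
    print("FortiExtender (priority 100, preempt disabled):", backup_action(adv, 100, False))
    print("after release:", backup_action(parse_advert(FGT_RELEASE), 100, False))
```

With preempt disabled, as recommended for the FortiExtender below, backup_action never returns "become master" for a live master, whatever the priorities; the FortiExtender only takes over when advertisements stop or arrive with priority 0. The mismatches check is the one to run when both devices end up answering for the virtual IP at once: a different VRID or advertisement interval on the two sides makes the backup discard every advertisement and claim the address anyway.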
To enable VRRP on the interface attached to the LAN port on FortiGate:
    config system interface
        edit <port num>
            set vdom "root"
            set ip <ip> <subnet mask>
            set allowaccess ping
            set type physical
            set vrrp-virtual-mac enable
            config vrrp
                edit <vrrp id>
                    set vrip <vrrp IP>
                    set priority <priority>
                next
            end
        next
    end
To enable VRRP on FortiExtender:
    config system management
        set discovery-type fortigate
        config fortigate-backup
            set vrrp-interface <vrrp interface, e.g. port1>
            set status enable
        end
    end

    config system interface wan vrrp
        set status enable
        set version 2                    (only version 2 is currently supported)
        set ip <IP of virtual router>
        set id <vrrp id>
        set priority <priority>          (lower than the FortiGate's priority)
        set adv-interval <advertisement interval in seconds>
        set start-time <initialization timer for backup router, typically 1>
        set preempt <enable | disable>   (typically disable, so the FortiExtender does not preempt the master)
    end
The vrrp id, virtual router IP address, and advertisement interval must match the values configured on the FortiGate.
The VRRP interfaces on the FortiGate and the FortiExtender must be individual ports with static IP addresses, and must not be members of a LAN switch. Devices that reach the internet through the FortiGate or FortiExtender must also have a static IP address configured.
To display the status of virtual router on FortiExtender:
get router info vrrp