Fortinet white logo
Fortinet white logo

Redundant with FGT in IP Pass-through mode

Redundant with FGT in IP Pass-through mode

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution to ensure network connectivity in the event of a failing FortiGate router. With VRRP enabled on FortiExtender, all traffic will transparently fail over to FortiExtender when the FortiGate on your network fails. When the failed FortiGate is restored, it will take over the processing of traffic for the network.

For more information about VRRP, see RFC 3768.

Use Case 1: FortiExtender in VRRP mode while being managed from FortiGate.

General configuration procedures
  1. The FortiExtender LAN interface consists of multiple ports by default. Be sure to separate out an individual port from the LAN-switch for VRRP purposes. (Refer to "Step 3: Verify the port settings on FortiExtender" in FEX-201E for FortiGate HA configuration .)
  2. Continue managing FortiExtender from FortiGate over the LAN interface. (NOT the VRRP interface.)
  3. Configure the VRRP gateway IP on the newly separated individual port on the FortiExtender and the corresponding VRRP port on the FortiGate.
  4. Set the VRRP priority of the FortiExtender VRRP interface to a value lower than the FortiGate VRRP interface's priority.
  5. Create a firewall policy on the FortiExtender to forward traffic from newly created VRRP interface to the LTE internet (Refer to Configure firewall policies.)
  6. Ensure the VRRP ports on the FortiExtender and the FortiGate are connected by verifying that the FortiExtender is in backup mode and the FortiGate is in master mode by running command "get router info vrrp".

In normal operations, all traffic to the internet passes through the primary VRRP interface of FortiGate. The primary VRRP router, which is the FortiGate, sends VRRP advertisement messages to the backup router, i.e., the FortiExtender. The backup FortiExtender will not attempt to become a primary router while receiving these messages. If the primary router fails, the backup FortiExtender becomes the new primary router after a brief delay, during which the new primary router, i.e., FortiExtender sends gratuitous ARP packets to the network to map the default route GW IP address of the network to the MAC address of the new primary router. All packets sent to the default router are now being sent to the new primary router, i.e., FortiExtender. Upon switchover, the network will not continue to benefit from FortiOS security features until the FortiGate is back online.

To enable VRRP on the interface attached to the LAN port on FortiGate:
config system interface
    edit <port num>
        set vdom "root"
        set ip <ip> <subnet mask>
        set allowaccess ping
        set vrrp-virtual-mac enable
        config vrrp
            edit <vrrp id>
                set vrip <vrrp IP>
                set priority <priority>
            next
        end
    next
end
To enable VRRP on FortiExtender:
config system management
    set discovery-type fortigate
    config fortigate-backup
        set vrrp-interface <vrrp interface i.e por1>
        set status enable
    end
end
config system interface wan vrrp
    set status enable
    set version 2 <only 2 is supported currently>
    set ip <IP of virtual router>
    set id <vrrp id>
    set priority <priority>
    set adv-interval <advertisement interval in seconds>
    set start-time <initialization timer for backup router, typically 1>
    set preempt <enable | disable> (preempting master typically disable)
end

The VRRP interfaces on FortiGate and FortiExtender must be individual ports, and must not be part of a LAN switch with static IP address configuration. Devices reliant on the Internet from FortiGate or FortiExtender must also have a static IP configured.

To display the status of virtual router on FortiExtender:

get router info vrrp

Enable DHCP server on FortiExtender and the VRRP master router

To ensure uninterrupted presence of a DHCP server when one of the VRRP-capable routers is down, you must ensure IP address availability all the time. Typically both the VRRP master and the backup routers are configured with DHCP servers with reserved IP addresses to their corresponding MAC addresses.

FortiExtender configured in VRRP backup mode will not launch the replicated copy of the DHCP server until and unless the VRRP master router goes down; FortiExtender will also terminate the DHCP server when the VRRP master router comes back up.This ability ensures that the hosts in the VRRP domain always gets the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts.

For information on DHCP server configuration, refer to Configure DHCP server.

Enable DHCP relay on both FortiExtender and the VRRP master router

You must guarantee IP address availability to ensure access to the DHCP server at any time. The hosts must be able to access a DHCP server locally or remotely on an uninterrupted basis. In the event that the DHCP server is not present locally, a DHCP relay agent service is needed to receive DHCP requests from DHCP hosts and forwards the requests to the remote DHCP server, receive responses from the server, and cater to the needs of DHCP clients. In this configuration, the FortiExtender which acts in VRRP backup mode will be running a DHCP relay agent on a VRRP interface; the VRRP master router is also running a DHCP relay agent on the respective VRRP interface. This ability ensures that the hosts in the VRRP domain always gets the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts because the requests are catered to by the same remote DHCP server.

For information on DHCP relay configuration, refer to Configure DHCP relayDHCP configurations

DHCP relay

FortiExtender now supports DHCP relay agent which enables it to fetch DHCP leases from a remote server. It has to be configured per interface. Example below:

config system dhcprelay

edit 1

set status enable

set client-interfaces <vrrp interface name on which relay agent services are offered>

set server-interface <interface name through which DHCP server can be reachable>

set server-ip <remote dhcp server IP>

end

Note

The DHCP relay and DHCP server services can be run on any VRRP interface, which could be either a separate port or a VLAN interface.

Redundant with FGT in IP Pass-through mode

Redundant with FGT in IP Pass-through mode

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution to ensure network connectivity in the event of a failing FortiGate router. With VRRP enabled on FortiExtender, all traffic will transparently fail over to FortiExtender when the FortiGate on your network fails. When the failed FortiGate is restored, it will take over the processing of traffic for the network.

For more information about VRRP, see RFC 3768.

Use Case 1: FortiExtender in VRRP mode while being managed from FortiGate.

General configuration procedures
  1. The FortiExtender LAN interface consists of multiple ports by default. Be sure to separate out an individual port from the LAN-switch for VRRP purposes. (Refer to "Step 3: Verify the port settings on FortiExtender" in FEX-201E for FortiGate HA configuration .)
  2. Continue managing FortiExtender from FortiGate over the LAN interface. (NOT the VRRP interface.)
  3. Configure the VRRP gateway IP on the newly separated individual port on the FortiExtender and the corresponding VRRP port on the FortiGate.
  4. Set the VRRP priority of the FortiExtender VRRP interface to a value lower than the FortiGate VRRP interface's priority.
  5. Create a firewall policy on the FortiExtender to forward traffic from newly created VRRP interface to the LTE internet (Refer to Configure firewall policies.)
  6. Ensure the VRRP ports on the FortiExtender and the FortiGate are connected by verifying that the FortiExtender is in backup mode and the FortiGate is in master mode by running command "get router info vrrp".

In normal operations, all traffic to the internet passes through the primary VRRP interface of FortiGate. The primary VRRP router, which is the FortiGate, sends VRRP advertisement messages to the backup router, i.e., the FortiExtender. The backup FortiExtender will not attempt to become a primary router while receiving these messages. If the primary router fails, the backup FortiExtender becomes the new primary router after a brief delay, during which the new primary router, i.e., FortiExtender sends gratuitous ARP packets to the network to map the default route GW IP address of the network to the MAC address of the new primary router. All packets sent to the default router are now being sent to the new primary router, i.e., FortiExtender. Upon switchover, the network will not continue to benefit from FortiOS security features until the FortiGate is back online.

To enable VRRP on the interface attached to the LAN port on FortiGate:
config system interface
    edit <port num>
        set vdom "root"
        set ip <ip> <subnet mask>
        set allowaccess ping
        set vrrp-virtual-mac enable
        config vrrp
            edit <vrrp id>
                set vrip <vrrp IP>
                set priority <priority>
            next
        end
    next
end
To enable VRRP on FortiExtender:
config system management
    set discovery-type fortigate
    config fortigate-backup
        set vrrp-interface <vrrp interface i.e por1>
        set status enable
    end
end
config system interface wan vrrp
    set status enable
    set version 2 <only 2 is supported currently>
    set ip <IP of virtual router>
    set id <vrrp id>
    set priority <priority>
    set adv-interval <advertisement interval in seconds>
    set start-time <initialization timer for backup router, typically 1>
    set preempt <enable | disable> (preempting master typically disable)
end

The VRRP interfaces on FortiGate and FortiExtender must be individual ports, and must not be part of a LAN switch with static IP address configuration. Devices reliant on the Internet from FortiGate or FortiExtender must also have a static IP configured.

To display the status of virtual router on FortiExtender:

get router info vrrp

Enable DHCP server on FortiExtender and the VRRP master router

To ensure uninterrupted presence of a DHCP server when one of the VRRP-capable routers is down, you must ensure IP address availability all the time. Typically both the VRRP master and the backup routers are configured with DHCP servers with reserved IP addresses to their corresponding MAC addresses.

FortiExtender configured in VRRP backup mode will not launch the replicated copy of the DHCP server until and unless the VRRP master router goes down; FortiExtender will also terminate the DHCP server when the VRRP master router comes back up.This ability ensures that the hosts in the VRRP domain always gets the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts.

For information on DHCP server configuration, refer to Configure DHCP server.

Enable DHCP relay on both FortiExtender and the VRRP master router

You must guarantee IP address availability to ensure access to the DHCP server at any time. The hosts must be able to access a DHCP server locally or remotely on an uninterrupted basis. In the event that the DHCP server is not present locally, a DHCP relay agent service is needed to receive DHCP requests from DHCP hosts and forwards the requests to the remote DHCP server, receive responses from the server, and cater to the needs of DHCP clients. In this configuration, the FortiExtender which acts in VRRP backup mode will be running a DHCP relay agent on a VRRP interface; the VRRP master router is also running a DHCP relay agent on the respective VRRP interface. This ability ensures that the hosts in the VRRP domain always gets the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts because the requests are catered to by the same remote DHCP server.

For information on DHCP relay configuration, refer to Configure DHCP relayDHCP configurations

DHCP relay

FortiExtender now supports DHCP relay agent which enables it to fetch DHCP leases from a remote server. It has to be configured per interface. Example below:

config system dhcprelay

edit 1

set status enable

set client-interfaces <vrrp interface name on which relay agent services are offered>

set server-interface <interface name through which DHCP server can be reachable>

set server-ip <remote dhcp server IP>

end

Note

The DHCP relay and DHCP server services can be run on any VRRP interface, which could be either a separate port or a VLAN interface.