Redundant with FGT in IP Pass-through mode
A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution to ensure network connectivity in the event of a failing FortiGate router. With VRRP enabled on FortiExtender, all traffic will transparently fail over to FortiExtender when the FortiGate on your network fails. When the failed FortiGate is restored, it will take over the processing of traffic for the network.
For more information about VRRP, see RFC 3768.
Use Case 1: FortiExtender in VRRP mode while being managed from FortiGate.
General configuration procedures
- The FortiExtender LAN interface consists of multiple ports by default. Be sure to separate out an individual port from the LAN switch for VRRP purposes. (Refer to "Step 3: Verify the port settings on FortiExtender" in FortiExtender for FortiGate HA configuration.)
- Continue managing FortiExtender from FortiGate over the LAN interface (NOT the VRRP interface).
- Configure the VRRP gateway IP on the newly separated individual port on the FortiExtender and the corresponding VRRP port on the FortiGate.
- Set the VRRP priority of the FortiExtender VRRP interface to a value lower than that of the FortiGate VRRP interface.
- Create a firewall policy on the FortiExtender to forward traffic from the newly created VRRP interface to the LTE internet. See Configure firewall policies
- Ensure the VRRP ports on the FortiExtender and the FortiGate are connected by verifying that the FortiExtender is in backup mode and the FortiGate is in primary mode; run the command 'get router info vrrp' on each device.
In normal operations, all traffic to the internet passes through the primary VRRP interface of the FortiGate. The primary VRRP router, which is the FortiGate, sends VRRP advertisement messages to the backup router, i.e., the FortiExtender. The backup FortiExtender will not attempt to become the primary router while it is receiving these messages. If the primary router fails, the backup FortiExtender becomes the new primary router after a brief delay, during which the new primary router, i.e., the FortiExtender, sends gratuitous ARP packets to the network to map the default gateway IP address of the network to the MAC address of the new primary router. All packets sent to the default gateway now go to the new primary router, i.e., the FortiExtender. After the switchover, the network does not benefit from FortiOS security features until the FortiGate is back online.
To enable VRRP on the interface attached to the LAN port on the FortiGate:
config system interface
    edit <port num>
        set vdom "root"
        set ip <ip> <subnet mask>
        set allowaccess ping
        set vrrp-virtual-mac enable
        config vrrp
            edit <vrrp id>
                set vrip <vrrp IP>
                set priority <priority>
            next
        end
    next
end
To enable VRRP on the FortiExtender:
config system management
    set discovery-type fortigate
    config fortigate-backup
        set vrrp-interface <vrrp interface, e.g., port1>
        set status enable
    end
end
config system interface wan vrrp
    set status enable
    set version 2 <only version 2 is currently supported>
    set ip <IP of virtual router>
    set id <vrrp id>
    set priority <priority>
    set adv-interval <advertisement interval in seconds>
    set start-time <initialization timer for backup router, typically 1>
    set preempt <enable | disable> (preempting the primary is typically disabled)
end
The VRRP interfaces on the FortiGate and the FortiExtender must be individual ports, and must not be part of a LAN switch with static IP address configurations. Devices reliant on the internet from the FortiGate or the FortiExtender must also have a static IP configured.
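The pairing rules spelled out above (same VRID and virtual IP on both sides, a lower priority on the FortiExtender, VRRP version 2, preempt disabled, fortigate-backup enabled) can be checked before the devices are cabled. The following Python script is an added example, not Fortinet code: it parses CLI snippets shaped like the two templates above and reports any rule that is violated. The port names, VRID, addresses and priorities in the embedded samples are constructed values, and the FortiExtender line `config system interface wan vrrp` is kept exactly as the template writes it.

```python
# Added example (not Fortinet code): consistency check for a FortiGate/FortiExtender VRRP pair.
def parse_cli(text):
    """Nest FortiOS-style config/edit blocks into dicts; 'set k v...' stores v as a string."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):      # open a nested block
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] in ("next", "end"):       # close the current block
            cur = stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
    return root

def check_pairing(fgt_text, fex_text, fgt_port, vrid):
    """Return the list of violated pairing rules; an empty list means the pair is consistent."""
    fgt = parse_cli(fgt_text)["system interface"][fgt_port]["vrrp"][str(vrid)]
    fex_cfg = parse_cli(fex_text)
    fex = next(v for k, v in fex_cfg.items() if k.endswith(" vrrp"))  # 'system interface <if> vrrp'
    backup = fex_cfg["system management"]["fortigate-backup"]
    rules = [
        (fex.get("id") == str(vrid), "VRID differs between FortiGate and FortiExtender"),
        (fex.get("ip") == fgt.get("vrip"), "virtual router IP differs"),
        (int(fex.get("priority", 0)) < int(fgt.get("priority", 0)),
         "FortiExtender priority must be lower than the FortiGate's"),
        (fex.get("version") == "2", "FortiExtender supports only VRRP version 2"),
        (fex.get("preempt") == "disable", "preempt should be disabled on the backup FortiExtender"),
        (backup.get("status") == "enable", "fortigate-backup is not enabled on the FortiExtender"),
    ]
    return [msg for ok, msg in rules if not ok]

# Constructed sample snippets shaped like the templates above (port names, VRID 10,
# 192.168.10.0/24 addresses and priorities 200/100 are assumed values).
FGT_CFG = ("config system interface\n edit port3\n  set ip 192.168.10.2 255.255.255.0\n"
           "  set vrrp-virtual-mac enable\n  config vrrp\n   edit 10\n    set vrip 192.168.10.1\n"
           "    set priority 200\n   next\n  end\n next\nend")
FEX_CFG = ("config system management\n set discovery-type fortigate\n config fortigate-backup\n"
           "  set vrrp-interface port1\n  set status enable\n end\nend\n"
           "config system interface wan vrrp\n set status enable\n set version 2\n"
           " set ip 192.168.10.1\n set id 10\n set priority 100\n set adv-interval 1\n"
           " set start-time 1\n set preempt disable\nend")

if __name__ == "__main__":
    print(check_pairing(FGT_CFG, FEX_CFG, "port3", 10) or "pairing is consistent")
```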
To display the status of virtual router on FortiExtender:
get router info vrrp
Enable DHCP server on FortiExtender and the VRRP primary router
To ensure uninterrupted presence of a DHCP server when one of the VRRP-capable routers is down, you must ensure IP address availability all the time. Typically, both the VRRP primary and the backup routers are configured with DHCP servers with reserved IP addresses to their corresponding MAC addresses.
The FortiExtender configured in VRRP backup mode will not launch its replicated copy of the DHCP server unless and until the VRRP primary router goes down; the FortiExtender will also terminate the DHCP server when the VRRP primary router comes back up. This ensures that the hosts in the VRRP domain always get the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflict.
For information on DHCP server configuration, see Configure DHCP server.
Enable DHCP relay on both FortiExtender and the VRRP primary router
You must guarantee IP address availability to ensure access to the DHCP server at any time. The hosts must be able to reach a DHCP server, locally or remotely, on an uninterrupted basis. If the DHCP server is not present locally, a DHCP relay agent service is needed to receive DHCP requests from DHCP hosts, forward the requests to the remote DHCP server, receive the responses from the server, and deliver them to the DHCP clients. In this configuration, the FortiExtender, acting in VRRP backup mode, runs a DHCP relay agent on a VRRP interface; the VRRP primary router also runs a DHCP relay agent on its respective VRRP interface. This ensures that the hosts in the VRRP domain always get the same IP address, irrespective of which VRRP router is in operation, without causing any IP address conflict, because the requests are served by the same remote DHCP server.
For information on DHCP relay configuration, see Configure DHCP relay.
DHCP configurations
DHCP relay
FortiExtender supports a DHCP relay agent, which enables it to fetch DHCP leases from a remote server. It has to be configured per interface. See the following example:
config system dhcprelay
    edit 1
        set status enable
        set client-interfaces <vrrp interface name on which relay agent services are offered>
        set server-interface <interface name through which the DHCP server is reachable>
        set server-ip <remote DHCP server IP>
end
The DHCP relay and DHCP server services can be run on any VRRP interface, which could be either a separate port or a VLAN interface.