Fortinet white logo
Fortinet white logo

Handbook

6.0.0

VRRP virtual MACs

VRRP virtual MACs

The VRRP virtual MAC address (or virtual router MAC address) is a shared MAC address adopted by the primary router. If the primary router fails, the same virtual MAC address is picked up by the new primary router, allowing all devices on the network to transparently connect to the default route using the same virtual MAC address. You must enable the VRRP virtual MAC address feature on all members of a VRRP domain.

Each VRRP router is associated with its own virtual MAC address. The last part of the virtual MAC depends on the VRRP router ID using the following format:

00-00-5E-00-01-<VRID_hex>

Where <VRID_hex> is the VRRP router ID in hexadecimal format in internet standard bit-order. For more information about the format of the virtual MAC see RFC 3768.

Some examples:

  • If the VRRP router ID is 10 the virtual MAC would be 00-00-5E-00-01-0a.
  • If the VRRP router ID is 200 the virtual MAC would be 00-00-5E-00-01-c8.

The VRRP virtual MAC address feature is disabled by default. When you enable the feature on a FortiGate interface, all of the VRRP routers added to that interface use their own VRRP virtual MAC address. Each virtual MAC address will be different because each router has its own ID.

Use the following command to enable the VRRP virtual MAC address for an IPv4 VRRP configuration on the port2 interface:

config system interface

edit port2

set vrrp-virtual-mac enable

end

The port2 interface will now accept packets sent to the MAC addresses of the IPv4 VRRP virtual routers added to this interface.

Use the following command to enable the VRRP virtual MAC address for an IPv6 VRRP configuration on the port22 interface:

config system interface

edit port22

config ipv6

set vrrp-virtual-mac6 enable

end

The port22 interface now accepts packets sent to the MAC addresses of the IPv6 VRRP virtual routers added to this interface.

Since devices on the LAN do not have to learn a new MAC address for a new VRRP router in the event of a failover, this feature can improve network efficiency, especially on large and complex networks.

If the VRRP virtual MAC address feature is disabled, the VRRP domain uses the MAC address of the primary. In the case of a FortiGate VRRP virtual router this is the MAC address of the FortiGate interface that the VRRP router is added to. If a primary fails, when the new primary takes over it sends gratuitous ARPs to associate the VRRP router IP address with the MAC address of the new primary (or the interface of the FortiGate that has become the new primary). If the VRRP virtual MAC address is enabled, the new primary uses the same MAC address as the old primary.

VRRP virtual MACs

VRRP virtual MACs

The VRRP virtual MAC address (or virtual router MAC address) is a shared MAC address adopted by the primary router. If the primary router fails, the same virtual MAC address is picked up by the new primary router, allowing all devices on the network to transparently connect to the default route using the same virtual MAC address. You must enable the VRRP virtual MAC address feature on all members of a VRRP domain.

Each VRRP router is associated with its own virtual MAC address. The last part of the virtual MAC depends on the VRRP router ID using the following format:

00-00-5E-00-01-<VRID_hex>

Where <VRID_hex> is the VRRP router ID in hexadecimal format in internet standard bit-order. For more information about the format of the virtual MAC see RFC 3768.

Some examples:

  • If the VRRP router ID is 10 the virtual MAC would be 00-00-5E-00-01-0a.
  • If the VRRP router ID is 200 the virtual MAC would be 00-00-5E-00-01-c8.

The VRRP virtual MAC address feature is disabled by default. When you enable the feature on a FortiGate interface, all of the VRRP routers added to that interface use their own VRRP virtual MAC address. Each virtual MAC address will be different because each router has its own ID.

Use the following command to enable the VRRP virtual MAC address for an IPv4 VRRP configuration on the port2 interface:

config system interface

edit port2

set vrrp-virtual-mac enable

end

The port2 interface will now accept packets sent to the MAC addresses of the IPv4 VRRP virtual routers added to this interface.

Use the following command to enable the VRRP virtual MAC address for an IPv6 VRRP configuration on the port22 interface:

config system interface

edit port22

config ipv6

set vrrp-virtual-mac6 enable

end

The port22 interface now accepts packets sent to the MAC addresses of the IPv6 VRRP virtual routers added to this interface.

Since devices on the LAN do not have to learn a new MAC address for a new VRRP router in the event of a failover, this feature can improve network efficiency, especially on large and complex networks.

If the VRRP virtual MAC address feature is disabled, the VRRP domain uses the MAC address of the primary. In the case of a FortiGate VRRP virtual router this is the MAC address of the FortiGate interface that the VRRP router is added to. If a primary fails, when the new primary takes over it sends gratuitous ARPs to associate the VRRP router IP address with the MAC address of the new primary (or the interface of the FortiGate that has become the new primary). If the VRRP virtual MAC address is enabled, the new primary uses the same MAC address as the old primary.