Handbook

VRRP

6.0.0
Doc ID 4afb0436-a998-11e9-81a4-00505692583a:326332

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high availability solution to make sure that a network maintains connectivity with the internet (or with other networks) even if the default router for the network fails. Using VRRP, if a router or a FortiGate fails, all traffic to this router transparently fails over to another router or FortiGate that takes over the role of the router or FortiGate that failed. If the failed router or FortiGate is restored, it will once again take over processing traffic for the network. VRRP is described by RFC 3768.

FortiOS supports VRRP versions 2 and 3 and you can set up VRRP domains that include multiple FortiGates and other VRRP-compatible routers. You can add different FortiGate models to the same VRRP domain. FortiOS supports IPv4 and IPv6 VRRP and you can add IPv4 and IPv6 VRRP virtual routers to the same interface. FortiGates can also be quickly and easily integrated into a network that has already deployed a group of routers using VRRP.

Example VRRP configuration

The most common application of VRRP is to provide redundant default routers between an internal network and the internet. The default routers can be FortiGates, any routers that support VRRP, or a mix of both.

To set up VRRP:

  1. Add a virtual VRRP router to the internal interface of each of the FortiGates and routers. This adds the FortiGates and routers to the same VRRP domain.
  2. Set the VRRP IP address of the domain to the internal network default gateway IP address.
  3. Give one of the VRRP domain members the highest priority so it becomes the primary router and give the others lower priorities so they become backup routers.

During normal operations, all traffic from the internal network to the internet passes through the primary VRRP router. The primary router also sends VRRP advertisement messages to the backup routers. A backup router will not attempt to become a primary router while receiving these messages. If the primary router fails, the backup router with the highest priority becomes the new primary router after a short delay. During this delay, the new primary router sends gratuitous ARP packets to the network to map the network's default route IP address to the new primary router's MAC address. All packets sent to the default route are now sent to the new primary router. If the new primary router is a FortiGate, the network continues to benefit from FortiOS security features. If the new primary router is just a router, traffic continues to flow, but FortiOS security features are unavailable until the FortiGate is back online.

If the backup router is a FortiGate, then during a VRRP failover the FortiGate that begins operating as the new primary router will not have session information for the failed-over in-progress sessions, so it would normally not be able to forward their traffic. To resolve this problem, immediately after a failover and for a short time (called the start time), the FortiGate acting as the new primary router operates with asymmetric routing enabled. This allows it to re-create all of the in-progress sessions and add them to its session table.

While operating with asymmetric routing enabled, the FortiGate cannot apply security functions. When the start time ends, the FortiGate disables asymmetric routing and returns to normal operation (including applying security functions).
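A worked CLI configuration for the three-step setup above, including the start time described in the failover discussion, as an added example that is not taken from the FortiOS Handbook itself. It assumes the internal interface is named internal, that the internal network's default gateway (the shared VRRP IP) is 192.168.1.1, that FortiGate A is the intended primary and FortiGate B the backup, and that virtual router ID 1 is not already in use on that segment; a third-party router joining the domain would be given the same virtual router ID and virtual IP.

```fortios
# FortiGate A: intended primary (highest priority in the domain)
config system interface
    edit "internal"
        # Optional: answer for the gateway IP with the standard VRRP
        # virtual MAC rather than this unit's physical MAC.
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                # Step 2: the domain's VRRP IP is the network's default gateway
                set vrip 192.168.1.1
                # Step 3: highest priority wins the primary role (1-255)
                set priority 200
                # Seconds between advertisements; backups stay backups
                # as long as they keep receiving these
                set adv-interval 1
                # Let this unit reclaim the primary role once it is restored
                set preempt enable
                # Seconds the new primary runs with asymmetric routing to
                # rebuild in-progress sessions. Security functions are not
                # applied during this window, so keep it as short as the
                # network's session volume allows.
                set start-time 3
            next
        end
    next
end

# FortiGate B: backup (same virtual router ID and VRRP IP, lower priority)
config system interface
    edit "internal"
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 192.168.1.1
                set priority 100
                set adv-interval 1
                set preempt enable
                set start-time 3
            next
        end
    next
end
```

After both units are configured, get router info vrrp on each FortiGate reports the state of its virtual routers, which confirms that only FortiGate A holds the primary role while FortiGate B receives its advertisements.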