Handbook

Multi-domain VRRP example

6.0.0

In this configuration two VRRP domains are involved. Each FortiGate participates in both of them. One FortiGate is the primary router of one domain and the other FortiGate is the primary router of the other domain. The network distributes traffic between two different default routes (10.31.101.120 and 10.31.101.130). One VRRP domain is configured with one of the default route IP addresses and the other VRRP domain gets the other default route IP address. During normal operation, both FortiGates are processing traffic and the VRRP domains are used to load balance the traffic between the two FortiGates.

If one of the FortiGates fails, the remaining FortiGate becomes the primary router of both VRRP domains. The network sends all traffic for both default routes to this FortiGate. The result is a configuration that load balances traffic between two FortiGates during normal operation, but if one of the FortiGates fails, all traffic fails over to the FortiGate that is still operating.

This example also includes enabling the VRRP virtual MAC address on both FortiGate port2 interfaces so that the VRRP domains use their VRRP virtual MAC addresses.

Example VRRP configuration with two FortiGates and two VRRP domains

To configure the FortiGates
  1. Log in to the CLI of FortiGate A.
  2. Enter the following to enable the VRRP virtual MAC address feature and add the VRRP domains (VRIDs 50 and 100, hexadecimal 32 and 64) to the port2 interface of FortiGate A:

    config system interface
        edit port2
            set vrrp-virtual-mac enable
            config vrrp
                edit 50
                    set vrip 10.31.101.120
                    set priority 255
                next
                edit 100
                    set vrip 10.31.101.130
                    set priority 50
            end
    end

  3. Log in to the CLI of FortiGate B.
  4. Enter the following command to enable the VRRP virtual MAC address feature and add the VRRP domains to the port2 interface of FortiGate B:

    config system interface
        edit port2
            set vrrp-virtual-mac enable
            config vrrp
                edit 50
                    set vrip 10.31.101.120
                    set priority 50
                next
                edit 100
                    set vrip 10.31.101.130
                    set priority 255
            end
    end
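
The following Python check is an added example, not part of the Fortinet handbook. It parses the port2 settings from steps 2 and 4, confirms that each VRRP domain has the same vrip on both units and that each unit is primary for one domain, and derives the virtual MAC each domain should use, which can serve as an allowlist when monitoring ARP on the segment. The names `parse_vrrp`, `check_pair`, `FGT_A` and `FGT_B` are hypothetical, and the fallback priority of 100 for an unset priority is an assumption.

```python
TEMPLATE = """config system interface
edit port2
set vrrp-virtual-mac enable
config vrrp
edit 50
set vrip 10.31.101.120
set priority {p50}
next
edit 100
set vrip 10.31.101.130
set priority {p100}
end
end
"""
FGT_A = TEMPLATE.format(p50=255, p100=50)   # constructed from step 2
FGT_B = TEMPLATE.format(p50=50, p100=255)   # constructed from step 4

def parse_vrrp(cfg):  # -> {vrid: {setting: value}} for entries inside 'config vrrp'
    groups, vrid, in_vrrp = {}, None, False
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] == ["config", "vrrp"]:
            in_vrrp = True
        elif in_vrrp and tok[:1] == ["edit"]:
            vrid = int(tok[1])
        elif in_vrrp and tok[:1] == ["set"] and vrid is not None:
            groups.setdefault(vrid, {})[tok[1]] = tok[2]
        elif in_vrrp and tok[:1] == ["end"]:
            in_vrrp = False  # 'end' closes the vrrp table; later lines are ignored
    return groups

def check_pair(cfg_a, cfg_b):  # -> ({vrid: (primary, vrip, vmac)}, [problems])
    a, b = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    primaries, problems = {}, []
    if not all("set vrrp-virtual-mac enable" in c for c in (cfg_a, cfg_b)):
        problems.append("vrrp-virtual-mac is not enabled on both units")
    for vrid in sorted(set(a) | set(b)):
        ga, gb = a.get(vrid, {}), b.get(vrid, {})
        pa, pb = (int(g.get("priority", 100)) for g in (ga, gb))  # assumed default: 100
        if ga.get("vrip") is None or ga.get("vrip") != gb.get("vrip"):
            problems.append(f"VRID {vrid}: missing on one unit or vrip differs")
        elif pa == pb:
            problems.append(f"VRID {vrid}: equal priority, primary is ambiguous")
        else:
            vmac = "00:00:5e:00:01:%02x" % vrid  # RFC 3768: 00-00-5E-00-01-{VRID hex}
            primaries[vrid] = ("A" if pa > pb else "B", ga["vrip"], vmac)
    if len({p[0] for p in primaries.values()}) < 2:
        problems.append("one unit is primary for every domain: no load sharing")
    return primaries, problems
```

Calling `check_pair(FGT_A, FGT_B)` on the configuration above returns no problems, with FortiGate A as primary for VRID 50 and FortiGate B as primary for VRID 100.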
