Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

VRRP

NOTE: You must have an advanced features license to use VRRP.

The Virtual Router Redundancy Protocol (VRRP) uses virtual routers to control which physical routers are assigned to an access network. A VRRP group consists of a master router and one or more backup routers that share a virtual IP address. If the master router fails, the VRRP automatically assigns one of the backup routers without affecting network traffic. When the failed router is functioning again, it becomes the master router again. VRRP provides this redundancy without user intervention or additional configuration to any of the devices on the network.

To create a VRRP group, you need to create a VRRP virtual MAC address, which is a shared MAC address adopted by the VRRP master. The VRRP virtual MAC address feature is disabled by default. You must enable the VRRP virtual MAC address feature on all members of a VRRP group.

The VRRP master router sends VRRP advertisement messages to the backup routers. When the VRRP master router fails to send advertisement messages, the backup router with the highest priority takes over as the master router.

Configuring VRRP

Using the GUI:
  1. Go to System > Network > Interface > Physical.
  2. Select Edit for the appropriate interface.
  3. Select Add VRRP to add a virtual router.
    • Enter the unique virtual router identifier (VRID).
    • Enter the VRRP group number.
    • Enter the priority. If the highest priority value of 255 is entered, the virtual router becomes the master router.
    • Select Preempt if you want the router to preempt the master virtual router if the priority changes.
    • Enter the source virtual IP address that will be shared across the VRRP group.
    • Enter one or two IP addresses that the master router must track. The maximum number of IP addresses is two. If these IP addresses cannot be reached by the master router, the priority of the master router changes to 0.
    • Select Add VRRP to add each additional virtual router.
  4. After filling in the fields for the virtual routers, select Update.
Using the CLI:

config system interface

edit <VLAN name>

set ip <IP address> <netmask>

set allowaccess <access_types>

set vrrp-virtual-mac enable

config vrrp

edit <VRRP router identifier>

set adv-interval <seconds>

set preempt {enable | disable}

set priority <priority_number>

set start-time <seconds>

set status {enable | disable}

set version {2 | 3}

set vrdst <IPv4_address>

set vrgrp <VRRP_group_number>

set vrip <IPv4_address>

next

end

set snmp-index <index number>

set vlanid <VLAN identifier>

set interface "internal"

next

end

 

NOTE: You can also configure VRRP using IPv6 with the config ipv6 and config vrrp6 commands under the config system interface command.

Example of configuring VRRP using IPv4

In this example, the two FortiSwitch units, FSW-1 and FSW-2, function as both master and backup routers. For VRRP 10, FSW-1 is the master router, and FSW-2 is the backup router. For VRRP, FSW-1 is that standby router, and FSW-2 is the master router. This configuration allows the switches to balance the load and provide redundancy to each other. The downstream clients can split their gateways into two virtual routers, 10.10.10.255 and 10.10.20.255.

For the FSW-1 switch, VRID 10 has the highest priority of 255, so it is the master router; VRID 20 is the backup router.

config system interface

edit "vlan-8"

set ip 10.10.1.1 255.255.0.0

set allowaccess ping https http ssh telnet snmp

set vrrp-virtual-mac enable

config vrrp

edit 10

set priority 255

set vrip 10.10.10.255

next

edit 20

set vrip 10.10.20.255

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end

For the FSW-2 switch, VRID 10 is the backup router; VRID 20 has the highest priority of 255, so it is the master router.

config system interface

edit "vlan-8"

set ip 10.10.1.2 255.255.0.0

set allowaccess ping https http ssh telnet snmp

set vrrp-virtual-mac enable

config vrrp

edit 10

set vrip 10.10.10.255

next

edit 20

set priority 255

set vrip 10.10.20.255

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end

Checking the VRRP configuration

Using the GUI:

Go to Router > Config > Interface to see which interfaces have VRRP configured.

Go to Router > Monitor > VRRP to see the interface, source virtual IP address that is shared across the VRRP group, MAC address for the interface, and virtual router identifier for each VRRP configuration, as shown in the following figure.

Using the CLI:

get router info vrrp

VRRP

NOTE: You must have an advanced features license to use VRRP.

The Virtual Router Redundancy Protocol (VRRP) uses virtual routers to control which physical routers are assigned to an access network. A VRRP group consists of a master router and one or more backup routers that share a virtual IP address. If the master router fails, the VRRP automatically assigns one of the backup routers without affecting network traffic. When the failed router is functioning again, it becomes the master router again. VRRP provides this redundancy without user intervention or additional configuration to any of the devices on the network.

To create a VRRP group, you need to create a VRRP virtual MAC address, which is a shared MAC address adopted by the VRRP master. The VRRP virtual MAC address feature is disabled by default. You must enable the VRRP virtual MAC address feature on all members of a VRRP group.

The VRRP master router sends VRRP advertisement messages to the backup routers. When the VRRP master router fails to send advertisement messages, the backup router with the highest priority takes over as the master router.

Configuring VRRP

Using the GUI:
  1. Go to System > Network > Interface > Physical.
  2. Select Edit for the appropriate interface.
  3. Select Add VRRP to add a virtual router.
    • Enter the unique virtual router identifier (VRID).
    • Enter the VRRP group number.
    • Enter the priority. If the highest priority value of 255 is entered, the virtual router becomes the master router.
    • Select Preempt if you want the router to preempt the master virtual router if the priority changes.
    • Enter the source virtual IP address that will be shared across the VRRP group.
    • Enter one or two IP addresses that the master router must track. The maximum number of IP addresses is two. If these IP addresses cannot be reached by the master router, the priority of the master router changes to 0.
    • Select Add VRRP to add each additional virtual router.
  4. After filling in the fields for the virtual routers, select Update.
Using the CLI:

config system interface

edit <VLAN name>

set ip <IP address> <netmask>

set allowaccess <access_types>

set vrrp-virtual-mac enable

config vrrp

edit <VRRP router identifier>

set adv-interval <seconds>

set preempt {enable | disable}

set priority <priority_number>

set start-time <seconds>

set status {enable | disable}

set version {2 | 3}

set vrdst <IPv4_address>

set vrgrp <VRRP_group_number>

set vrip <IPv4_address>

next

end

set snmp-index <index number>

set vlanid <VLAN identifier>

set interface "internal"

next

end

 

NOTE: You can also configure VRRP using IPv6 with the config ipv6 and config vrrp6 commands under the config system interface command.

Example of configuring VRRP using IPv4

In this example, the two FortiSwitch units, FSW-1 and FSW-2, function as both master and backup routers. For VRRP 10, FSW-1 is the master router, and FSW-2 is the backup router. For VRRP, FSW-1 is that standby router, and FSW-2 is the master router. This configuration allows the switches to balance the load and provide redundancy to each other. The downstream clients can split their gateways into two virtual routers, 10.10.10.255 and 10.10.20.255.

For the FSW-1 switch, VRID 10 has the highest priority of 255, so it is the master router; VRID 20 is the backup router.

config system interface

edit "vlan-8"

set ip 10.10.1.1 255.255.0.0

set allowaccess ping https http ssh telnet snmp

set vrrp-virtual-mac enable

config vrrp

edit 10

set priority 255

set vrip 10.10.10.255

next

edit 20

set vrip 10.10.20.255

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end

For the FSW-2 switch, VRID 10 is the backup router; VRID 20 has the highest priority of 255, so it is the master router.

config system interface

edit "vlan-8"

set ip 10.10.1.2 255.255.0.0

set allowaccess ping https http ssh telnet snmp

set vrrp-virtual-mac enable

config vrrp

edit 10

set vrip 10.10.10.255

next

edit 20

set priority 255

set vrip 10.10.20.255

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end

Checking the VRRP configuration

Using the GUI:

Go to Router > Config > Interface to see which interfaces have VRRP configured.

Go to Router > Monitor > VRRP to see the interface, source virtual IP address that is shared across the VRRP group, MAC address for the interface, and virtual router identifier for each VRRP configuration, as shown in the following figure.

Using the CLI:

get router info vrrp