VRRP
NOTE: You must have an advanced features license to use VRRP.
The Virtual Router Redundancy Protocol (VRRP) uses virtual routers to control which physical routers are assigned to an access network. A VRRP group consists of a master router and one or more backup routers that share a virtual IP address. If the master router fails, VRRP automatically assigns one of the backup routers as the new master without affecting network traffic. When the failed router is functioning again, it becomes the master router again. VRRP provides this redundancy without user intervention or additional configuration to any of the devices on the network.
To create a VRRP group, you need to create a VRRP virtual MAC address, which is a shared MAC address adopted by the VRRP master. The VRRP virtual MAC address feature is disabled by default. You must enable the VRRP virtual MAC address feature on all members of a VRRP group.
The VRRP master router sends VRRP advertisement messages to the backup routers. When the VRRP master router fails to send advertisement messages, the backup router with the highest priority takes over as the master router.
Configuring VRRP
Using the GUI:
- Go to System > Network > Interface > Physical.
- Select Edit for the appropriate interface.
- Select Add VRRP to add a virtual router.
- Enter the unique virtual router identifier (VRID).
- Enter the VRRP group number.
- Enter the priority. If the highest priority value of 255 is entered, the virtual router becomes the master router.
- Select Preempt if you want the router to preempt the master virtual router if the priority changes.
- Enter the source virtual IP address that will be shared across the VRRP group.
- Enter one or two IP addresses that the master router must track. The maximum number of IP addresses is two. If these IP addresses cannot be reached by the master router, the priority of the master router changes to 0.
- Select Add VRRP to add each additional virtual router.
- After filling in the fields for the virtual routers, select Update.
Using the CLI:
config system interface
    edit <VLAN name>
        set ip <IP address> <netmask>
        set allowaccess <access_types>
        set vrrp-virtual-mac enable
        config vrrp
            edit <VRRP router identifier>
                set adv-interval <seconds>
                set preempt {enable | disable}
                set priority <priority_number>
                set start-time <seconds>
                set status {enable | disable}
                set version {2 | 3}
                set vrdst <IPv4_address>
                set vrgrp <VRRP_group_number>
                set vrip <IPv4_address>
            next
        end
        set snmp-index <index number>
        set vlanid <VLAN identifier>
        set interface "internal"
    next
end
NOTE: You can also configure VRRP using IPv6 with the config ipv6 and config vrrp6 commands under the config system interface command.
Example of configuring VRRP using IPv4
In this example, the two FortiSwitch units, FSW-1 and FSW-2, function as both master and backup routers. For VRRP 10, FSW-1 is the master router, and FSW-2 is the backup router. For VRRP 20, FSW-1 is the standby router, and FSW-2 is the master router. This configuration allows the switches to balance the load and provide redundancy to each other. The downstream clients can split their gateways into two virtual routers, 10.10.10.255 and 10.10.20.255.
For the FSW-1 switch, VRID 10 has the highest priority of 255, so it is the master router; VRID 20 is the backup router.
config system interface
    edit "vlan-8"
        set ip 10.10.1.1 255.255.0.0
        set allowaccess ping https http ssh telnet snmp
        set vrrp-virtual-mac enable
        config vrrp
            edit 10
                set priority 255
                set vrip 10.10.10.255
            next
            edit 20
                set vrip 10.10.20.255
            next
        end
        set snmp-index 20
        set vlanid 8
        set interface "internal"
    next
end
For the FSW-2 switch, VRID 10 is the backup router; VRID 20 has the highest priority of 255, so it is the master router.
config system interface
    edit "vlan-8"
        set ip 10.10.1.2 255.255.0.0
        set allowaccess ping https http ssh telnet snmp
        set vrrp-virtual-mac enable
        config vrrp
            edit 10
                set vrip 10.10.10.255
            next
            edit 20
                set priority 255
                set vrip 10.10.20.255
            next
        end
        set snmp-index 20
        set vlanid 8
        set interface "internal"
    next
end
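The following Python script is an added example, not Fortinet code. It parses the VRRP part of each unit's interface configuration and reports a unit without the virtual MAC enabled, a virtual IP address that differs between units, or more than one unit set to priority 255 for the same VRID. The function names and the FSW2_BAD sample are assumptions constructed for illustration.

```python
def parse_vrrp(text):
    """Return (virtual_mac_enabled, {vrid: {option: value}}) for one unit."""
    vmac, vrids, in_vrrp, cur = False, {}, False, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["config", "vrrp"]:
            in_vrrp = True
        elif in_vrrp and tok[:1] == ["end"]:
            in_vrrp, cur = False, None
        elif in_vrrp and tok[:1] == ["edit"]:
            cur = vrids.setdefault(tok[1], {})
        elif in_vrrp and cur is not None and tok[:1] == ["set"]:
            cur[tok[1]] = " ".join(tok[2:])
        elif tok == ["set", "vrrp-virtual-mac", "enable"]:
            vmac = True
    return vmac, vrids

def audit_group(units):
    """units maps unit name -> config text; returns a list of findings."""
    parsed = {name: parse_vrrp(text) for name, text in units.items()}
    findings = [f"{n}: vrrp-virtual-mac not enabled"
                for n, (vmac, _) in parsed.items() if not vmac]
    for vrid in sorted({v for _, vr in parsed.values() for v in vr}, key=int):
        members = {n: vr[vrid] for n, (_, vr) in parsed.items() if vrid in vr}
        if len({m.get("vrip") for m in members.values()}) > 1:
            findings.append(f"VRID {vrid}: vrip differs between units")
        top = [n for n, m in members.items() if m.get("priority") == "255"]
        if len(top) > 1:
            findings.append(f"VRID {vrid}: priority 255 on {', '.join(top)}")
    return findings

# FSW-1 VRRP settings from the page's example (unrelated options trimmed).
FSW1 = """config system interface
edit "vlan-8"
set vrrp-virtual-mac enable
config vrrp
edit 10
set priority 255
set vrip 10.10.10.255
next
edit 20
set vrip 10.10.20.255
next
end
next
end"""
# Constructed mistake: FSW-2 cloned from FSW-1 with the virtual MAC disabled.
FSW2_BAD = FSW1.replace("vrrp-virtual-mac enable", "vrrp-virtual-mac disable")
if __name__ == "__main__":
    print("\n".join(audit_group({"FSW-1": FSW1, "FSW-2": FSW2_BAD})))
```
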
Checking the VRRP configuration
Using the GUI:
Go to Router > Config > Interface to see which interfaces have VRRP configured.
Go to Router > Monitor > VRRP to see the interface, source virtual IP address that is shared across the VRRP group, MAC address for the interface, and virtual router identifier for each VRRP configuration, as shown in the following figure.
Using the CLI:
get router info vrrp