Technical Tip: VRRP between two devices using FortiGate Firewall
Description
This article describes configuring VRRP between two devices using the FortiGate Firewall.
Scope
FortiGate.
Solution
In a typical Virtual Router Redundancy Protocol (VRRP) configuration, two devices are connected within the same broadcast domain, facilitated by a Layer 2 switch.
This article outlines the process of leveraging an existing Layer 3 device, specifically a FortiGate Firewall, to function as a Layer 2 device for transmitting VRRP packets.

Configuration:
FortiGate-A and FortiGate-B could be any other L3 device; in this scenario they are FortiGate Firewalls with VRRP configured between them.
'FortiGate1' is a transit device between two VRRP devices (FortiGate-A and FortiGate-B).
FortiGate1:
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
end
config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
end
To let the VRRP packets pass through the firewall at Layer 2, configure a software switch (switch-interface) on FortiGate1 with the two ports facing the VRRP peers as its members.
Note: Ensure that no member interface of the software switch has an IP address assigned; otherwise the interface cannot be added to the switch-interface.
config system switch-interface
    edit "test"
        set vdom "root"
        set member "port1" "port3"
    next
end
config system interface
    edit "test"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
end
Configure the VRRP on FortiGate-A and FortiGate-B.
FortiGate-A:
The 'wan' interface of FortiGate-A is connected to port1 of FortiGate1.
config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.3 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.168.1.100
                set priority 128
            next
        end
        set role wan
        set snmp-index 1
    next
end
FortiGate-B:
The 'wan' interface of FortiGate-B is connected to port3 of FortiGate1.
config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.168.1.100
            next
        end
        set role wan
        set snmp-index 1
    next
end
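The switch-interface note for FortiGate1 and the two peer configurations can be checked mechanically before they are committed. The Python script below is an added example, not Fortinet code and not part of this article's configuration: it parses the FortiOS CLI text (config/edit/set/next/end) into nested dicts, then verifies that no software-switch member carries an IP address and that the two VRRP peers agree on vrgrp and vrip, both enable the virtual MAC, and use different priorities. The embedded strings are this article's configurations trimmed to the relevant lines; the default priority of 100 is assumed from FortiGate-B's verification output, where 'set priority' was omitted.

```python
# Added example, not Fortinet's code: parse the FortiOS CLI text shown in this
# article and check it before it is committed: software-switch members must carry
# no IP address, and the two VRRP peers must agree on vrgrp/vrip, both enable the
# virtual MAC, and use distinct priorities.
import shlex

VRRP_DEFAULT_PRIORITY = "100"  # FortiOS default; FortiGate-B omits 'set priority'


def parse_fortios(text):
    """config/edit/set/next/end text -> nested dicts; multi-token values -> lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit vs next/end")
    return root


def switch_members_with_ip(cfg):
    """(switch, member) pairs whose member still has an IP; FortiOS rejects these."""
    ifaces = cfg.get("system interface", {})
    bad = []
    for sw, entry in cfg.get("system switch-interface", {}).items():
        members = entry.get("member", [])
        for m in [members] if isinstance(members, str) else members:
            ip = ifaces.get(m, {}).get("ip")
            if ip and ip[0] != "0.0.0.0":
                bad.append((sw, m))
    return bad


def vrrp_entries(cfg):
    """(interface, vrid) -> the settings that must line up between peers."""
    out = {}
    for name, iface in cfg.get("system interface", {}).items():
        for vrid, v in iface.get("vrrp", {}).items():
            out[(name, vrid)] = {
                "vrgrp": v.get("vrgrp"), "vrip": v.get("vrip"),
                "priority": v.get("priority", VRRP_DEFAULT_PRIORITY),
                "vmac": iface.get("vrrp-virtual-mac", "disable")}
    return out


def compare_vrrp_peers(cfg_a, cfg_b):
    """Human-readable mismatches between two peers' VRRP configuration."""
    a, b = vrrp_entries(cfg_a), vrrp_entries(cfg_b)
    problems = []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            problems.append(f"{key}: VRRP instance configured on only one peer")
            continue
        for f in ("vrgrp", "vrip"):
            if a[key][f] != b[key][f]:
                problems.append(f"{key}: {f} differs ({a[key][f]} vs {b[key][f]})")
        if a[key]["priority"] == b[key]["priority"]:
            problems.append(f"{key}: equal priority {a[key]['priority']}; "
                            "the master is then chosen by highest primary IP")
        if (a[key]["vmac"], b[key]["vmac"]) != ("enable", "enable"):
            problems.append(f"{key}: vrrp-virtual-mac is not enabled on both peers")
    return problems


# Sample input: the article's configuration, trimmed to the relevant lines.
FORTIGATE1 = """
config system interface
    edit "test"
        set ip 192.168.1.1 255.255.255.0
    next
end
config system switch-interface
    edit "test"
        set member "port1" "port3"
    next
end
"""
FORTIGATE_A = """
config system interface
    edit "wan"
        set ip 192.168.1.3 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.168.1.100
                set priority 128
            next
        end
    next
end
"""
# FortiGate-B: same VRRP settings, its own IP, and no explicit priority.
FORTIGATE_B = FORTIGATE_A.replace("192.168.1.3", "192.168.1.2").replace("set priority 128\n", "")
```

Running `compare_vrrp_peers(parse_fortios(FORTIGATE_A), parse_fortios(FORTIGATE_B))` on the article's configuration returns an empty list; giving both peers the same priority, or disabling vrrp-virtual-mac on one side, produces one finding each. The parser keeps the FortiOS nesting as dict nesting, so `config vrrp` under `edit "wan"` ends up at `cfg["system interface"]["wan"]["vrrp"]["1"]`.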
Verification:
FortiGate-A # get router info vrrp
Interface: wan, primary IP address: 192.168.1.3
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
HA mode: master (0:0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
FortiGate-B # get router info vrrp
Interface: wan, primary IP address: 192.168.1.2
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 0
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
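The two outputs above show the healthy pattern: one MASTER and one BACKUP with identical VRID, vrip, vrgrp and virtual MAC. If the transit device does not carry the VRRP advertisements (multicast 224.0.0.18) between the peers, each peer stops hearing the other and both become MASTER. The Python script below is an added example, not part of this article or of FortiOS: it parses `get router info vrrp` output from both devices and flags that split-brain state and related mismatches (differing vrip/vrgrp/vrmac/adv_interval, a virtual MAC that does not match the VRID, or a lower-priority peer holding MASTER while preempt is on). The embedded outputs are the two shown above, reduced to the lines the check uses; the device names are taken from the article.

```python
# Added example, not Fortinet's code: parse 'get router info vrrp' from both
# peers and flag states a healthy pair must not show, above all two MASTERs,
# which is what appears when the transit path drops the VRRP advertisements.
import re

# Regexes for the fields this check needs; other fields in the output are ignored.
FIELDS = {
    "interface": r"^Interface: (\S+?),",
    "vrid": r"VRID: (\d+)",
    "use_vmac": r"UseVMAC: (\d)",
    "vrip": r"vrip: (\S+?),",
    "priority": r"priority: (\d+)",
    "state": r"state: ([A-Z]+)",
    "adv_interval": r"^adv_interval: (\d+)",  # anchored so master_adv_interval is not matched
    "preempt": r"preempt: (\d)",
    "vrmac": r"vrmac: ([0-9a-f:]{17})",
    "vrgrp": r"vrgrp: (\d+)",
}


def parse_vrrp_status(text):
    """One dict per 'Interface:' stanza in the command output."""
    records = []
    for line in text.splitlines():
        if line.startswith("Interface:"):
            records.append({})
        if not records:
            continue  # text before the first stanza (e.g. the prompt line)
        for name, pat in FIELDS.items():
            m = re.search(pat, line)
            if m:
                records[-1][name] = m.group(1)
    return records


def expected_vrmac(vrid):
    """Virtual MAC defined by RFC 3768: 00-00-5E-00-01-{VRID}."""
    return f"00:00:5e:00:01:{int(vrid):02x}"


def check_vrrp_pair(outputs):
    """outputs: {device: command output}. Returns findings; [] means healthy."""
    findings = []
    by_vrid = {}
    for dev, txt in outputs.items():
        for rec in parse_vrrp_status(txt):
            by_vrid.setdefault(rec.get("vrid"), []).append((dev, rec))
    for vrid, peers in by_vrid.items():
        if len(peers) < 2:
            findings.append(f"VRID {vrid}: only seen on {[d for d, _ in peers]}")
        masters = [d for d, r in peers if r.get("state") == "MASTER"]
        if len(masters) != 1:
            findings.append(f"VRID {vrid}: {len(masters)} MASTERs {masters}, expected exactly one")
        for field in ("vrip", "vrgrp", "vrmac", "adv_interval"):
            values = {r.get(field) for _, r in peers}
            if len(values) != 1:
                findings.append(f"VRID {vrid}: {field} differs across peers: {values}")
        for dev, r in peers:
            if r.get("use_vmac") == "1" and r.get("vrmac") != expected_vrmac(vrid):
                findings.append(f"{dev} VRID {vrid}: vrmac {r.get('vrmac')} is not {expected_vrmac(vrid)}")
        if len(masters) == 1:
            best = max(peers, key=lambda p: int(p[1].get("priority", "0")))
            if best[0] != masters[0] and all(r.get("preempt") == "1" for _, r in peers):
                findings.append(f"VRID {vrid}: {masters[0]} is MASTER but {best[0]} "
                                "has the higher priority with preempt on")
    return findings


# Sample input: the two outputs shown above, reduced to the lines used here.
OUTPUTS = {
    "FortiGate-A": """\
Interface: wan, primary IP address: 192.168.1.3
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrgrp: 10
""",
    "FortiGate-B": """\
Interface: wan, primary IP address: 192.168.1.2
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrgrp: 10
""",
}
```

`check_vrrp_pair(OUTPUTS)` returns an empty list for the article's outputs. Changing FortiGate-B's state to MASTER (the symptom of a transit device that does not pass VRRP between the peers) yields a single "2 MASTERs" finding, and swapping the two states yields a finding that the lower-priority peer holds MASTER despite preempt being on.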
Related article:
Technical Tip: FortiGate VRRP configuration and debug
