Could someone help me understand Fortigate VRRP?

Question

We are trying to implement VRRP over L2, but it doesn't seem to be establishing a connection. I have a few questions:

1. Does the interface need it's own actual IP Address plus the vrip?

Example:

FG1

config system interface edit "vrrp1" set vdom "root" set ip 172.30.1.2 255.255.255.0 set allowaccess ping set device-identification enable set vrrp-virtual-mac enable config vrrp edit 200 set vrgrp 200 set vrip 172.30.1.1 set priority 255 next end set role lan set snmp-index 30 set interface "Aggregate" set vlanid 200 next end

FG2

config system interface edit "vrrp1" set vdom "root" set ip 172.30.1.3 255.255.255.0 set allowaccess ping set device-identification enable set vrrp-virtual-mac enable config vrrp edit 200 set vrgrp 200 set vrip 172.30.1.1 set priority 255 next end set role lan set snmp-index 30 set interface "Aggregate" set vlanid 200 next end

2. When I remove the "set ip" command above, BGP stops advertising this network. Can I still announce this network via BGP and configure VRRP for this network?

3. Based on the config above, what would I set for my vrdst?

Thanks

Toshi_Esumi · Answer

VRRP uses the IP to identify the master or others. Needs to have an unique IP. Without it, probably all IP packets won't go/come through this interface since it won't join the VRRP group so vrip is not valid. Nothing to advertise via BGP or any other protocols. I don't expect you see it even in the local routing table.

For vrdst, it's for the master to monitor to withdraw itself if it become unreachable, or change the priority. See below doc:

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-high-availability/HA_VRRPFailover.htm?Highlight=VRRP

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded