jmlux
New Member
August 25, 2015
Solved

VRRP secondary IP


Hi,

Would anyone happen to know if I can assign secondary IPs to a VRRP instance (multiple redundant gateways inside same VLAN) on a Fortigate?

In fact we wanted to test a migration scenario from another vendor, now we're already stuck.

As far as I can see I can only "set vrip" on a specific instance once.

Thanks and best regards,

Marki


    emnoc (Answer)
    New Member
    August 25, 2015

    Can you explain more? And provide a get router info vrrp of what you have now? A topology?

    Typically you can set one instance in the same interface by the edit command, never heard of anybody trying to add more. I know other firewalls like Huawei let you define numerous instances with different VRRP group IDs. I believe you can edit more VRRP instances under 5.2.x (someone will correct me if I'm wrong ;) )

    If you really need secondaries, you should re-look at your design imho. My stomach gains pains when I see networks stacked with multiple secondaries. Remember you're limited to 32 secondaries per interface (interface, not system)

    jmlux (Author)
    New Member
    August 26, 2015

    Don't get me wrong, my stomach aches too, but we have to deal with the facts. What we wanted to do is use the Fortinet as a drop-in replacement for an existing VRRP setup. We don't want MAC addresses to change (potential ARP cache issues and such) so I thought we could simply use Fortigate's VRRP capability for a smooth migration. Unfortunately we will need several virtual router IPs inside *one* instance, and that does not seem possible with the Fortigate. You can have secondaries on the interfaces themselves, but not inside a VRRP instance it seems. You could create another instance on that same interface, but that would change the MAC address. Also it probably wouldn't fit into the existing VRRP setup as the instances on the Fortigate and the other gear would have a different config. Thanks anyway :)

    emnoc
    New Member
    August 26, 2015

    Try opening a feature request and see what FTNT will say. Most of the time, people are trying to get away with the secondaries approach and simpler network replanning could achieve this. Your best bet is to see what support or your SSE partner would say or can do.

    jmlux (Author)
    New Member
    August 26, 2015

    It doesn't matter because if it currently isn't possible, we can't wait for it to be implemented.

     

    But you're right, in any case I can ask support, as RFC3768 clearly talks about "One or more IP addresses".
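
Added example (not from the thread or from Fortinet): a Python sketch of the RFC 3768 VRRPv2 advertisement layout the last post refers to. It shows that one VRID carries a Count IP Addrs field followed by a list of addresses, and that the virtual MAC 00-00-5E-00-01-{VRID} depends only on the VRID, which is why a second instance changes the MAC. The sample packet, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def virtual_mac(vrid: int) -> str:
    """Virtual router MAC is derived from the VRID alone: 00-00-5E-00-01-{VRID}."""
    return f"00:00:5e:00:01:{vrid:02x}"

def build_advert(vrid, priority, addrs, adver_int=1):
    """Build a VRRPv2 advertisement (auth type 0) carrying every address in addrs."""
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    pkt = head + body + b"\x00" * 8  # 8 bytes of authentication data
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]

def parse_advert(pkt: bytes) -> dict:
    """Validate and decode a VRRPv2 advertisement payload (IP protocol 112)."""
    if len(pkt) < 8:
        raise ValueError("too short for a VRRP header")
    vt, vrid, prio, count, _auth, _adv, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    if inet_checksum(pkt) != 0:  # a valid packet sums to zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "mac": virtual_mac(vrid), "addrs": addrs}

def uncovered(advert: dict, replacement_vrips) -> list:
    """Addresses the existing master advertises that the replacement would not serve."""
    return [a for a in advert["addrs"] if a not in set(replacement_vrips)]

# Constructed sample: one VRID carrying three gateway addresses (documentation ranges).
SAMPLE = build_advert(10, 200, ["192.0.2.1", "198.51.100.1", "203.0.113.1"])

if __name__ == "__main__":
    advert = parse_advert(SAMPLE)
    print(advert)
    print("not covered by a single vrip:", uncovered(advert, ["192.0.2.1"]))
```

Run against a captured advertisement from the existing gear, `uncovered` lists the gateway addresses that a replacement limited to one virtual IP per instance would leave unserved.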