Description
This article describes the Virtual Router Redundancy Protocol (VRRP), a computer networking protocol that automatically assigns available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths through automatic default gateway selection on an IP subnetwork.
Scope
VRRP provides information on the state of a router, not the routes processed and exchanged by that router. Each VRRP instance is limited, in scope, to a single subnet. It does not advertise IP routes beyond that subnet or affect the routing table in any way. VRRP can be used with Internet Protocol Version 4 (IPv4), as well as IPv6.
Useful links:
Fortinet Documentation.
VRRP
Expectations, Requirements.
Note: VRRP can be configured only on physical interfaces or VLAN interfaces. It is not possible to configure VRRP on hardware-switch interfaces where multiple physical interfaces are combined into a hardware-switch interface.
Solution
Default VRRP configuration:
# config system interface
    edit port2
        set vrrp-virtual-mac enable
        # config vrrp
            edit 1
                set version 2
                set vrgrp 0
                set vrip 0.0.0.0
                set priority 100
                set adv-interval 1
                set start-time 3
                set preempt enable
                set status enable
            next
        end
    next
end
Default VRRP6 configuration:
# config system interface
    edit port2
        # config ipv6
            set vrrp-virtual-mac6 enable
            # config vrrp6
                edit 1
                    set vrgrp 0
                    set vrip6 0:0:0:0:0:0:0:0
                    set priority 100
                    set adv-interval 1
                    set start-time 3
                    set preempt enable
                    set status enable
                next
            end
        end
    next
end
Example setup primary unit:
# config system interface
    edit port2
        set vrrp-virtual-mac enable <-
        # config vrrp
            edit 5
                set vrgrp 360 ...must be in the range of 1-65535.
                set vrip 10.31.101.120
                set priority 255
                set adv-interval 1
                set start-time 3 ...maximum wait time between receiving advertisement messages.
                set preempt enable ...higher priority unit will replace the current master unit.
                set vrdst x.x.x.x ...monitor the route to a destination IP.
                set status enable <-
        end
end
Backup unit:
# config system interface
    edit port2
        set vrrp-virtual-mac enable
        # config vrrp
            edit 5
                set vrgrp 360 ...must be in the range of 1-65535.
                set vrip 10.31.101.120
                set priority 50
                set adv-interval 1
                set start-time 3 ...maximum wait time between receiving advertisement messages.
                set preempt enable ...higher priority unit will replace the current master unit.
                set status enable
        end
end
Example setup primary unit VRRP6:
# config system interface
    edit port3
        # config ipv6
            set vrrp-virtual-mac6 enable
            # config vrrp6
                edit 1
                    set vrgrp 44
                    set vrip6 2001:780:240:10::3
                    set priority 120
                    set adv-interval 1
                next
            end
        end
    next
end
Backup unit:
# config system interface
    edit port3
        # config ipv6
            set vrrp-virtual-mac6 enable
            # config vrrp6
                edit 1
                    set vrgrp 44
                    set vrip6 2001:780:240:10::3
                    set priority 100
                    set adv-interval 1
                next
            end
        end
    next
end
As of FortiOS v7.6.0, the VRRP Hello interval can be configured in milliseconds.
Troubleshooting.
Debug VRRP.
# get router info vrrp
Interface: dmz, primary IP address: 0.0.0.0
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
HA mode: master (0:1)
VRID: 5
vrip: 10.10.10.111, priority: 100 (100,0), state: MASTER
adv_interval: 1, preempt: 1, start_time: 3
vrmac: 00:00:5e:00:01:03
vrdst:
vrgrp: 123
# diagnose deb application vrrpd -1
# diag deb en
[vrrp_vrt_adv_timer_func:1411]: dmz, vrid 3, vrip 10.10.10.111, (1343->1343)
[vrrpd_loop:1952]: ret 0
# diag sniffer packet any 'proto 112' 6 0 a
interfaces=[any]
filters=[proto 112]
2017-10-16 16:12:22.553779 dmz out 0.0.0.0 -> 224.0.0.18: ip-proto-112 20
Sniffer packet capture output:
Virtual Router Redundancy Protocol
Version 2, Packet type 1 (Advertisement)
0010 .... = VRRP protocol version: 2
.... 0001 = VRRP packet type: Advertisement (1)
Virtual Rtr ID: 5
Priority: 100 (Default priority for a backup VRRP router)
Addr Count: 1
Auth Type: No Authentication (0)
Adver Int: 1
Checksum: 0x6681 [correct]
[Checksum Status: Good]
IP Address: 10.10.10.111
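The decode above shows Auth Type 0 (no authentication), so a monitoring host can only compare each advertisement with the configured group. This added Python example, which is not part of the original article or any Fortinet code, parses a VRRPv2 advertisement and checks the checksum, the IP TTL of 255 that RFC 3768 requires, the VRID, the virtual IP, the sender and the priority. The router addresses 10.31.101.100 and 10.31.101.101 and all function names are assumptions, and the sample packet is constructed by build_advert.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used over the VRRPv2 message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrp2(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement (the bytes that follow the IP header)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adv, _ = struct.unpack("!BBBBBBH", payload[:8])
    if len(payload) < 8 + 4 * count:
        raise ValueError("truncated address list")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
            "auth_type": auth, "adv_interval": adv, "vrips": addrs,
            "vrmac": f"00:00:5e:00:01:{vrid:02x}",   # IPv4 virtual MAC for this VRID
            "checksum_ok": checksum(payload) == 0}   # sum including checksum field

def check_advert(src: str, ttl: int, payload: bytes, group: dict) -> list:
    """Compare one advertisement with the configured group; return findings."""
    adv, findings = parse_vrrp2(payload), []
    if (adv["version"], adv["type"]) != (2, 1):
        findings.append("not a VRRPv2 advertisement")
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if ttl != 255:
        findings.append(f"IP TTL {ttl}, expected 255")
    if adv["vrid"] != group["vrid"] or adv["vrips"] != [group["vrip"]]:
        findings.append("VRID or virtual IP differs from configuration")
    if src not in group["routers"]:
        findings.append(f"sender {src} is not a configured router")
    elif adv["priority"] != group["routers"][src]:
        findings.append(f"priority {adv['priority']} differs from configured value")
    return findings

def build_advert(vrid: int, prio: int, vrip: str, adv: int = 1) -> bytes:
    """Build a sample VRRPv2 advertisement for testing (constructed data)."""
    body = ipaddress.IPv4Address(vrip).packed + bytes(8)   # one address + 8 auth bytes
    head = struct.pack("!BBBBBB", 0x21, vrid, prio, 1, 0, adv)
    return head + struct.pack("!H", checksum(head + b"\x00\x00" + body)) + body

GROUP = {"vrid": 5, "vrip": "10.31.101.120",   # VRID and vrip from the example setup
         "routers": {"10.31.101.100": 255, "10.31.101.101": 50}}   # assumed router IPs
```

An empty list from check_advert means the advertisement matches the configured group; the payload passed in must be exactly the IP payload, without link-layer padding.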
Debug VRRP6.
# get router info6 vrrp
Interface: port3, primary IPv6 address: 2001:780:240:10::1
link-local IPv6 address: fe80::276:6fff:fe6c:3803
Virtual link-local IPv6 address: fe80::62:44:1
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 2
HA mode: primary (0:0:2)
VRT master count: 1
VRID: 44 version: 3
vrip: 2001:780:240:10::3, priority: 90, state: MASTER
adv_interval: 5, preempt: 1, start_time: 3
master_adv_interval: 500, accept: 1
vrmac: 00:00:5e:00:02:2c
vrdst:
vrgrp: 44
# diagnose deb application vrrpd -1
# diag deb en
volkswagen-kvm56 # [vrrpd_loop:2392]: ret 0
[vrrp_vrt_adv_timer_func:1697]: port3, vrid 44, vrip 2001:780:240:10::3, (11343->11343)
# diag sniffer packet any 'proto 112' 6 0 a
Using Original Sniffing Mode
interfaces=[port3]
filters=[proto 112]
2023-04-04 09:53:29.357234 port3 -- fe80::276:6fff:fe6c:3803 -> ff02::12: ip-proto-112 40