Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
christian_schindler
New Contributor

Connect Fortigate to upstream router with VRRP

Hello,

 

we are using a fortigate in a hosted datacenter to connect/separate our servers to/from the datacenter router.

The datacenter provides redunant router connections through VRRP. (we got two ports to connect to)

 

My question is: how should I connect my 2 WAN IF to the two router ports that were provided to me?

Do I have add a VRRP virtual router to my WAN IF? Or is this SD-WAN?

 

Sorry, but I've never done this before...

 

Thanks for your help!

Christian Schindler

4 REPLIES 4
Toshi_Esumi
Esteemed Contributor III

Regularly a switch is placed in-between, so that FGT side (unless you have two FGTs) connects only one port to the switch with untagged or tagged VLAN interface to the switch. The switch then connects to the two routers at VRRP ports so whichever the master at a time can transmit/receive packets to/from the FGT, at that same time both routers can see the other's advertisement with VRRP protocol each other over the switch.

 

christian_schindler

Thanks for your answer.

 

They provides two different switches for connections to the upstream router and I was told by the DC operator that we need to use VRRP if we want to use both connections.

 

They also have redundant GW IPs: So the first three IPs of the subnet are reserved for the GW IPs (one per GW and the third one as the HA address).

 

So somehow I need to configure my WAN IFs to use VRRP to be able to talk redundantly to these routers.

 

Thanks

Christian

Toshi_Esumi

That's odd. Of course VRRP takes up 3 IPs in the subnet: Virtual IP, which you need to use as GW, and two individual router IPs so that they can see each other to decide the master.

In that situation, the provider side should connect them through their switch(es) and provide one port to you.

Then you have to have your own switch to connect both their switch ports together and provide one port to your FGT. The VRRP in your case is for the GW router redundancy. Your FGT won't join their VRRP.

christian_schindler

Thanks!

 

So you say I need a switch between the FGT and the providers router ports? And this switch connects to both provider ports and to one port of the FGT.

 

But then I have no availability from the FGT if one port should fail on the FGT, right?

 

Thanks

Christian

Labels
Top Kudoed Authors