Hi,
Would anyone happen to know if I can assign secondary IPs to a VRRP instance (multiple redundant gateways inside same VLAN) on a Fortigate?
In fact we wanted to test a migration scenario from another vendor, now we're already stuck.
As far as I can see I can only "set vrip" on a specific instance once.
Thanks and best regards,
Marki
Can you explain more? And provide a get router info vrrp of what you have now? A topology?
Typically you can set one instance in the same interface by the edit command, never heard of anybody trying to add more. I know other firewalls like Huawei let you define numerous instances with different VRRP group IDs. I believe you can edit more VRRP instances under 5.2.x (someone will correct me if I'm wrong ; ) )
If you really need secondaries, you should re-look at your design imho. My stomach gets pains when I see networks stacked with multiple secondaries. Remember you're limited to 32 secondaries per interface (interface, not system).
PCNSE
NSE
StrongSwan
Don't get me wrong, my stomach aches too, but we have to deal with the facts. What we wanted to do is use the Fortinet as a drop-in replacement for an existing VRRP setup. We don't want MAC addresses to change (potential ARP cache issues and such) so I thought we could simply use Fortigate's VRRP capability for a smooth migration. Unfortunately we will need several virtual router IPs inside *one* instance, and that does not seem possible with the Fortigate. You can have secondaries on the interfaces themselves, but not inside a VRRP instance it seems. You could create another instance on that same interface, but that would change the MAC address. Also it probably wouldn't fit into the existing VRRP setup as the instances on the Fortigate and the other gear would have a different config. Thanks anyway :)
Try opening a feature request and see what FTNT will say. Most of the time, people are trying to get away with the secondaries approach and simpler network replanning could achieve this. Your best bet is to see what support or your SSE partner would say or can do.
PCNSE
NSE
StrongSwan
It doesn't matter because if it currently isn't possible, we can't wait for it to be implemented.
But you're right, in any case I can ask support, as RFC3768 clearly talks about "One or more IP addresses".
Copyright 2024 Fortinet, Inc. All Rights Reserved.