jmlux
New Contributor III

VRRP secondary IP

Hi,

Would anyone happen to know if I can assign secondary IPs to a VRRP instance (multiple redundant gateways inside same VLAN) on a Fortigate?

In fact we wanted to test a migration scenario from another vendor, now we're already stuck.

As far as I can see I can only "set vrip" on a specific instance once.

Thanks and best regards,

Marki

1 Solution
emnoc
Esteemed Contributor III

Can you explain more? And provide a get router info vrrp of what you have now? A topology?

Typically you can set one instance in the same interface by the edit command, never heard of anybody trying to add more. I know other firewalls like Huawei let you define numerous instances with different VRRP group IDs. I believe you can edit more VRRP instances under 5.2.x (someone will correct me if I'm wrong ;) )

If you really need secondaries, you should re-look at your design imho. My stomach gains pains when I see networks stacked with multiple secondaries. Remember you're limited to 32 secondaries per interface (interface, not system).

 

 

 

PCNSE NSE StrongSwan
jmlux
New Contributor III

Don't get me wrong, my stomach aches too, but we have to deal with the facts. What we wanted to do is use the Fortinet as a drop-in replacement for an existing VRRP setup. We don't want MAC addresses to change (potential ARP cache issues and such) so I thought we could simply use Fortigate's VRRP capability for a smooth migration. Unfortunately we will need several virtual router IPs inside *one* instance, and that does not seem possible with the Fortigate. You can have secondaries on the interfaces themselves, but not inside a VRRP instance it seems. You could create another instance on that same interface, but that would change the MAC address. Also it probably wouldn't fit into the existing VRRP setup as the instances on the Fortigate and the other gear would have a different config. Thanks anyway :)

emnoc
Esteemed Contributor III

Try opening a feature request and see what FTNT will say. Most of the time, people are trying to get away with the secondaries approach and simpler network replanning could achieve this. Your best bet is to see what support or your SSE partner would say or can do.

 

 

 

PCNSE NSE StrongSwan
jmlux
New Contributor III

It doesn't matter because if it currently isn't possible, we can't wait for it to be implemented.

 

But you're right, in any case I can ask support, as RFC3768 clearly talks about "One or more IP addresses".
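The RFC 3768 advertisement layout behind the points in this thread (a "Count IP Addrs" field that lets one virtual router carry several addresses, and a virtual MAC derived only from the VRID), as an added example that is not from any poster or from Fortinet. The function names are hypothetical, the addresses are constructed documentation-range values, and authentication type 0 is assumed.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def virtual_mac(vrid: int) -> str:
    """RFC 3768 virtual router MAC: 00-00-5E-00-01-{VRID}."""
    return f"00:00:5e:00:01:{vrid:02x}"

def build_advert(vrid, priority, ips, adver_int=1) -> bytes:
    """Build a VRRPv2 ADVERTISEMENT (version 2, type 1, auth type 0)."""
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                       len(ips), 0, adver_int, 0)
    body = head + addrs + b"\x00" * 8  # 8 bytes of authentication data, zeroed
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def parse_advert(data: bytes) -> dict:
    """Parse a VRRPv2 advertisement; check length and checksum."""
    if len(data) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, _auth, _adver, _csum = struct.unpack("!BBBBBBH", data[:8])
    if vt >> 4 != 2 or vt & 0xF != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(data) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    ips = [str(ipaddress.IPv4Address(data[8 + 4 * i:12 + 4 * i]))
           for i in range(count)]
    # Summing a valid message including its checksum field yields zero.
    return {"vrid": vrid, "priority": prio, "ips": ips,
            "mac": virtual_mac(vrid), "checksum_ok": inet_checksum(data) == 0}

# Constructed sample: one virtual router (VRID 10) backing three gateway IPs.
SAMPLE = build_advert(10, 100, ["192.0.2.1", "192.0.2.129", "198.51.100.1"])

if __name__ == "__main__":
    print(parse_advert(SAMPLE))
```

All three addresses share the single MAC derived from VRID 10; putting any of them under a different VRID changes the MAC that hosts have in their ARP caches.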

 
