FortiGate
rakanda
Staff

Purpose

The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork.


Scope
VRRP provides information on the state of a router, not the routes processed and exchanged by that router. Each VRRP instance is limited, in scope, to a single subnet. It does not advertise IP routes beyond that subnet or affect the routing table in any way. VRRP can be used with Internet Protocol Version 4 (IPv4), as well as IPv6.

Useful links:

Fortinet Documentation
VRRP


Expectations, Requirements
Note: VRRP can be configured only on physical interfaces or VLAN interfaces. You cannot configure VRRP on hardware-switch interfaces where multiple physical interfaces are combined into a hardware switch interface.

Configuration

Default VRRP configuration:

# config system interface
    edit port2
      set vrrp-virtual-mac enable
      config vrrp
        edit 1
          set version 2
          set vrgrp 0
          set vrip 0.0.0.0
          set priority 100
          set adv-interval 1
          set start-time 3
          set preempt enable
          set status enable
        next
      end
    next
end
 
Example setup primary unit:
# config system interface
    edit port2
      set vrrp-virtual-mac enable
      config vrrp
        edit 5
          set vrgrp 360             ...must be in the range of 1-65535
          set vrip 10.31.101.120
          set priority 255
          set adv-interval 1
          set start-time 3          ...maximum wait time between receiving advertisement messages
          set preempt enable        ...higher priority unit will replace the current master unit
          set vrdst x.x.x.x         ...Monitor the route to a destination IP
          set status enable
      end
end
Backup unit:
# config system interface
    edit port2
      set vrrp-virtual-mac enable
      config vrrp
        edit 5
          set vrgrp 360             ...must be in the range of 1-65535
          set vrip 10.31.101.120
          set priority 50
          set adv-interval 1
          set start-time 3          ...maximum wait time between receiving advertisement messages
          set preempt enable        ...higher priority unit will replace the current master unit
          set status enable
      end
end


Troubleshooting

Debug VRRP
# get router info vrrp
Interface: dmz, primary IP address: 0.0.0.0
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
  HA mode: master (0:1)
  VRID: 5
  vrip: 10.10.10.111, priority: 100 (100,0), state: MASTER
  adv_interval: 1, preempt: 1, start_time: 3
  vrmac: 00:00:5e:00:01:03
  vrdst:
  vrgrp: 123
 
# diagnose deb application vrrpd -1
# diag deb en
 
[vrrp_vrt_adv_timer_func:1411]: dmz, vrid 3, vrip 10.10.10.111, (1343->1343)
[vrrpd_loop:1952]: ret 0
 
# diag sniffer packet any 'proto 112' 6 0 a
interfaces=[any]
filters=[proto 112]
2017-10-16 16:12:22.553779 dmz out 0.0.0.0 -> 224.0.0.18: ip-proto-112 20
 
Sniffer packet capture output:
Virtual Router Redundancy Protocol
  Version 2, Packet type 1 (Advertisement)
  0010 .... = VRRP protocol version: 2
  .... 0001 = VRRP packet type: Advertisement (1)
  Virtual Rtr ID: 5
  Priority: 100 (Default priority for a backup VRRP router)
  Addr Count: 1
  Auth Type: No Authentication (0)
  Adver Int: 1
  Checksum: 0x6681 [correct]
  [Checksum Status: Good]
  IP Address: 10.10.10.111
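
Added example (not part of the original article and not Fortinet code): the advertisement in the capture above carries Auth Type 0, so a monitor can judge it only by its fields, its checksum, the IP TTL and the source address. The Python below decodes a VRRPv2 message and compares it with the primary-unit example settings; the sample bytes, the two router addresses and all function names are constructed for illustration, and the caller is assumed to take the source address and TTL from the IP header of the captured packet.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrpv2(payload: bytes) -> dict:
    """Decode the IP payload of a proto-112 packet as a VRRPv2 message."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adv, _ = struct.unpack("!BBBBBBH", payload[:8])
    if len(payload) < 8 + 4 * count + 8:  # header + addresses + 8-byte auth data
        raise ValueError("truncated VRRP body")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
             for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
            "auth_type": auth, "adv_interval": adv, "addrs": addrs,
            "checksum_ok": inet_checksum(payload) == 0}

def audit(payload: bytes, src: str, ttl: int, expected: dict) -> list:
    """Compare one advertisement with the configured VRRP instance."""
    findings = []
    if ttl != 255:  # RFC 3768: receivers discard advertisements whose TTL is not 255
        findings.append("ttl")
    try:
        adv = parse_vrrpv2(payload)
    except ValueError:
        return findings + ["malformed"]
    if not adv["checksum_ok"]:
        findings.append("checksum")
    if (adv["version"], adv["type"]) != (2, 1):  # VRRPv2 advertisement
        findings.append("version/type")
    if adv["vrid"] != expected["vrid"] or adv["addrs"] != [expected["vrip"]]:
        findings.append("vrid/vrip")
    if src not in expected["routers"]:
        findings.append("unknown-source")
    return findings

# Constructed sample: primary-unit example values (edit 5, vrip 10.31.101.120, priority 255).
SAMPLE = bytes.fromhex("21 05 ff 01 00 01 70 60 0a 1f 65 78" + " 00" * 8)
# Hypothetical interface addresses of the two units (not from the article).
EXPECTED = {"vrid": 5, "vrip": "10.31.101.120",
            "routers": {"10.31.101.100", "10.31.101.110"}}
```

An empty list from `audit(SAMPLE, "10.31.101.100", 255, EXPECTED)` means the advertisement matches the configured instance; any other result names the field that differs.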