Example VRRP configuration: VRRP load balancing two FortiGate units and two VRRP groups
In this configuration two VRRP groups are involved. Each FortiGate unit participates in both of them. One FortiGate unit is the master of one group and the other FortiGate unit is the master of the other group. The network distributes traffic between two different default routes (10.31.101.120 and 10.31.101.130). One VRRP group is configured with one of the default route IP addresses and the other VRRP group gets the other default route IP address. So during normal operation both FortiGate units are processing traffic, and the VRRP groups are used to load balance the traffic between the two FortiGate units.
If one of the FortiGate units fails, the remaining FortiGate unit becomes the master of both VRRP groups. The network sends all traffic for both default routes to this FortiGate unit. The result is a configuration that under normal operation load balances traffic between two FortiGate units, but if one of the FortiGate units fails, all traffic fails over to the unit that is still operating.
This example also includes enabling the VRRP virtual MAC address on both FortiGate unit port2 interfaces so that the VRRP groups use their VRRP virtual MAC addresses.
Example VRRP configuration with two FortiGate units and two VRRP groups
To configure the FortiGate units
- 1. Log into the CLI of FortiGate unit A.
- 2. Enter the following command to enable the VRRP virtual MAC address feature and add the VRRP groups to the port2 interface of FortiGate unit A:
config system interface
    edit port2
        set vrrp-virtual-mac enable
        config vrrp
            edit 50
                set vrip 10.31.101.120
                set priority 255
            next
            edit 100
                set vrip 10.31.101.130
                set priority 50
        end
end
- 3. Log into the CLI of FortiGate unit B.
- 4. Enter the following command to enable the VRRP virtual MAC address feature and add the VRRP groups to the port2 interface of FortiGate unit B:
config system interface
    edit port2
        set vrrp-virtual-mac enable
        config vrrp
            edit 50
                set vrip 10.31.101.120
                set priority 50
            next
            edit 100
                set vrip 10.31.101.130
                set priority 255
        end
end
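The two CLI snippets above only load balance if they agree with each other: the same vrip per VRRP group on both units, exactly one unit at priority 255 per group, a different owner for each group, and the virtual MAC enabled on both port2 interfaces. The following added example (not Fortinet code and not part of this page's procedure) parses constructed copies of the two port2 snippets and checks those invariants, then works out which unit holds each virtual IP under normal operation and after one unit fails. It assumes the master of a group is simply the surviving unit with the highest priority.

```python
"""Check that a pair of FortiGate VRRP configurations really load balances.

Added example, not Fortinet code: parses FortiOS-style ``config vrrp``
snippets and verifies the active/active invariants described in the text.
"""

# Constructed copy of the FortiGate unit A port2 snippet from the procedure.
UNIT_A = """\
config system interface
    edit port2
        set vrrp-virtual-mac enable
        config vrrp
            edit 50
                set vrip 10.31.101.120
                set priority 255
            next
            edit 100
                set vrip 10.31.101.130
                set priority 50
            next
        end
    next
end
"""

# Unit B is the same configuration with the two priorities swapped.
UNIT_B = (UNIT_A.replace("set priority 255", "PRIO_X")
                .replace("set priority 50", "set priority 255")
                .replace("PRIO_X", "set priority 50"))


def parse_vrrp(cli):
    """Parse one unit's port2 snippet into (vmac_enabled, {vrid: {vrip, priority}})."""
    vmac = "set vrrp-virtual-mac enable" in cli
    groups, vrid, in_vrrp = {}, None, False
    for raw in cli.splitlines():
        line = raw.strip()
        if line == "config vrrp":
            in_vrrp = True
        elif not in_vrrp:
            continue                      # interface-level lines are not needed here
        elif line == "end":
            in_vrrp = False               # leaves the config vrrp table
        elif line.startswith("edit "):
            vrid = int(line.split()[1])
            groups[vrid] = {"vrip": None, "priority": None}
        elif line.startswith("set vrip "):
            groups[vrid]["vrip"] = line.split()[2]
        elif line.startswith("set priority "):
            groups[vrid]["priority"] = int(line.split()[2])
    return vmac, groups


def check_load_balancing(configs):
    """configs maps unit name -> CLI text. Returns a list of problems; an empty
    list means the pair matches the active/active design described above."""
    parsed = {name: parse_vrrp(cli) for name, cli in configs.items()}
    problems = []
    for name, (vmac, _) in parsed.items():
        if not vmac:
            problems.append(f"{name}: vrrp-virtual-mac is not enabled")
    vrids = sorted({v for _, g in parsed.values() for v in g})
    owners = {}
    for vrid in vrids:
        entries = {n: g[vrid] for n, (_, g) in parsed.items() if vrid in g}
        if len(entries) != len(parsed):
            problems.append(f"vrid {vrid}: missing on {sorted(set(parsed) - set(entries))}")
            continue
        if len({e["vrip"] for e in entries.values()}) != 1:
            problems.append(f"vrid {vrid}: units disagree on vrip")
        at_255 = sorted(n for n, e in entries.items() if e["priority"] == 255)
        if len(at_255) != 1:
            problems.append(f"vrid {vrid}: expected one unit at priority 255, got {at_255}")
        else:
            owners[vrid] = at_255[0]
    # Every unit should own at least one group, otherwise nothing is balanced.
    if not problems and len(set(owners.values())) < len(parsed):
        problems.append("one unit masters every group: no load balancing")
    return problems


def master_of(configs, vrid, failed=()):
    """Unit that holds `vrid`: highest priority among units not listed in `failed`
    (an assumption of this example, ignoring VRRP tie-breaking on IP address)."""
    alive = {n: parse_vrrp(c)[1][vrid] for n, c in configs.items() if n not in failed}
    if not alive:
        return None
    return max(alive, key=lambda n: alive[n]["priority"])


if __name__ == "__main__":
    pair = {"A": UNIT_A, "B": UNIT_B}
    print("problems:", check_load_balancing(pair))
    for vrid in (50, 100):
        print(vrid, "normal:", master_of(pair, vrid), "A down:", master_of(pair, vrid, failed=("A",)))
```

Running it on the page's configuration reports no problems, group 50 on unit A and group 100 on unit B during normal operation, and both groups on unit B once A fails; changing unit B's group 50 priority to 255 is flagged as two owners for the same group.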
Optional VRRP configuration settings
In addition to the basic configuration settings, you can change the VRRP configuration to:
- Adjust the virtual router advertisement message interval between 1 and 255 seconds using the adv-interval option.
- Adjust the startup time using the start-time option. The default start time is 3 seconds and the range is 1 to 255 seconds. The start time is the maximum time that the backup unit waits between receiving advertisement messages from the master unit. If the backup unit does not receive an advertisement message during this time it assumes the master has failed and becomes the new master unit. In some cases the advertisement messages may be delayed. For example, some switches with spanning tree enabled may delay some of the advertisement message packets. If you find that backup units are attempting to become master units without the master unit failing, you can extend the start time to make sure the backup units wait long enough for the advertisement messages.
- Enable or disable individual virtual router configurations using the status option. Normally virtual router configurations are enabled, but you can temporarily disable one if it's not required.
- Enable or disable preempt mode using the preempt option. In preempt mode a higher priority backup unit can preempt a lower priority master unit. This can happen if a master has failed, a backup unit has become the master unit, and the failed master is restarted. Since the restarted unit will have a higher priority, if preempt mode is enabled the restarted unit will replace the current master unit. Preempt mode is enabled by default.
- Monitor the route to a destination IP address using the vrdst option.
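The start-time and preempt behaviour above is easy to misjudge on a live network, so the following added example (not Fortinet code) models both rules exactly as the page states them: a backup that waits longer than the start time between two advertisements concludes the master has failed, and a higher-priority unit reclaims a group only when preempt mode is enabled. The advertisement timestamps and unit names are constructed; the model ignores adv-interval jitter and VRRP tie-breaking and is only meant to show why a spanning-tree delay can trigger a false failover and what preempt changes after a restart.

```python
"""Model the start-time and preempt rules described for FortiGate VRRP.

Added example, not Fortinet code; timestamps and units are constructed.
"""
from dataclasses import dataclass


@dataclass
class Unit:
    name: str
    priority: int
    preempt: bool = True   # preempt option; enabled by default per the page
    status: bool = True    # status option; a disabled group never takes part
    alive: bool = True     # constructed flag: has the unit failed?


def backup_declares_master_down(advert_times, start_time):
    """start-time rule: True if the gap between two consecutive advertisement
    arrivals (seconds) exceeds start_time, i.e. the backup assumes the master
    has failed and becomes master itself."""
    return any(b - a > start_time for a, b in zip(advert_times, advert_times[1:]))


def elect_master(units, current):
    """Return the name of the unit holding the group, given the current master
    name (or None before the first election)."""
    eligible = [u for u in units if u.alive and u.status]
    if not eligible:
        return None
    best = max(eligible, key=lambda u: u.priority)
    cur = next((u for u in eligible if u.name == current), None)
    if cur is None:
        return best.name           # master down: highest-priority backup takes over
    if best.preempt and best.priority > cur.priority:
        return best.name           # preempt mode: higher-priority unit reclaims the group
    return cur.name                # no preempt: the current master keeps the group


def restart_scenario(preempt):
    """Master of a group through: normal operation, owner fails, owner restarts."""
    a = Unit("A", 255, preempt=preempt)
    b = Unit("B", 50, preempt=preempt)
    history = [elect_master([a, b], None)]          # normal operation: A (255)
    a.alive = False
    history.append(elect_master([a, b], history[-1]))  # A fails: B takes over
    a.alive = True
    history.append(elect_master([a, b], history[-1]))  # A restarts: depends on preempt
    return history


if __name__ == "__main__":
    # Constructed arrivals: 1 s adv-interval, one advertisement delayed by 4 s.
    arrivals = [0, 1, 2, 6, 7]
    print("start-time 3:", backup_declares_master_down(arrivals, 3))  # false failover
    print("start-time 5:", backup_declares_master_down(arrivals, 5))  # waits it out
    print("preempt on: ", restart_scenario(True))
    print("preempt off:", restart_scenario(False))
```

With the default start time of 3 seconds a single 4-second delay makes the backup take over even though the master never failed; raising start-time to 5 absorbs the delay. With preempt enabled the restarted priority-255 unit takes the group back from the backup, with preempt disabled the backup keeps it.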
Hi Mike,
I would like to inform you about the last option, the ip vrdst option, that this is working with a huge limitation. If in the routing table from the FortiGate a default route exists (0.0.0.0) you can enter every IP address you would like with vrdst, but the FortiGate will not fail over until the default route disappears. Once it has disappeared then it works fine; it then will do the lookup in the routing table for the IP address you try to monitor.