Handbook

VRRP groups

6.0.0

If you have added VRRP routers to multiple interfaces of the same FortiGate, each of those routers will be in a different VRRP domain. If one of these routers switches to backup (for example, if it can't connect to its destination), you might want all of the routers on this FortiGate to also switch to backup. In other words, if one of the VRRP routers added to a FortiGate fails, you might want all of the VRRP routers added to the FortiGate to also fail.

However, VRRP can only check the status of the routers in a single VRRP domain and can't track the status of routers in other domains. So, if you have multiple VRRP domains on a single FortiGate, one of them can switch to backup but the others can remain operating normally.

VRRP groups allow you to avoid this problem. You can add all of the VRRP virtual routers on the same FortiGate to a VRRP group. If one of the virtual routers in a VRRP group switches to backup, the VRRP group forces all of the other virtual routers in the same group to also switch to backup. So all VRRP traffic being processed by the FortiGate fails over to other devices in your network.

Note

The status of the virtual routers in a VRRP group can only change when one or more of the virtual routers in the group changes status. You cannot use a VRRP group to manually change the status of the virtual routers in the group.

Use the following command to add two VRRP routers to a VRRP group with a group ID of 10. The VRRP group ID can be between 1 and 65535.

config system interface
    edit port10
        config vrrp
            edit 200
                set vrip 10.31.101.200
                set priority 255
                set vrpgrp 10
            next
        end
    next
    edit port20
        config vrrp
            edit 100
                set vrip 10.23.1.223
                set priority 20
                set vrpgrp 10
            next
        end
    next
end

Use the following command to add two IPv6 VRRP routers to a VRRP group with a group ID of 90. The VRRP group ID can be between 1 and 65535.

config system interface
    edit port11
        config ipv6
            set vrip6_link_local <link-local-ipv6-address>
            config vrrp6
                edit 220
                    set vrip 2001:db8:1::12
                    set priority 255
                    set vrpgrp 90
                next
            end
        end
    next
    edit port12
        config ipv6
            set vrip6_link_local <link-local-ipv6-address>
            config vrrp6
                edit 220
                    set vrip 2001:db8:1::14
                    set priority 100
                    set vrpgrp 90
                next
            end
        end
    next
end
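The following check is an added example, not Fortinet's code: it parses a config system interface block and lists the VRRP routers (IPv4 or IPv6) that have no group set, which are the routers that would keep operating normally when another router on the same FortiGate switches to backup. It assumes well-formed next/end nesting and the group option name as written on this page; the sample configuration is constructed.

```python
GROUP_OPTION = "vrpgrp"  # option name as written on this page
TABLES = (("config", "vrrp"), ("config", "vrrp6"))

# Constructed sample: port20's router is left out of group 10.
SAMPLE = """\
config system interface
    edit port10
        config vrrp
            edit 200
                set vrip 10.31.101.200
                set vrpgrp 10
            next
        end
    next
    edit port20
        config vrrp
            edit 100
                set vrip 10.23.1.223
            next
        end
    next
end
"""

def _router(stack):
    """(interface, table, vrid) if the innermost context is a VRRP entry."""
    if len(stack) >= 4 and stack[-1][0] == "edit" and stack[-2] in TABLES:
        return (stack[1][1], stack[-2][1], stack[-1][1])

def vrrp_routers(config_text):
    """Map each VRRP router to its group ID, or None when no group is set."""
    stack, routers = [], {}
    for words in filter(None, map(str.split, config_text.splitlines())):
        if words[0] in ("config", "edit"):
            stack.append((words[0], " ".join(words[1:])))
            if _router(stack):
                routers.setdefault(_router(stack), None)
        elif words[0] in ("next", "end"):  # next closes an edit, end a config table
            closes = "edit" if words[0] == "next" else "config"
            while stack.pop()[0] != closes:
                pass
        elif words[:2] == ["set", GROUP_OPTION] and _router(stack):
            routers[_router(stack)] = int(words[2])
    return routers

def ungrouped(config_text):
    """Routers that would not follow another router on the unit to backup."""
    return sorted(k for k, g in vrrp_routers(config_text).items() if g is None)
```

For the sample, ungrouped(SAMPLE) reports the router with VRID 100 on port20.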
