VRRP Compliance – Is Fortigate Implementation of VRRP RFC Compliant?

Tags: fhrp, protocol-theory, rfc, vrrp

By looking at RFC 3768, section 5.3.9 seems to indicate that indeed you should be able to configure more than one virtual IP in a single instance:

5.3.9.  IP Address(es)

   One or more IP addresses that are associated with the virtual router.
   The number of addresses included is specified in the "Count IP Addrs"
   field.  These fields are used for troubleshooting misconfigured
   routers.

What would you call a manufacturer that allows you to define secondary IPs on an interface/VLAN, but not in a VRRP instance on that interface? Instead, they say you should just create another instance. While that would work, interoperability with other gear may be at stake.

We're talking about Fortinet, and all I ever hear from them is "our gear just works that way".

Best Answer

It's hard to say exactly what the question is.

Maybe you should rephrase it, with something like:

"Is Fortinet's implementation of VRRP RFC-compliant?"

The fact is that RFC 3768 is obsoleted by RFC 5798, where it is stated in section 3:

VRRP specifies an election protocol to provide the virtual router function described earlier. All protocol messaging is performed using either IPv4 or IPv6 multicast datagrams; thus, the protocol can operate over a variety of multiaccess LAN technologies supporting IPvX multicast. Each link of a VRRP virtual router has a single well-known MAC address allocated to it. This document currently only details the mapping to networks using the IEEE 802 48-bit MAC address. The virtual router MAC address is used as the source in all periodic VRRP messages sent by the Master router to enable bridge learning in an extended LAN.

A virtual router is defined by its virtual router identifier (VRID) and a set of either IPv4 or IPv6 address(es). A VRRP router may associate a virtual router with its real address on an interface. The scope of each virtual router is restricted to a single LAN. A VRRP router may be configured with additional virtual router mappings and priority for virtual routers it is willing to back up. The mapping between the VRID and its IPvX address(es) must be coordinated among all VRRP routers on a LAN.

There is no restriction against reusing a VRID with a different address mapping on different LANs, nor is there a restriction against using the same VRID number for a set of IPv4 addresses and a set of IPv6 addresses; however, these are two different virtual routers.

Following your comment I went through the entire RFC, and you're right that it always mentions "a set of IP addresses". It even speaks about the "primary address" in a set.

So it's quite clear that the authors intended the protocol to support multiple IPs per VRID.

However, nowhere in the RFC is something like "the router MUST support a set of X IP addresses for a given VRID" mentioned:

5.2.5. Count IPvX Addr

This is the number of either IPv4 addresses or IPv6 addresses contained in this VRRP advertisement. The minimum value is 1.

So I would say that, despite the fact that the RFC clearly speaks about a "set" of IP addresses, it unfortunately lacks a "MUST" statement to force vendors to implement it.

I guess we have to conclude that, regarding this specific point, Fortinet's implementation is RFC-compliant (but I would say it is really borderline).
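To make the "set of IP addresses" point concrete on the wire, here is an added example (not part of the question or the answer, and not Fortinet code) that builds and parses a VRRPv2 advertisement as laid out in RFC 3768: the "Count IP Addrs" field followed by that many IPv4 addresses in one message for one VRID. The parser enforces the minimum count of 1 from the RFC, verifies the one's complement checksum, and compares the advertised address set against a locally configured set, which is the "troubleshooting misconfigured routers" use the RFC describes. The VRID, priority and 192.0.2.0/24 addresses are constructed sample values.

```python
import struct
import ipaddress

VRRP_VERSION = 2          # RFC 3768 packets carry version 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_DATA_LEN = 8         # two 32-bit authentication words (unused, zero)


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of data.

    RFC 3768 computes the checksum over the entire VRRP message starting
    at the version field, with the checksum field itself set to zero.
    Over a correctly checksummed message the result folds to 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = 1) -> bytes:
    """Encode one VRRPv2 advertisement carrying all given IPv4 addresses."""
    addr_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    # Version/Type, VRID, Priority, Count IP Addrs, Auth Type, Adver Int, Checksum
    header = struct.pack(
        "!BBBBBBH",
        (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
        vrid, priority, len(addresses), 0, adver_int, 0,
    )
    body = header + addr_bytes + bytes(AUTH_DATA_LEN)
    csum = ones_complement_checksum(body)
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advertisement(packet: bytes) -> dict:
    """Decode a VRRPv2 advertisement, rejecting malformed messages."""
    if len(packet) < 8 + AUTH_DATA_LEN:
        raise ValueError("packet too short for a VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", packet[:8])
    version, ptype = vt >> 4, vt & 0x0F
    if version != VRRP_VERSION or ptype != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError(f"unexpected version/type {version}/{ptype}")
    if count < 1:
        raise ValueError("Count IP Addrs minimum value is 1 (RFC 3768 5.3.6)")
    expected_len = 8 + 4 * count + AUTH_DATA_LEN
    if len(packet) != expected_len:
        raise ValueError(f"length {len(packet)} does not match Count IP Addrs {count}")
    if ones_complement_checksum(packet) != 0:
        raise ValueError("bad checksum")
    addresses = [
        str(ipaddress.IPv4Address(packet[8 + 4 * i: 12 + 4 * i])) for i in range(count)
    ]
    return {
        "vrid": vrid,
        "priority": priority,
        "count": count,
        "adver_int": adver_int,
        "auth_type": auth_type,
        "addresses": addresses,
    }


def address_set_mismatch(parsed: dict, configured_addresses) -> dict:
    """Compare the advertised set against this router's configured set.

    A non-empty result is the misconfiguration the RFC says these fields
    help troubleshoot: two routers disagreeing on the VRID's address set.
    """
    advertised = set(parsed["addresses"])
    configured = {str(ipaddress.IPv4Address(a)) for a in configured_addresses}
    return {
        "only_advertised": sorted(advertised - configured),
        "only_configured": sorted(configured - advertised),
    }


if __name__ == "__main__":
    # Constructed sample: VRID 10, priority 100, two virtual IPs in one instance.
    pkt = build_advertisement(10, 100, ["192.0.2.1", "192.0.2.2"])
    adv = parse_advertisement(pkt)
    print(adv)
    # A peer configured with a single virtual IP for the same VRID sees a mismatch.
    print(address_set_mismatch(adv, ["192.0.2.1"]))
```

Running the block shows two addresses decoded from a single advertisement, and a peer holding only one of them reported as "only_advertised". Whether a given vendor will emit or accept such a packet is exactly the interoperability question raised above; the format itself places no upper bound on the count other than the 8-bit field.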