Allowing VRRP, HSRP, and STP Through Transparent-Mode FortiGate

This post records validation results for passing control traffic through a FortiGate deployed in transparent mode. The focus is on VRRP, HSRP, and STP/BPDU behavior.

The purpose of this test is not to repeat vendor documentation, but to confirm actual behavior with real devices and real command outputs.


Scope of Validation

  • VRRP forwarding
  • HSRP forwarding
  • STP/BPDU forwarding
  • Effect of set stpforward enable

VRRP Verification (Cisco)

Two Cisco routers were connected with a transparent-mode FortiGate inserted between them.

Router#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/5              1   100 3609       Y  Backup  192.168.84.2    192.168.84.254
Router#

The router remained in Backup state, confirming that the Master was detected.


HSRP Verification (Cisco)

Router#show standby brief
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/5       1    100   Standby 192.168.84.1    local           192.168.84.254
Router#

The router remained in Standby state, confirming that the Active router was detected.


VRRP Verification (NEC IX)

Two NEC IX routers were connected with a transparent-mode FortiGate inserted between them. VRRP operated normally.


STP/BPDU Behavior

Layer 2 switches were tested with a transparent-mode FortiGate inserted between them.

Topology

  • Cisco Catalyst 2960
  • Aruba 2530

Result (via FortiGate)

Switch#show spanning-tree | i root
This bridge is the root
HP-2530# show spanning-tree | i root
This switch is root

Both switches identified themselves as root, indicating that BPDUs were not being exchanged between them.


Direct Connection Check

When the switches were directly connected, STP operated normally.

This confirms that the FortiGate blocked BPDUs in its default configuration.


Configuration Change

config system interface
edit <interface-name>
set stpforward enable
next
end

After enabling this setting, STP communication became functional.


Conclusion

  • VRRP passes through transparent FortiGate
  • HSRP passes through transparent FortiGate
  • STP is blocked by default
  • stpforward is required for BPDU forwarding

If BPDU forwarding is not enabled, multiple root bridges may form, leading to an unstable Layer 2 topology.
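
Added example (not part of the original test, and not vendor code): a Python check that reads the command outputs shown in this post and flags the two failure modes they reveal, namely more than one switch claiming STP root and more than one router claiming VRRP Master or HSRP Active. The hostnames used as dictionary keys are assumptions.

```python
import re

# Captures reused from this post; the dictionary keys are made-up hostnames.
VRRP_R2 = """Router#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/5              1   100 3609       Y  Backup  192.168.84.2    192.168.84.254"""
HSRP_R2 = """Router#show standby brief
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/5       1    100   Standby 192.168.84.1    local           192.168.84.254"""
STP = {"cat2960": "This bridge is the root", "aruba2530": "This switch is root"}

ROOT_RE = re.compile(r"this (bridge|switch) is (the )?root", re.I)

def fhrp_rows(text, kind):
    """Parse 'show vrrp brief' (kind='vrrp') or 'show standby brief' rows.
    The Own/Pre/P flag columns may be blank, so fields are read from the
    right-hand end of each row rather than by fixed position."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Interface" or "#" in f[0]:
            continue  # header, prompt or blank line
        state = f[-3] if kind == "vrrp" else f[-4]
        rows.append({"intf": f[0], "group": f[1], "state": state, "vip": f[-1]})
    return rows

def split_brain(rows_by_router, top_state):
    """Groups where more than one router claims top_state ('Master' for VRRP,
    'Active' for HSRP), i.e. hellos are not crossing the FortiGate."""
    claims = {}
    for router, rows in rows_by_router.items():
        for r in rows:
            if r["state"] == top_state:
                claims.setdefault((r["group"], r["vip"]), []).append(router)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}

def root_claimants(stp_by_switch):
    """Switches whose 'show spanning-tree | i root' output claims root.
    More than one in the same Layer 2 domain means BPDUs are not exchanged."""
    return sorted(s for s, out in stp_by_switch.items() if ROOT_RE.search(out))

if __name__ == "__main__":
    print("VRRP:", fhrp_rows(VRRP_R2, "vrrp"))
    print("HSRP:", fhrp_rows(HSRP_R2, "hsrp"))
    roots = root_claimants(STP)
    print("root claimants:", roots, "-> BPDUs blocked" if len(roots) > 1 else "-> ok")
```

Feed it the captures from the devices on both sides of the FortiGate; an empty split_brain result and a single root claimant match the working state described above.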


This case is part of our Validation Evidence.
