Fortinet black logo

Cookbook

Equal cost multi-path

Copy Link
Copy Doc ID 664e9f16-22ad-11eb-96b9-00505692583a:25967
Download PDF

Equal cost multi-path

Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.

ECMP pre-requisites are as follows:

  • Routes must have the same destination and costs. In the case of static routes, costs include distance and priority
  • Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP
ECMP and SD-WAN implicit rule

ECMP and SD-WAN implicit rule are essentially similar in the sense that an SD-WAN implicit rule is processed after SD-WAN service rules are processed. See Implicit rule to learn more.

The following table summarizes the different load-balancing algorithms supported by each:

ECMP

SD-WAN

Description

(GUI)

(CLI)

source-ip-based

Source IP

source-ip-based

Traffic is divided equally between the interfaces. Sessions that start at the same source IP address use the same path.

This is the default selection.

weight-based

Sessions

weight-based

The workload is distributed based on the number of sessions that are connected through the interface.

The weight that you assign to each interface is used to calculate the percentage of the total sessions allowed to connect through an interface, and the sessions are distributed to the interfaces accordingly.

usage-based

Spillover

usage-based

The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that interface. Additional traffic is then sent through the next interface member.

source-dest-ip-based

Source-Destination IP

source-dest-ip-based

Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the same destination IP address use the same path.

Not supported

Volume

measured-volume-based

This mode is supported in SD-WAN only.

The workload is distributed based on the number of packets that are going through the interface.

To configure the ECMP algorithm from the CLI:
  • At the VDOM-level:

    config system settings

    set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}

    end

  • If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:

    config system sdwan

    set sdwan enable

    set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}

    end

For ECMP in IPv6, the mode must also be configured under SD-WAN.

# diagnose sys vd list

system fib version=63

list virtual firewall info:

name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0

ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477

To change the number of paths allowed by ECMP:

config system settings

set ecmp-max-paths <number of paths>

end

Note

Setting ecmp-max-paths to the lowest value of 1 is equivalent to disabling ECMP.

ECMP configuration examples

The following examples demonstrate the behavior of ECMP in different scenarios:

Example 1: Default ECMP

config router static

edit 1

set gateway 172.16.151.1

set device "port1"

next

edit 2

set gateway 192.168.2.1

set device "port2"

next

end

# get router info routing-table all

Routing table for VRF=0

S* 0.0.0.0/0 [10/0] via 172.16.151.1, port1

[10/0] via 192.168.2.1, port2

C 172.16.151.0/24 is directly connected, port1

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table and load-balanced based on the source IP.

Example 2: Same distance, different priority

config router static

edit 1

set gateway 172.16.151.1

set priority 5

set device "port1"

next

edit 2

set gateway 192.168.2.1

set device "port2"

next

end

# get router info routing-table all

Routing table for VRF=0

S* 0.0.0.0/0 [10/0] via 192.168.2.1, port2

[10/0] via 172.16.151.1, port1, [5/0]

C 172.16.151.0/24 is directly connected, port1

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but traffic is routed to port2 which has a lower priority value with a default of 0.

Example 3: Weight-based ECMP

config router static

edit 3

set dst 10.10.30.0 255.255.255.0

set weight 80

set device "vpn2HQ1"

next

edit 5

set dst 10.10.30.0 255.255.255.0

set weight 20

set device "vpn2HQ2"

next

end

# get router info routing-table all

Routing table for VRF=0

...

S 10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80]

[10/0] is directly connected, vpn2HQ2, [0/20]

C 172.16.151.0/24 is directly connected, port1

C 192.168.0.0/24 is directly connected, port3

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24 are routed to vpn2HQ1, and 20% are routed to vpn2HQ2.

Example 4: Load-balancing BGP routes

config router bgp

set as 64511

set router-id 192.168.2.86

set ebgp-multipath enable

config neighbor

edit "192.168.2.84"

set remote-as 64512

next

edit "192.168.2.87"

set remote-as 64512

next

end

end

# get router info routing-table all

Routing table for VRF=0

...

C 172.16.151.0/24 is directly connected, port1

C 192.168.0.0/24 is directly connected, port3

C 192.168.2.0/24 is directly connected, port2

B 192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33

[20/0] via 192.168.2.87, port2, 00:00:33

Result:

The network 192.168.80.0/24 is advertised by two BGP neighbors. Both routes are added to the routing table, and traffic is load-balanced based on Source IP.

For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath for eBGP or ibgp-multipath for iBGP. These settings are disabled by default.

Equal cost multi-path

Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.

ECMP pre-requisites are as follows:

  • Routes must have the same destination and costs. In the case of static routes, costs include distance and priority
  • Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP
ECMP and SD-WAN implicit rule

ECMP and SD-WAN implicit rule are essentially similar in the sense that an SD-WAN implicit rule is processed after SD-WAN service rules are processed. See Implicit rule to learn more.

The following table summarizes the different load-balancing algorithms supported by each:

ECMP

SD-WAN

Description

(GUI)

(CLI)

source-ip-based

Source IP

source-ip-based

Traffic is divided equally between the interfaces. Sessions that start at the same source IP address use the same path.

This is the default selection.

weight-based

Sessions

weight-based

The workload is distributed based on the number of sessions that are connected through the interface.

The weight that you assign to each interface is used to calculate the percentage of the total sessions allowed to connect through an interface, and the sessions are distributed to the interfaces accordingly.

usage-based

Spillover

usage-based

The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that interface. Additional traffic is then sent through the next interface member.

source-dest-ip-based

Source-Destination IP

source-dest-ip-based

Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the same destination IP address use the same path.

Not supported

Volume

measured-volume-based

This mode is supported in SD-WAN only.

The workload is distributed based on the number of packets that are going through the interface.

To configure the ECMP algorithm from the CLI:
  • At the VDOM-level:

    config system settings

    set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}

    end

  • If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:

    config system sdwan

    set sdwan enable

    set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}

    end

For ECMP in IPv6, the mode must also be configured under SD-WAN.

# diagnose sys vd list

system fib version=63

list virtual firewall info:

name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0

ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477

To change the number of paths allowed by ECMP:

config system settings

set ecmp-max-paths <number of paths>

end

Note

Setting ecmp-max-paths to the lowest value of 1 is equivalent to disabling ECMP.

ECMP configuration examples

The following examples demonstrate the behavior of ECMP in different scenarios:

Example 1: Default ECMP

config router static

edit 1

set gateway 172.16.151.1

set device "port1"

next

edit 2

set gateway 192.168.2.1

set device "port2"

next

end

# get router info routing-table all

Routing table for VRF=0

S* 0.0.0.0/0 [10/0] via 172.16.151.1, port1

[10/0] via 192.168.2.1, port2

C 172.16.151.0/24 is directly connected, port1

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table and load-balanced based on the source IP.

Example 2: Same distance, different priority

config router static

edit 1

set gateway 172.16.151.1

set priority 5

set device "port1"

next

edit 2

set gateway 192.168.2.1

set device "port2"

next

end

# get router info routing-table all

Routing table for VRF=0

S* 0.0.0.0/0 [10/0] via 192.168.2.1, port2

[10/0] via 172.16.151.1, port1, [5/0]

C 172.16.151.0/24 is directly connected, port1

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but traffic is routed to port2 which has a lower priority value with a default of 0.

Example 3: Weight-based ECMP

config router static

edit 3

set dst 10.10.30.0 255.255.255.0

set weight 80

set device "vpn2HQ1"

next

edit 5

set dst 10.10.30.0 255.255.255.0

set weight 20

set device "vpn2HQ2"

next

end

# get router info routing-table all

Routing table for VRF=0

...

S 10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80]

[10/0] is directly connected, vpn2HQ2, [0/20]

C 172.16.151.0/24 is directly connected, port1

C 192.168.0.0/24 is directly connected, port3

C 192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24 are routed to vpn2HQ1, and 20% are routed to vpn2HQ2.

Example 4: Load-balancing BGP routes

config router bgp

set as 64511

set router-id 192.168.2.86

set ebgp-multipath enable

config neighbor

edit "192.168.2.84"

set remote-as 64512

next

edit "192.168.2.87"

set remote-as 64512

next

end

end

# get router info routing-table all

Routing table for VRF=0

...

C 172.16.151.0/24 is directly connected, port1

C 192.168.0.0/24 is directly connected, port3

C 192.168.2.0/24 is directly connected, port2

B 192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33

[20/0] via 192.168.2.87, port2, 00:00:33

Result:

The network 192.168.80.0/24 is advertised by two BGP neighbors. Both routes are added to the routing table, and traffic is load-balanced based on Source IP.

For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath for eBGP or ibgp-multipath for iBGP. These settings are disabled by default.