Equal cost multi-path
Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.
ECMP pre-requisites are as follows:
- Routes must have the same destination and costs. In the case of static routes, costs include distance and priority
- Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP
ECMP and SD-WAN implicit rule
ECMP and SD-WAN implicit rule are essentially similar in the sense that an SD-WAN implicit rule is processed after SD-WAN service rules are processed. See Implicit rule to learn more.
The following table summarizes the different load-balancing algorithms supported by each:
ECMP |
SD-WAN |
Description |
|
---|---|---|---|
GUI |
CLI |
||
source-ip-based |
Source IP |
source-ip-based |
Traffic is divided equally between the interfaces. Sessions that start at the same source IP address use the same path. This is the default selection. |
weight-based |
Sessions |
weight-based |
The workload is distributed based on the number of sessions that are connected through the interface. The weight that you assign to each interface is used to calculate the percentage of the total sessions allowed to connect through an interface, and the sessions are distributed to the interfaces accordingly. |
usage-based |
Spillover |
usage-based |
The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that interface. Additional traffic is then sent through the next interface member. |
source-dest-ip-based |
Source-Destination IP |
source-dest-ip-based |
Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the same destination IP address use the same path. |
Not supported |
Volume |
measured-volume-based |
This mode is supported in SD-WAN only. The workload is distributed based on the number of packets that are going through the interface. |
To configure the ECMP algorithm from the CLI:
-
At the VDOM-level:
config system settings set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based} end
-
If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:
config system sdwan set status enable set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based} end
For ECMP in IPv6, the mode must also be configured under SD-WAN:
# diagnose sys vd list system fib version=63 list virtual firewall info: name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0 ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477
To change the number of paths allowed by ECMP:
config system settings set ecmp-max-paths <number of paths> end
Setting |
ECMP configuration examples
The following examples demonstrate the behavior of ECMP in different scenarios:
- Example 1: Default ECMP
- Example 2: Same distance, different priority
- Example 3: Weight-based ECMP
- Example 4: Load-balancing BGP routes
Example 1: Default ECMP
config router static edit 1 set gateway 172.16.151.1 set device "port1" next edit 2 set gateway 192.168.2.1 set device "port2" next end
# get router info routing-table all Routing table for VRF=0 S* 0.0.0.0/0 [10/0] via 172.16.151.1, port1 [10/0] via 192.168.2.1, port2 C 172.16.151.0/24 is directly connected, port1 C 192.168.2.0/24 is directly connected, port2
Result:
Both routes are added to the routing table and load-balanced based on the source IP.
Example 2: Same distance, different priority
config router static edit 1 set gateway 172.16.151.1 set priority 5 set device "port1" next edit 2 set gateway 192.168.2.1 set device "port2" next end
# get router info routing-table all Routing table for VRF=0 S* 0.0.0.0/0 [10/0] via 192.168.2.1, port2 [10/0] via 172.16.151.1, port1, [5/0] C 172.16.151.0/24 is directly connected, port1 C 192.168.2.0/24 is directly connected, port2
Result:
Both routes are added to the routing table, but traffic is routed to port2
which has a lower priority value with a default of 0
.
Example 3: Weight-based ECMP
config router static edit 3 set dst 10.10.30.0 255.255.255.0 set weight 80 set device "vpn2HQ1" next edit 5 set dst 10.10.30.0 255.255.255.0 set weight 20 set device "vpn2HQ2" next end
# get router info routing-table all Routing table for VRF=0 ... S 10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80] [10/0] is directly connected, vpn2HQ2, [0/20] C 172.16.151.0/24 is directly connected, port1 C 192.168.0.0/24 is directly connected, port3 C 192.168.2.0/24 is directly connected, port2
Result:
Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24
are routed to vpn2HQ1
, and 20% are routed to vpn2HQ2
.
Example 4: Load-balancing BGP routes
config router bgp set as 64511 set router-id 192.168.2.86 set ebgp-multipath enable config neighbor edit "192.168.2.84" set remote-as 64512 next edit "192.168.2.87" set remote-as 64512 next end end # get router info routing-table all Routing table for VRF=0 ... C 172.16.151.0/24 is directly connected, port1 C 192.168.0.0/24 is directly connected, port3 C 192.168.2.0/24 is directly connected, port2 B 192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33 [20/0] via 192.168.2.87, port2, 00:00:33
Result:
The network 192.168.80.0/24
is advertised by two BGP neighbors. Both routes are added to the routing table, and traffic is load-balanced based on Source IP.
For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath
for eBGP or ibgp-multipath
for iBGP. These settings are disabled by default.