Technical Tip: Route Selection Process for Self-Generated Traffic in Relation to VRFs

Route Selection Behavior: 

When a FortiGate includes multiple paths to reach a specific destination IP address via different VRFs, it follows a defined selection process. The device will always choose the route associated with the lowest VRF number. 

Example Scenario:

To illustrate this behavior, consider the following example where the FortiGate needs to reach the DNS server IP address '8.8.8.8'. The routing tables indicate that there are two available paths:

1. Through port1 with VRF 11.
2. Through port2 with VRF 30.

In this case, the FortiGate will select the route via 'Port1' (VRF 11) since it has the lower VRF number.

Routing Table Output:

The following command can be used to check the routing details for the destination IP address:

get router info routing-table details 8.8.8.8 <- The output will display the routing entries for both VRFs.

Routing table for VRF=11
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 11 10.5.63.254, via port1

Routing table for VRF=30
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 30 10.5.31.254, via port2

Packet Sniffer Output:

To observe the traffic flow, The sniffer command mentioned below can be used. (The command output confirms that the FortiGate is indeed routing traffic through the selected interface (port1)):

di sniffer packet any "host 8.8.8.8 and port 53" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and port 53]
5.175623 port1 out 10.5.63.82.1510 -> 8.8.8.8.53: udp 29
5.189339 port1 in 8.8.8.8.53 -> 10.5.63.82.1510: udp 45

Note:

V7.6.1 and above support the option to select 'vrf id' for local-out traffic.

Example:

config system DNS

    set vrf-select 30

end