- Fortinet Forum
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- Customer Service
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: ECMP – Load balancing algorithms fo...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Email to a Friend
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes how to modify the ECMP load balancing algorithms for both IPv4 and IPv6.
Solution
This article describes how to modify the ECMP load balancing algorithms for both IPv4 and IPv6.
Solution
Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways.
Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.
ECMP pre-requisites are as follows.
- Routes must have the same destination and costs. In the case of static routes, costs include distance and priority
- Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP
By default, both IPv4 and IPv6 uses source-IP-based algorithm for ECMP. Please note that ECMP settings can be modified on a per-VDOM basis.
# config system settingsset v4-ecmp-modesource-ip-based <----- Select next hop based on source IP.weight-based <----- Select next hop based on weight.usage-based <----- Select next hop based on usage.source-dest-ip-based <----- Select next hop based on both source and destination IPs.
This can be verified using the following command:
# diagnose sys vd listsystem fib version=37list virtual firewall info:------Truncated output ------name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0ecmp=source-ip-based, ecpm6=source-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=5 ses6_num=1 pkt_num=1158894tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=1fw_session_hairpin=no keep-PRP-trailer=0ipv4_rate=0, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0mode=standalone ha_state=work prio=0 vid=0vf_count=5 vfe_count=17
To change the algorithm for IPv6, use the config system virtual-wan-link/config system sdwan on as per VDOM basis. The option selected here will apply to both IPv4 and IPv6.
# config system virtual-wan-link OR config system sdwanset status enable(virtual-wan-link) set load-balance-modesource-ip-based <----- Source IP load balancing. All traffic from a source IP is sent to the same interface.weight-based <----- Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.usage-based <----- Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.source-dest-ip-based <----- Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.measured-volume-based <----- Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.(virtual-wan-link) set load-balance-mode source-dest-ip-based(virtual-wan-link) end
Verify using following command:
(global) # diagnose sys vd listsystem fib version=37list virtual firewall info:------Truncated output ------name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0ecmp=source-dest-ip-based, ecpm6=source-dest-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=7 ses6_num=1 pkt_num=1161223tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=0fw_session_hairpin=no keep-PRP-trailer=0ipv4_rate=1, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0mode=standalone ha_state=work prio=0 vid=0Related document.vf_count=5 vfe_count=17
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/25967/equal-cost-multi-pathRelated Articles
Technical Tip: Equal cost multi-path (ECMP) - Maximum number of paths and routing issues
Labels:
News & Articles
Security Research
Company
- Copyright 2021 Fortinet, Inc. All Rights Reserved.
- Terms of Service
- Privacy Policy
- GDPR