FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
emmanouilg
Staff
Article Id 213369
Description: This article describes the behavior of FortiGate when a route is known by two different protocols.
Scope: FortiGate.
Solution

When the same route is known from different sources (dynamic protocols, static), only one protocol's route is installed in the routing table, even if Equal Cost Multi-Path (ECMP) is enabled.

If a route is learned from two protocols with the same distance and metric, the route that is installed is the one most recently updated in the kernel.

 

In the example below, a static route to 2.2.2.2/32 was configured with an Administrative Distance of 200, the same as the iBGP distance of 200. Only the static route was installed in the routing table.

 

universe-esx55 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, port1
S 2.2.2.2/32 [200/0] is directly connected, port2
C 10.109.16.0/20 is directly connected, port1
C 10.119.0.0/20 is directly connected, port2


universe-esx55 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 10.109.31.254, port1
S *> 2.2.2.2/32 [200/0] is directly connected, port2
B 2.2.2.2/32 [200/0] via 10.119.1.24, port2, 00:01:44
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.119.0.0/20 is directly connected, port2


universe-esx55 # show router static 2
config router static
    edit 2
        set dst 2.2.2.2 255.255.255.255
        set distance 200
        set device "port2"
    next
end
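
The tie described above can be found offline in saved "get router info routing-table database" output. The Python below is an added example, not part of the original article or any Fortinet tooling: parse_database and find_ties are hypothetical helper names, the sample is constructed from the output shown above, and the parser assumes the single-line entry layout seen there.

```python
import re
from collections import defaultdict

# Constructed sample: the "routing-table database" entries shown in the article.
SAMPLE = """\
Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 10.109.31.254, port1
S *> 2.2.2.2/32 [200/0] is directly connected, port2
B 2.2.2.2/32 [200/0] via 10.119.1.24, port2, 00:01:44
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.119.0.0/20 is directly connected, port2
"""

# First "a.b.c.d/len" on a line is the prefix; "[distance/metric]" may follow it.
PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(?:\s+\[(\d+)/(\d+)\])?")


def parse_database(text):
    """Map prefix -> list of (protocol_code, (distance, metric), selected)."""
    routes = defaultdict(list)
    for line in text.splitlines():
        m = PREFIX_RE.search(line)
        if not m or not line[:1].isalpha():
            continue  # legend, VRF header, blank or continuation line
        head = line[:m.start()]  # e.g. "S *> " or "B "
        code = head.split()[0]
        # Connected routes print no [distance/metric]; treat them as 0/0.
        key = (int(m.group(2) or 0), int(m.group(3) or 0))
        routes[m.group(1)].append((code, key, ">" in head))
    return routes


def find_ties(text):
    """Prefixes whose best distance/metric is shared by more than one protocol."""
    ties = {}
    for prefix, entries in parse_database(text).items():
        best = min(key for _, key, _ in entries)
        tied = [e for e in entries if e[1] == best]
        # Same-protocol duplicates (ECMP candidates) are not a cross-protocol tie.
        if len({code for code, _, _ in tied}) > 1:
            ties[prefix] = {
                "distance": best[0],
                "metric": best[1],
                "selected": sorted(c for c, _, sel in tied if sel),
                "not_selected": sorted(c for c, _, sel in tied if not sel),
            }
    return ties


if __name__ == "__main__":
    for prefix, info in find_ties(SAMPLE).items():
        print(prefix, info)
```

Any prefix it reports is one where the installed route depends on update order, so giving one of the two sources a distinct distance makes the selection deterministic.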

 

By default, ECMP is enabled. If the route 2.2.2.2/32 is learned by two different static route entries with the same distance, then both will be installed in the routing table. A maximum of 255 paths can be installed for a particular destination.

 

universe-esx55 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, port1
S 2.2.2.2/32 [10/0] is directly connected, port2
                       [10/0] is directly connected, port3
C 10.109.16.0/20 is directly connected, port1
C 10.119.0.0/20 is directly connected, port2

 

To disable ECMP and enforce a maximum of one route per prefix, set ecmp-max-paths to 1. 

 

config system setting
    set ecmp-max-paths 1
end

 

It is recommended to leave ECMP enabled in most environments. See Administration Guide: Equal Cost Multi Path (v7.6.2).