In this topology, FortiSwitch AGG-N2B has 60 VLAN interfaces that need to be redistributed to FortiSwitch CORE_B. Conversely, FortiSwitch CORE_B has 3 VLAN interfaces that must be redistributed to FortiSwitch AGG-N2B.

To maximize throughput, both uplinks between FortiSwitch AGG-N2B and FortiSwitch CORE_B are utilized, aiming to achieve 200 Gbps. This requires ECMP routing to be enabled on both FortiSwitch devices.

Network Topology:

• FortiSwitch CORE_B acts as an ABR (Area Border Router) because it connects to Area 0.
• FortiSwitch AGG-N2B is an internal router within the NSSA area.
• All FortiSwitch in the NSSA generates LSA Type 7 updates.
• The FortiSwitch ABR uses 0.0.0.0 as the NSSA Forwarding Address, whereas internal routers use an IP from the point-to-point links (e.g., AGG-N2B uses 192.168.12.2 or 192.168.13.2).
• The FortiSwitch AGG-N2B receives LSA Type 7 updates from FortiSwitch CORE_B with Forwarding Address 0.0.0.0, and based on its OSPF table, reaches advertised prefixes via 192.168.21.6 and 192.168.23.6, which in turn are accessed through 192.168.12.3 and 192.168.13.4.

Figure 1. FortiSwitch CORE_B - LSA type 7 showing prefix 10.10.253.0/24

Figure 2. FortiSwitch AGG-N2B OSPF - external routing table (get router info ospf route)

FortiSwitch AGG-N2B successfully installs ECMP routes to FortiSwitch CORE_B prefixes. However, the reverse is not true.

When FortiSwitch AGG-N2B advertises its prefixes via LSA Type 7, it sets the NSSA Forwarding Address to either 192.168.12.2 or 192.168.13.2, depending on the route. This causes FortiSwitch CORE_B to only install a single path to FortiSwitch AGG-N2B prefixes, thus disabling ECMP.

Figure 3. FortiSwitch AGG-N2B - LSA type 7 showing prefix 10.10.1.0/24

Figure 4. FortiSwitch CORE_B OSPF - external routing table (get router info ospf route)

FortiSwitch CORE_B has reached all prefixes connected to FortiSwitch AGG-N2B by only the IP 192.168.21.3, and ECMP routes have not been installed.

To resolve this, configure a loopback interface and advertise it as the NSSA Forwarding Address. Follow the steps below:

Create a loopback interface in all FortiSwitch (FortiSwitch: AGG-N2B):

config system interface

    edit "loopback2"

        set ip 192.168.254.2 255.255.255.255

        set allowaccess ping

        set type loopback

    next

end

Configure OSPF (FortiSwitch: AGG-N2B):

config router ospf

    set router-id 192.168.254.2

    config area

        edit 1.0.0.1

            set type nssa

        next

    end

    config interface

        edit "port49"

        next

        edit "port50"

        next

        edit "loopback2"

        next

    end

    config network

        edit 1 <----- Prioritize loopback.

            set area 1.0.0.1

            set prefix 192.168.254.2 255.255.255.255

        next

        edit 2

            set area 1.0.0.1

            set prefix 192.168.13.0 255.255.255.0

        next

        edit 3

            set area 1.0.0.1

            set prefix 192.168.12.0 255.255.255.0

        next

    end

    config redistribute "connected"

        set status enable

    end

end

Monitoring and Validation:

Figure 5. FortiSwitch AGG-N2B - LSA type 7 showing prefix 10.10.1.0/24 (Forwarding Address is loopback IP)

The loopback IP (192.168.254.2) is used as the Forwarding Address and is reachable via both uplinks (192.168.12.2 and 192.168.13.2). As a result, FortiSwitch CORE_B correctly installs ECMP routes to FortiSwitch AGG-N2B prefixes.

Figure 6. FortiSwitch CORE_B OSPF - external routing table (get router info ospf route)

Conclusion:
Using a loopback interface as the Forwarding Address in NSSA OSPF configurations allows ECMP routing to function as expected between FortiSwitches. Ensure that the loopback is configured and prioritized appropriately in the OSPF configuration to enable balanced routing and full utilization of uplinks.