I am wondering if someone could help me with this solution.
I have an FG Cluster and I want to configure 2 x point-to-point OSPF links (OSPF-LINK-1 and OSPF-LINK-2) on the FG Cluster to 2 different upstream Cisco switches (OSPF-LINK-1 --> CISCO-SW1 and OSPF-LINK-2 --> CISCO-SW2).
In addition I want to run ECMP across the OSPF links from the FG to the upstream switches.
I have enabled the ECMP capability on the FG Cluster:
config system settings
    set ecmp-max-paths 2
end
ECMP is configured throughout the upstream network and also on the return path downstream to the FG Cluster, so I expect that there will be an asymmetric condition whereby traffic egressing out the OSPF-LINK-1 port on the FG could be ingressing back via the OSPF-LINK-2 port and vice versa.
The topology and scenario are quite similar to that shown here, however I am using OSPF with ECMP load-balancing to the upstream devices:
http://kb.fortinet.com/kb....do?externalID=FD30895
As such I am wondering will I have to enable asymmetric routing on the VDOM as follows:
config system settings
    set asymroute enable
end
Initially I thought that I would have to enable asymmetric routing due to the RPF (Anti-Spoofing) feature however from reading all of the documentation that I could find it states:
The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet from being forwarded if its Source IP does not either:
Hi,
Enabling NAT in the firewall policy is good practice to avoid asymroute happening.
In your case, there is no need to enable asymroute. If ECMP happens, that means routes to the source address of the reply traffic exist on both links, so there is no RPF drop. But the session may not offload to the NPU.
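As an added illustration of the reasoning in the reply above (this is not code from the thread or from FortiOS): a small Python model of the RPF check with a constructed routing table in which OSPF has installed 10.0.0.0/8 via both links (ECMP) but 172.16.0.0/12 via OSPF-LINK-1 only. The interface names come from the question; the prefixes, the host addresses and the simplified "any route via the ingress interface" rule are assumptions of the example.

```python
import ipaddress

# Constructed routing table (assumed prefixes). The duplicate 10.0.0.0/8 entries
# are what ECMP looks like once ecmp-max-paths allows two equal-cost OSPF routes.
ROUTES = [
    {"prefix": "10.0.0.0/8", "iface": "OSPF-LINK-1"},
    {"prefix": "10.0.0.0/8", "iface": "OSPF-LINK-2"},
    {"prefix": "172.16.0.0/12", "iface": "OSPF-LINK-1"},
    {"prefix": "192.168.1.0/24", "iface": "inside"},
]


def matching_routes(src_ip, routes=ROUTES):
    """All routes whose prefix covers src_ip (two entries when ECMP applies)."""
    ip = ipaddress.ip_address(src_ip)
    return [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]


def rpf_accepts(src_ip, ingress_iface, asymroute=False, routes=ROUTES):
    """Simplified RPF / anti-spoofing decision for a packet from src_ip
    arriving on ingress_iface.

    Model: accept if at least one route to the source points out the ingress
    interface; with asymroute enabled the check is skipped entirely.
    """
    if asymroute:
        return True
    return any(r["iface"] == ingress_iface for r in matching_routes(src_ip, routes))


def reply_path_verdict(remote_ip, reply_ingress, asymroute=False):
    """Human-readable verdict for a reply from remote_ip that returns on
    reply_ingress after the request left over the other OSPF link."""
    ok = rpf_accepts(remote_ip, reply_ingress, asymroute)
    return "accept" if ok else "drop (RPF: no route to source via %s)" % reply_ingress


if __name__ == "__main__":
    # Request went out OSPF-LINK-1, reply returns on OSPF-LINK-2.
    for remote in ("10.1.2.3", "172.16.5.5"):
        print(remote, "->", reply_path_verdict(remote, "OSPF-LINK-2"))
    # Spoofed inside address arriving from upstream is still dropped.
    print("192.168.1.10 on OSPF-LINK-1 ->", reply_path_verdict("192.168.1.10", "OSPF-LINK-1"))
```

The ECMP destination passes RPF on either link without asymroute, while the single-path destination is only accepted when the session is symmetric or asymroute is enabled; the spoofed inside address is dropped in both cases.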
Copyright 2024 Fortinet, Inc. All Rights Reserved.