ECMP Strict Source Path

Reply
L5 Sessionator

ECMP Strict Source Path

Hello.

 

In ECMP settings there is Strict Source Path option to enable. But I can't find any descriptin about this option anywhere. Anyone knows what exactly does this option do? 

Tags (2)
L7 Applicator

Re: ECMP Strict Source Path

This has been bugging me since it was posted. I was finally able to do enough digging and found the answer.

 

Strict Source Path is a feature of the ECMP specification, rather than a feature unique to Palo Alto Networks. There are 2 types of source routing with ECMP, loose and strict. 

 

Check the following RFC, section 3.1. The subsections are titled "Loose Source and Record Route" and "Strict Source and Record Route".

https://tools.ietf.org/rfc/rfc791.txt

 

Both require options in the IP header. Loose (type=131) is by far the most common, but some environments will need strict (type=137). 

L3 Networker

Re: ECMP Strict Source Path

Hi @gwesson

Thanks, i also had this query.

 

It may be not relevent here, but appreciate if you can clarify me in this option, I can see 'symmetric return' under ECMP option, is this a alternative option for symmetric return in dual ISP failover/ECMP scenario ?. i have seen in dual ISP scenarios, poeple were using PBF for symmetric return enforcement.

 

So if i have web services running inside and ECMP is enabled in dual ISP scenario, i just need to enable this option instead of doing PBF and select ' symmetric return' ?

L7 Applicator

Re: ECMP Strict Source Path

@Abdul_Razaq they're related, but do different things in their own context. The PBF option is when you could have asymmetric routes, whereas in ECMP it overrides the inherent load balancing that ECMP provides. Both of the following are pulled from the inline help on the firewall from their respective sections:

 

Symmetric return in ECMP

Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface, so the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.

 

Symmetric return in PBF

Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List. Enabling symmetric return ensures that return traffic (such as from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the internet.
L5 Sessionator

Re: ECMP Strict Source Path

Ty for the info.

L0 Member

Re: ECMP Strict Source Path

"strict source path" means no ECMP. It applies to firewall originated IKE/IPsec traffic. Traffic will be sent out over the tunnel based on which tunnel the source address belong to. It has nothing to do with real "source routing". It does not affect transit traffic. Similar to "symetric return" it is an exception of ECMP hashing.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!