Nominated Discussion: How Does the Firewall Determine Route Priority without ECMP?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
Did you find this article helpful? Yes No
No ratings

This article is based on a discussion, "ECMP". Read on to see @Raido_Rattameister's response! 

 

Dear Team,

 

Our question is "How can the firewall choose the route without configuring the ECMP?"

 

Appreciate your support as mentioned in this documentation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp

 

"Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route"

 

Best Regards,

Ahmed Sadek

Accepted Solution:

 

If you have multiple route entries to same destination with same metric you need ECMP to be enabled.

ECMP path choosing methods are:

 

- IP Modulo (default)—The virtual router load balances sessions using a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.

- IP Hash—There are two IP hash methods that determine which ECMP route to use:
If you select IP Hash, by default the firewall uses a hash of the source and destination IP addresses.
If you Use Source Address Only (available in PAN-OS 8.0.3 and later releases), the firewall ensure that all sessions belonging to the same source IP address always take the same path.
If you also Use Source/Destination Ports, the firewall includes the ports in either hash calculation. You can also enter a Hash Seed value (an integer) to further randomize load balancing.

- Weighted Round Robin—You can use this algorithm to take in to consideration different link capacities and speeds. When choosing this algorithm, the Interface dialog opens. Add and select an Interface to include in the weighted round robin group. For each interface, enter the Weight for that interface (range is 1 to 255; default is 100). The higher the weight for a specific equal-cost path, the more often that the equal-cost path is selected for a new session. A higher speed link should be given a higher weight than a slower link so that more of the ECMP traffic goes over the faster link. You can then Add another interface and weight.

- Balanced Round Robin—Distributes incoming ECMP sessions equally across links.

 

Other option is to use Policy Based Forwarding.

 

PBF will be checked first and if traffic matches PBF policy then PBF route takes precedence and virtual router routes are not checked.

 

You can't configure multiple routes with same metric if you don't enable ECMP.

So without ECMP metric is used to decide route.

Smaller metric configured on static route will take precedence.

 

The commit will fail if you have multiple routes to same destination with same metric without enabling ECMP.

 

Raido_Rattameister_0-1672240011987.png

 

Raido_Rattameister_1-1672240051045.png

 

Rate this article:
Register or Sign-in
Labels
Article Dashboard
Version history
Last update:
‎12-28-2022 11:43 AM
Updated by: