12-28-2022 03:18 AM
Dear Team,
Our question is: "How can the firewall choose the route without configuring ECMP?"
We would appreciate your support. As mentioned in this documentation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp
"Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route"
Best Regards,
Ahmed Sadek
12-28-2022 05:52 AM
If you have multiple route entries to the same destination with the same metric, you need ECMP to be enabled.
ECMP path choosing methods are:
- IP Modulo (default)—The virtual router load balances sessions using a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
- IP Hash—There are two IP hash methods that determine which ECMP route to use:
  - If you select IP Hash, by default the firewall uses a hash of the source and destination IP addresses.
  - If you Use Source Address Only (available in PAN-OS 8.0.3 and later releases), the firewall ensures that all sessions belonging to the same source IP address always take the same path.
  - If you also Use Source/Destination Ports, the firewall includes the ports in either hash calculation. You can also enter a Hash Seed value (an integer) to further randomize load balancing.
- Weighted Round Robin—You can use this algorithm to take into consideration different link capacities and speeds. When choosing this algorithm, the Interface dialog opens. Add and select an Interface to include in the weighted round robin group. For each interface, enter the Weight for that interface (range is 1 to 255; default is 100). The higher the weight for a specific equal-cost path, the more often that the equal-cost path is selected for a new session. A higher speed link should be given a higher weight than a slower link so that more of the ECMP traffic goes over the faster link. You can then Add another interface and weight.
- Balanced Round Robin—Distributes incoming ECMP sessions equally across links.
Another option is to use Policy Based Forwarding.
PBF will be checked first, and if traffic matches a PBF policy, then the PBF route takes precedence and virtual router routes are not checked.
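
The ECMP selection methods listed in the reply above can be sketched as follows. This is an added example, not part of the original thread and not PAN-OS code: SHA-256 stands in for the firewall's hash, which the thread does not specify, and the function names, addresses and interface names are constructed for illustration.

```python
import hashlib
import ipaddress
from collections import Counter

def hash_path(src, dst, n_paths, sport=None, dport=None,
              source_only=False, seed=0):
    """Return the index of the equal-cost path chosen for a session."""
    fields = [seed, int(ipaddress.ip_address(src))]
    if not source_only:                      # default: source and destination IP
        fields.append(int(ipaddress.ip_address(dst)))
    if sport is not None and dport is not None:
        fields += [sport, dport]             # "Use Source/Destination Ports"
    digest = hashlib.sha256(repr(fields).encode()).digest()  # stand-in hash
    return int.from_bytes(digest[:8], "big") % n_paths

def weighted_round_robin(weights, n_sessions):
    """Assign new sessions to interfaces in proportion to their weights."""
    current = dict.fromkeys(weights, 0)
    total = sum(weights.values())
    picks = []
    for _ in range(n_sessions):
        for ifc, w in weights.items():
            current[ifc] += w
        best = max(current, key=current.get)  # interface most "owed" a session
        current[best] -= total
        picks.append(best)
    return Counter(picks)

if __name__ == "__main__":
    # Constructed sample sessions (documentation address ranges).
    src = "192.0.2.10"
    dsts = [f"198.51.100.{i}" for i in range(1, 9)]
    print("src+dst hash :", [hash_path(src, d, 2) for d in dsts])
    print("source only  :", [hash_path(src, d, 2, source_only=True) for d in dsts])
    print("with ports   :", [hash_path(src, dsts[0], 2, sport=p, dport=443)
                             for p in range(50000, 50008)])
    # Weight 200 on the faster link, default 100 on the slower one.
    print(weighted_round_robin({"ethernet1/1": 200, "ethernet1/2": 100}, 300))
    # Equal weights behave like Balanced Round Robin.
    print(weighted_round_robin({"ethernet1/1": 100, "ethernet1/2": 100}, 300))
```

With source-only hashing every session from one source lands on the same path, which is the property to check when a downstream device expects per-client path affinity.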
12-28-2022 06:14 AM
Thanks for the reply, but our concern is about the routing selection without configuring ECMP, plus if we have multiple route entries to the same destination with the same metric.
How can the Palo Alto firewall choose the specific route?
12-28-2022 07:03 AM - edited 12-28-2022 07:13 AM
You can't configure multiple routes with the same metric if you don't enable ECMP.
So without ECMP, the metric is used to decide the route.
A smaller metric configured on a static route will take precedence.
12-28-2022 07:08 AM - edited 12-28-2022 07:08 AM
The commit will fail if you have multiple routes to the same destination with the same metric without enabling ECMP.