ECMP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

ECMP

L1 Bithead

Dear Team,

 

Our question is "How can the firewall choose the route without configuring the ECMP"

 

Appreciate your support as mentioned in this documentation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp

 

"Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route"

 

Best Regards,

Ahmed Sadek

4 REPLIES 4

L7 Applicator

If you have multiple route entries to same destination with same metric you need ECMP to be enabled.

ECMP path choosing methods are:

- IP Modulo (default)—The virtual router load balances sessions using a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.

- IP Hash—There are two IP hash methods that determine which ECMP route to use:
If you select IP Hash, by default the firewall uses a hash of the source and destination IP addresses.
If you Use Source Address Only (available in PAN-OS 8.0.3 and later releases), the firewall ensure that all sessions belonging to the same source IP address always take the same path.
If you also Use Source/Destination Ports, the firewall includes the ports in either hash calculation. You can also enter a Hash Seed value (an integer) to further randomize load balancing.

- Weighted Round Robin—You can use this algorithm to take in to consideration different link capacities and speeds. When choosing this algorithm, the Interface dialog opens. Add and select an Interface to include in the weighted round robin group. For each interface, enter the Weight for that interface (range is 1 to 255; default is 100). The higher the weight for a specific equal-cost path, the more often that the equal-cost path is selected for a new session. A higher speed link should be given a higher weight than a slower link so that more of the ECMP traffic goes over the faster link. You can then Add another interface and weight.

- Balanced Round Robin—Distributes incoming ECMP sessions equally across links.

 

Other option is to use Policy Based Forwarding.

PBF will be checked first and if traffic matches PBF policy then PBF route takes precedence and virtual router routes are not checked.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

L1 Bithead

Thanks for the replay, But our concern about the routing selection without configuring ECMP plus If we have multiple route entries to the same destination with the same metric.

How can Palo Alto firewall choose the specific route.

L7 Applicator

You can't configure multiple routes with same metric if you don't enable ECMP.

So without ECMP metric is used to decide route.

Smaller metric configured on static route will take precedence.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

L7 Applicator

 

Commit will fail if you have multiple routes to same destination with same metric without enabling ECMP.

 

Raido_Rattameister_0-1672240011987.png

 

Raido_Rattameister_1-1672240051045.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!