How to configure ECMP Equal Cost Multi-Path Between Palo Alto And Cisco

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to configure ECMP Equal Cost Multi-Path Between Palo Alto And Cisco

Not applicable

Is it Possible to achieve  ECMP between a cisco router and a PA-2000 series running PAN-OS 4.1.7

If Yes Can somebody point me to the right direction.

Thank You

1 accepted solution

Accepted Solutions

L6 Presenter

Hi ,

Currently Paloalto does not do any kinds of ECMP routing. If we have two equal cost routes on the PAN, PAN will just use one of the two routes and will not do any load balancing. This is true for any protocol let it be static route or OSPF or anything. So if want to achieve ECMP you have to do it on either upstream/downstream of Paloalto.

Thanks,
Sandeep T

View solution in original post

4 REPLIES 4

L6 Presenter

I dont know if PA itself supports ECMP or not but usually (in my opinion) the ECMP will be setup in the routers before and after the PA-cluster (cluster of PA's who are individually configured (meaning no active/passive or active/active) in order to gain performance).

Most modern Cisco routers supports at least 8 paths of ECMP (meaning up to 8 nexthops with the same metric/cost and they all will be used).

What you must make sure is to use "ip load-sharing per-destination" (default when CEF is enabled) so that the traffic will use a single path for all src+dstip traffic (compared to ip "load-sharing per-packet" which would break things in this situation):

"

Configuring per-Destination Load Balancing

Per-destination load balancing is enabled by default when you enable CEF. To use per-destination load balancing, you do not perform any additional tasks once you enable CEF.

Per-destination load balancing allows the router to use multiple paths to achieve load sharing. Packets for a given source-destination host pair are guaranteed to take the same path, even if multiple paths are available. Traffic destined for different pairs tend to take different paths. Per-destination load balancing is enabled by default when you enable CEF, and is the load balancing method of choice for most situations.

Because per-destination load balancing depends on the statistical distribution of traffic, load sharing becomes more effective as the number of source-destination pairs increase.

You can use per-destination load balancing to ensure that packets for a given host pair arrive in order. All packets for a certain host pair are routed over the same link (or links).

"

L6 Presenter

Hi ,

Currently Paloalto does not do any kinds of ECMP routing. If we have two equal cost routes on the PAN, PAN will just use one of the two routes and will not do any load balancing. This is true for any protocol let it be static route or OSPF or anything. So if want to achieve ECMP you have to do it on either upstream/downstream of Paloalto.

Thanks,
Sandeep T

Hi Sandeep,

May i know why ECMP is not supported ? What it takes to request it? I requested this back in 2011 and nothing happened since then. I would like to know, Why PA doesn't want to include ECMP ?

Happy news, ECMP is added now in PanOS 7


ECMP

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 7272 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!