PBF with ECMP Issue


L1 Bithead

Hello, I have a question about PBF using ECMP.

We have 3 ISPs and are using ECMP with weighted round robin and Symmetric Return settings:

ISP A > 200

ISP B > 100

ISP C > 50

 

We set NAT like this:

All Users > ISP A

 

We use PBF for some IP segments:

Segment A to ISP A

Segment B to ISP B

Segment C to ISP C

 

But we have some problems, like below:

When we check the traffic monitor, we can see that IP Segment A is still going to ISP B and ISP C.

When we disable ECMP and set the ISP metrics in virtual routing to 10, 20, 30, GlobalProtect is only up for the ISP that has a low metric.

For some reason, some users can't access, or maybe have slower access to, specific websites.

For now, we have set the security policy to Allow All.

 

Is there any solution to avoid IP Segment A going to ISP B and C using this ECMP method?

2 REPLIES

Cyber Elite

I may be missing the point, but why do you enable ECMP if you only set NAT for ISP A and then set PBF policies to send traffic to a certain ISP?

 

I bet you're running into some sort of conflict where ECMP is bouncing users off to ISP B+C (because you defined ECMP).

Tom Piens
PANgurus - (co)managed services and consultancy

For the first deployment we set it to ECMP because they wanted to utilize all the WAN links. After a few weeks our users had a problem with routing, so we checked the routing to see if there was any problem, but we didn't find one.

 

So we use NAT and PBF to send some segments to a specific WAN link, and let the other segments use the ECMP configuration. I checked other threads for Palo Alto and other vendors, and I think this is the behaviour of the ECMP configuration: it balances the traffic even if we specify the link, and when one link is higher than the others, the configuration still balances the links.
