Configure ECMP on a Virtual Router
Focus
Focus

Configure ECMP on a Virtual Router

Table of Contents

Configure ECMP on a Virtual Router

Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
  • Specify the interfaces that belong to a virtual router (NetworkVirtual RoutersRouter SettingsGeneral).
  • Specify the IP routing protocol.
ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
  1. Enable ECMP for a virtual router.
    1. Select NetworkVirtual Routers and select the virtual router on which to enable ECMP.
    2. Select Router SettingsECMP and select Enable.
  2. (Optional) Enable symmetric return of packets from server to client.
    Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
  3. Enable Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall egresses the physical interface to which the source IP address of the IPSec tunnel belongs.
    When you enable ECMP, IKE and IPSec traffic originating at the firewall by default egresses an interface that an ECMP load-balancing method determines. Alternatively, you can ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs, by enabling Strict Source Path. You would enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a reverse Path Forwarding (RPF) check (or a different check to prevent IP address spoofing) to confirm that traffic is egressing the same interface on which it arrived. Because ECMP would choose an egress interface based on the configured ECMP method (instead of choosing the source interface as the egress interface), that wouldn’t be what the ISP expects and the ISP could block legitimate return traffic. In this case, enable Strict Source Path so that the firewall uses the egress interface that is the interface to which the source IP address of the IPSec tunnel belongs, the RPF check succeeds, and the ISP allows the return traffic.
  4. Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
    For Max Path allowed, enter 2, 3, or 4. Default: 2.
  5. Select the load-balancing algorithm for the virtual router. For more information on load-balancing methods and how they differ, see ECMP Load-Balancing Algorithms.
    For Load Balance, select one of the following options from the Method list:
    • IP Modulo (default)—Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
    • IP Hash—There are two IP hash methods that determine which ECMP route to use (select hash options in Step 5):
      • Use a hash of the source address (available in PAN-OS 8.0.3 and later releases).
      • Use a hash of the source and destination IP addresses (the default IP hash method).
    • Balanced Round Robin—Uses round robin among the ECMP paths and re-balances paths when the number of paths changes.
    • Weighted Round Robin—Uses round robin and a relative weight to select from among ECMP paths. Specify the weights in Step 6 below.
  6. (IP Hash only) Configure IP Hash options.
    If you selected IP Hash as the Method:
    1. Select Use Source Address Only (available in PAN-OS 8.0.3 and later releases) if you want to ensure all sessions belonging to the same source IP address always take the same path from available multiple paths. This IP hash option provides path stickiness and eases troubleshooting. If you don’t select this option or you’re using a release prior to PAN-OS 8.0.3, the IP hash is based on the source and destination IP addresses (the default IP hash method).
      If you select Use Source Address Only, you shouldn’t push the configuration from Panorama to firewalls running PAN-OS 8.0.2, 8.0.1, or 8.0.0.
    2. Select Use Source/Destination Ports if you want to use source or destination port numbers in the IP Hash calculation.
      Enabling this option along with Use Source Address Only will randomize path selection even for sessions belonging to the same source IP address.
    3. Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed value to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.
  7. (Weighted Round Robin only) Define a weight for each interface in the ECMP group.
    If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic to be routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network).
    The higher the weight, the more often that equal-cost path will be selected for a new session.
    Give higher speed links a higher weight than a slower links so that more of the ECMP traffic goes over the faster link.
    1. Create an ECMP group by clicking Add and selecting an Interface.
    2. Add the other interfaces in the ECMP group.
    3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).
  8. Save the configuration.
    1. Click OK.
    2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated.
      This message displays only if you are modifying an existing virtual router with ECMP.
  9. Commit your changes.
    Commit the configuration.