Equal Cost Multiple Path (ECMP) processing is a networking
feature that enables the firewall to use up to four equal-cost routes
to the same destination. Without this feature, if there are multiple
equal-cost routes to the same destination, the virtual router chooses
one of those routes from the routing table and adds it to its forwarding
table; it will not use any of the other routes unless there is an
outage in the chosen route.

Enabling ECMP functionality on a virtual router allows the firewall
to have up to four equal-cost paths to a destination in its forwarding
table, allowing the firewall to:

- Load balance flows (sessions) to the same destination over
  multiple equal-cost links.
- Efficiently use all available bandwidth on links to the same
  destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same
  destination if a link fails, rather than having to wait for the
  routing protocol or RIB table to elect an alternative path/route.
  This can help reduce downtime when links fail.

ECMP is supported on all Palo Alto Networks
models, with hardware forwarding support on the PA-7000 Series,
PA-5200 Series, and PA-3200 Series. VM-Series firewalls support
ECMP through software only. Performance is affected for sessions
that cannot be hardware offloaded.

ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel,
and Aggregated Ethernet interfaces.

ECMP can be configured for static routes and any of the dynamic
routing protocols the firewall supports.

ECMP affects the route table capacity because the capacity is
based on the number of paths, so an ECMP route with four paths will
consume four entries of route table capacity. ECMP implementation
might slightly decrease the route table capacity because more memory
is being used by session-based tags to map traffic flows to particular

Virtual router-to-virtual router routing using static routes
does not support ECMP.
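
A small Python model of the behavior described above, added here as an illustration and not Palo Alto Networks code: it installs one path without ECMP and up to four with it, pins each session to a path, and redistributes sessions when a member fails. The hash-modulo selection, the function names and the sample addresses are assumptions; this page does not state which load-balancing algorithm the firewall uses.

```python
import hashlib
from collections import Counter

MAX_ECMP_PATHS = 4  # per the page: up to four equal-cost routes per destination

def select_paths(routes, ecmp_enabled):
    """Next hops installed in the forwarding table for one destination."""
    best = min(metric for _, metric in routes)
    equal = [nh for nh, metric in routes if metric == best]
    # Without ECMP only one route is installed (taking the first is an assumption).
    return equal[:MAX_ECMP_PATHS] if ecmp_enabled else equal[:1]

def pick_path(flow, paths):
    """Pin a session (5-tuple) to one path; hash-modulo is an assumed algorithm."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]

def distribute(flows, paths):
    """Count sessions per path."""
    return Counter(pick_path(f, paths) for f in flows)

def simulate():
    # Constructed sample: five equal-cost routes and one higher-cost route.
    routes = [("10.0.1.1", 10), ("10.0.2.1", 10), ("10.0.3.1", 10),
              ("10.0.4.1", 10), ("10.0.5.1", 10), ("10.0.6.1", 20)]
    # Constructed sessions toward one destination (documentation address ranges).
    flows = [("192.0.2.%d" % (i % 250 + 1), 40000 + i, "198.51.100.10", 443, "tcp")
             for i in range(2000)]
    single = select_paths(routes, ecmp_enabled=False)
    multi = select_paths(routes, ecmp_enabled=True)
    before = distribute(flows, multi)
    # Link failure: drop one member and re-hash sessions over the survivors,
    # without waiting for a new route to be elected.
    survivors = [p for p in multi if p != "10.0.2.1"]
    after = distribute(flows, survivors)
    return {"single": single, "multi": multi, "before": before, "after": after,
            # Capacity is counted per path, so this route costs len(multi) entries.
            "capacity_entries": len(multi)}

if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```
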