ECMP Load-Balancing Algorithms
Let’s suppose the Routing Information Base (RIB) of
the firewall has multiple equal-cost paths to a single destination.
The maximum number of equal-cost paths defaults to 2. ECMP chooses
the best two equal-cost paths from the RIB to copy to the Forwarding
Information Base (FIB). ECMP then determines, based on the load-balancing
method, which of the two paths in the FIB the firewall will
use for the destination during this session.
ECMP load balancing is done at the session level, not at the
packet level—the start of a new session is when the firewall (ECMP)
chooses an equal-cost path. The equal-cost paths to a single destination
are considered ECMP path members or ECMP group members. ECMP determines
which one of the multiple paths to a destination in the FIB to use
for an ECMP flow, based on which load-balancing algorithm you set.
A virtual router can use only one load-balancing algorithm.
Enabling, disabling, or changing ECMP
on an existing virtual router causes the system to restart the virtual
router, which might cause existing sessions to be terminated.
The four algorithm choices emphasize different priorities, as
follows:
Hash-based algorithms prioritize session stickiness—The IP Modulo and
IP Hash algorithms use hashes based on information in the packet
header, such as source and destination address. Because the header
of each flow in a given session contains the same source and destination
information, these options prioritize session stickiness.
If you choose the IP Hash algorithm, the
hash can be based on the source and destination addresses, or the
hash can be based on the source address only. Using an IP hash based
on only the source address causes all sessions belonging to the
same source IP address to always take the same path from available
multiple paths. Thus the path is considered sticky and is easier
to troubleshoot if necessary. You can optionally set a Hash Seed
value to further randomize load balancing if you
have a large number of sessions to the same destination and they’re
not being distributed evenly over the ECMP links.
Balanced algorithm prioritizes load balancing—The Balanced
Round Robin algorithm distributes incoming sessions
equally across the links, favoring load balancing over session stickiness.
(Round robin indicates a sequence in which the least recently chosen
item is chosen.) In addition, if new routes are added or removed
from an ECMP group (for example if a path in the group goes down),
the virtual router will re-balance the sessions across links in
the group. Additionally, if the flows in a session have to switch
routes due to an outage, when the original route associated with
the session becomes available again, the flows in the session will
revert to the original route when the virtual router once again
re-balances the load.
Weighted algorithm prioritizes link capacity and/or speed—As
an extension to the ECMP protocol standard, the Palo Alto Networks® implementation
provides for a Weighted Round Robin load-balancing
option that takes into account differing link capacities and speeds
on the egress interfaces of the firewall. With this option, you
can assign ECMP Weights (range is 1 to 255;
default is 100) to the interfaces based on link performance using
factors such as link capacity, speed, and latency to ensure that
loads are balanced to fully leverage the available links.
For example, suppose the firewall has redundant links to an ISP: ethernet1/1
(100 Mbps) and ethernet1/8 (200 Mbps). Although these are equal-cost
paths, the link via ethernet1/8 provides greater bandwidth and therefore
can handle a greater load than the ethernet1/1 link. Therefore,
to ensure that the load-balancing functionality takes into account
link capacity and speed, you might assign ethernet1/8 a weight of
200 and ethernet1/1 a weight of 100. The 2:1 weight ratio causes
the virtual router to send twice as many sessions to ethernet1/8
as it sends to ethernet1/1. However, because the ECMP protocol is
inherently session-based, when using the Weighted Round
Robin algorithm, the firewall will be able to load balance
across the ECMP links only on a best-effort basis.
Keep in mind that ECMP weights are assigned to interfaces to determine load
balancing (to influence which equal-cost path is chosen),
not for route selection (a route choice from routes that could have
different costs).
Assign lower-speed or lower-capacity links a lower weight. Assign higher-speed
or higher-capacity links a higher weight. In this manner, the
firewall can distribute sessions based on these ratios, rather than
overdrive a low-capacity link that is one of the equal-cost paths.
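
The sketch below is an added example, not Palo Alto Networks code: it models session-level path selection for the hash-based and Weighted Round Robin options described above, using the page's ethernet1/1 (weight 100) and ethernet1/8 (weight 200) links. The SHA-256 hash, the way the seed is mixed in, the smooth round-robin scheduler and the sample addresses are assumptions made for illustration; the firewall's actual internals are not described on this page.

```python
import hashlib
from collections import Counter

# Interfaces and weights come from the page's example; hash and scheduler are assumptions.
PATHS = ["ethernet1/1", "ethernet1/8"]
WEIGHTS = {"ethernet1/1": 100, "ethernet1/8": 200}

def ip_hash_path(src, dst, paths=PATHS, source_only=False, seed=0):
    """Pick an ECMP member for a new session from a hash of header fields.
    SHA-256 is a stand-in: the firewall's real hash function is not documented here."""
    fields = [str(seed), src] if source_only else [str(seed), src, dst]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]

def weighted_round_robin(weights):
    """Generic smooth weighted round robin: yields one interface per new session."""
    credit = dict.fromkeys(weights, 0)
    total = sum(weights.values())
    while True:
        for iface, weight in weights.items():
            credit[iface] += weight
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        yield chosen

def distribute_wrr(weights, sessions):
    """Count how many of `sessions` new sessions land on each interface."""
    picker = weighted_round_robin(weights)
    return Counter(next(picker) for _ in range(sessions))

def paths_used(src, destinations, **kwargs):
    """Set of paths taken by sessions from one source to many destinations."""
    return {ip_hash_path(src, dst, **kwargs) for dst in destinations}

if __name__ == "__main__":
    dsts = [f"198.51.100.{i}" for i in range(1, 201)]  # constructed sample destinations
    print("source-only hash :", paths_used("10.0.0.5", dsts, source_only=True))
    print("src+dst hash     :", paths_used("10.0.0.5", dsts))
    print("weighted 300 sess:", dict(distribute_wrr(WEIGHTS, 300)))
```

Because selection happens once per session, the 2:1 result is a ratio of session counts, not of bytes, which is why the page calls weighted balancing best-effort.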