Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
- Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
- Enable ECMP for a virtual router.
  - Select Network > Virtual Routers and select the virtual router on which to enable ECMP.
  - Select Router Settings > ECMP and select Enable.
- (Optional) Enable symmetric return of packets from server to client. Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall sends return packets out the ingress interface rather than out an ECMP-selected interface. The Symmetric Return setting overrides load balancing. This behavior applies only to traffic flows from the server to the client.
- Enable Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall egresses the physical interface to which the source IP address of the IPSec tunnel belongs. When ECMP is enabled, IKE and IPSec traffic originating at the firewall by default egresses whichever interface the ECMP load-balancing method selects. Enabling Strict Source Path instead makes that traffic always egress the physical interface that owns the source IP address of the IPSec tunnel. Enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a reverse path forwarding (RPF) check (or a similar check to prevent IP address spoofing) to confirm that traffic is egressing the same interface on which it arrived. Because ECMP chooses the egress interface according to the configured ECMP method (instead of choosing the source interface as the egress interface), the traffic would not be what the ISP expects, and the ISP could block legitimate return traffic. In this case, enable Strict Source Path so that the firewall egresses the interface to which the source IP address of the IPSec tunnel belongs, the RPF check succeeds, and the ISP allows the return traffic.
- Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB). For Max Path allowed, enter 2, 3, or 4. Default: 2.
- Select the load-balancing algorithm for the virtual router. For more information on load-balancing methods and how they differ, see ECMP Load-Balancing Algorithms. For Load Balance, select one of the following options from the Method list:
  - IP Modulo (default): uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
  - IP Hash: one of two IP hash methods determines which ECMP route to use (select hash options in Step 5):
    - a hash of the source address (available in PAN-OS 8.0.3 and later releases), or
    - a hash of the source and destination IP addresses (the default IP hash method).
  - Balanced Round Robin: uses round robin among the ECMP paths and re-balances paths when the number of paths changes.
  - Weighted Round Robin: uses round robin and a relative weight to select from among ECMP paths. Specify the weights in Step 6 below.
- (IP Hash only) Configure IP Hash options. If you selected IP Hash as the Method:
  - Select Use Source Address Only (available in PAN-OS 8.0.3 and later releases) to ensure that all sessions belonging to the same source IP address always take the same path from the available paths. This IP hash option provides path stickiness and eases troubleshooting. If you don't select this option, or you are using a release prior to PAN-OS 8.0.3, the IP hash is based on the source and destination IP addresses (the default IP hash method). If you select Use Source Address Only, you shouldn't push the configuration from Panorama to firewalls running PAN-OS 8.0.2, 8.0.1, or 8.0.0.
  - Select Use Source/Destination Ports to include source or destination port numbers in the IP Hash calculation. Enabling this option along with Use Source Address Only randomizes path selection even for sessions belonging to the same source IP address.
  - Enter a Hash Seed value (an integer with a maximum of nine digits) to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.
- (Weighted Round Robin only) Define a weight for each interface in the ECMP group. If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network). The higher the weight, the more often that equal-cost path is selected for a new session. Give higher-speed links a higher weight than slower links so that more of the ECMP traffic goes over the faster link.
  - Create an ECMP group by clicking Add and selecting an Interface.
  - Add the other interfaces in the ECMP group.
  - Click Weight and specify the relative weight for each interface (range is 1-255; default is 100).
- Save the configuration.
  - Click OK.
  - At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated. This message displays only if you are modifying an existing virtual router with ECMP.
- Commit your changes. Commit the configuration.
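The Strict Source Path step above, as an added model (not PAN-OS code) of what the ISP's RPF check sees when ECMP hashes firewall-originated IKE/IPSec traffic onto the wrong link; the two ISP links, their address blocks, and the tunnel source address are constructed.

```python
# Added illustration, not PAN-OS code: why Strict Source Path matters when an
# ISP applies a reverse path forwarding (RPF) check to firewall-originated
# IKE/IPSec traffic. The ISP links and their address blocks are constructed.
import ipaddress

# Constructed topology: two ISP links that offer equal-cost paths to the
# same destination, each link owning its own address block.
ISP_LINKS = {
    "ethernet1/1": ipaddress.ip_network("203.0.113.0/30"),   # ISP A
    "ethernet1/2": ipaddress.ip_network("198.51.100.0/30"),  # ISP B
}


def source_interface(tunnel_src_ip: str) -> str:
    """Physical interface whose address block owns the IPSec tunnel's
    source IP (the egress that Strict Source Path enforces)."""
    addr = ipaddress.ip_address(tunnel_src_ip)
    for name, block in ISP_LINKS.items():
        if addr in block:
            return name
    raise ValueError(f"{tunnel_src_ip} does not belong to any ISP link")


def select_egress(tunnel_src_ip: str, ecmp_choice: str,
                  strict_source_path: bool) -> str:
    """Egress interface for firewall-originated IKE/IPSec traffic.

    Without Strict Source Path the ECMP load-balancing method's choice is
    used as-is; with it, the interface owning the source IP is used.
    """
    if strict_source_path:
        return source_interface(tunnel_src_ip)
    return ecmp_choice


def isp_rpf_accepts(arrival_link: str, src_ip: str) -> bool:
    """The ISP's RPF-style anti-spoofing check: accept a packet only if its
    source address belongs to the link it arrived on."""
    return ipaddress.ip_address(src_ip) in ISP_LINKS[arrival_link]


def tunnel_traffic_passes(tunnel_src_ip: str, ecmp_choice: str,
                          strict_source_path: bool) -> bool:
    """End-to-end outcome: does the ISP accept the firewall's IKE/IPSec packet?"""
    egress = select_egress(tunnel_src_ip, ecmp_choice, strict_source_path)
    return isp_rpf_accepts(egress, tunnel_src_ip)


if __name__ == "__main__":
    # Tunnel sourced from ISP A's address, but ECMP hashed the flow onto ISP B.
    print(tunnel_traffic_passes("203.0.113.2", "ethernet1/2", False))  # False
    print(tunnel_traffic_passes("203.0.113.2", "ethernet1/2", True))   # True
```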
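The Load Balance method, IP Hash option and Weighted Round Robin weight steps above, as an added model (not PAN-OS code) of how each option changes which path a new session takes; the firewall's actual hash function is not public, so SHA-256 over the selected header fields stands in for it, and the interface names, weights and flows are constructed.

```python
# Added illustration, not PAN-OS code: a model of the ECMP path-selection
# options on this page (SHA-256 stands in for the firewall's real hash).
import hashlib
import itertools
from typing import Dict, Iterator, List, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
PATHS = ["ethernet1/1", "ethernet1/2", "ethernet1/3"]  # constructed ECMP group


def ip_hash_path(flow: Flow, paths: List[str], *, source_only: bool = False,
                 use_ports: bool = False, hash_seed: int = 0) -> str:
    """IP Hash: hash the selected fields and map the digest onto a path.

    source_only -> 'Use Source Address Only' (sessions from one client stick
                   to one path); off, it hashes source + destination IP, which
                   is also what IP Modulo does in this model.
    use_ports   -> 'Use Source/Destination Ports' (defeats stickiness)
    hash_seed   -> 'Hash Seed' (re-shuffles which tuples land on which path)
    """
    src, dst, sport, dport = flow
    fields = [src] if source_only else [src, dst]
    if use_ports:
        fields += [str(sport), str(dport)]
    key = f"{hash_seed}|" + "|".join(fields)
    digest = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    return paths[digest % len(paths)]


def weighted_round_robin(weights: Dict[str, int]) -> Iterator[str]:
    """Weighted Round Robin: over sum(weights) new sessions each interface is
    chosen exactly 'weight' times (smooth weighted round robin, so the picks
    are interleaved rather than bursty)."""
    credit = {path: 0 for path in weights}
    total = sum(weights.values())
    while True:
        for path in credit:
            credit[path] += weights[path]
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        yield chosen


def session_counts(weights: Dict[str, int], sessions: int) -> Dict[str, int]:
    """How new sessions are spread across the ECMP group under given weights."""
    counts = {path: 0 for path in weights}
    for path in itertools.islice(weighted_round_robin(weights), sessions):
        counts[path] += 1
    return counts
```

With Use Source Address Only, every flow from 10.1.1.5 maps to the same interface regardless of destination or ports; giving a 1 Gbps link weight 200 and a 500 Mbps link weight 100 sends two of every three new sessions to the faster link.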