ECMP is supported on all Palo Alto Networks firewall
platforms, with hardware forwarding support on the PA-7000 Series,
PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020
firewalls, PA-500 firewalls, PA-200 firewalls, and VM-Series firewalls
support ECMP through software only. Performance is affected for sessions
that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel,
and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic
routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is
based on the number of paths, so an ECMP route with four paths will
consume four entries of route table capacity. ECMP implementation
might slightly decrease the route table capacity because more memory
is being used by session-based tags to map traffic flows to particular
ECMP has the following restrictions:
PA-2000 Series firewalls and
PA-4000 Series firewalls with ECMP enabled might not be able to
offload sessions to hardware for forwarding. Packets matching ECMP
routes will be sent to software, while packets matching non-ECMP
routes can still be forwarded by hardware.
For the PA-4000 Series firewalls, packets to be forwarded
by ECMP routes will be sent to software for route lookup and forwarding,
even though the session is in offloaded state.
Virtual router-to-virtual router routing using static routes
does not support ECMP.