Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
- Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
- Enable ECMP for a virtual router.
- Select Network > Virtual Routers and select the virtual router on which to enable ECMP.
- Select Router Settings > ECMP and select Enable.
- (Optional) Enable symmetric return of packets from server to client. Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
- Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB). For Max Path allowed, enter 2, 3, or 4. Default: 2.
- Select the load-balancing algorithm for the virtual router. For more information on load-balancing methods and how they differ, see Load-Balancing Algorithms. For Load Balance, select one of the following options from the Method list:
- IP Modulo (default)—Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
- IP Hash—There are two IP hash methods that determine which ECMP route to use (select hash options in Step
- Use a hash of the source address (available in PAN-OS 8.0.3 and later releases).
- Use a hash of the source and destination IP addresses (the default IP hash method).
- Balanced Round Robin—Uses round robin among the ECMP paths and re-balances paths when the number of paths changes.
- Weighted Round Robin—Uses round robin and a relative weight to select from among ECMP paths. Specify the weights in Step 6 below.
- (IP Hash only) Configure IP Hash options. If you selected IP Hash as the Method:
- Select Use Source Address Only (available in PAN-OS 8.0.3 and later releases) if you want to ensure all sessions belonging to the same source IP address always take the same path from available multiple paths. This IP hash option provides path stickiness and eases troubleshooting. If you don’t select this option or you’re using a release prior to PAN-OS 8.0.3, the IP hash is based on the source and destination IP addresses (the default IP hash method). If you select Use Source Address Only, you shouldn’t push the configuration from Panorama to firewalls running PAN-OS 8.0.2, 8.0.1, or 8.0.0.
- Select Use Source/Destination Ports if you want to use source or destination port numbers in the IP Hash calculation. Enabling this option along with Use Source Address Only will randomize path selection even for sessions belonging to the same source IP address.
- Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed value to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.
- (Weighted Round Robin only) Define a weight for each interface in the ECMP group. If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic to be routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network). The higher the weight, the more often that equal-cost path will be selected for a new session. Give higher-speed links a higher weight than slower links so that more of the ECMP traffic goes over the faster link.
- Create an ECMP group by clicking Add and selecting an Interface.
- Add the other interfaces in the ECMP group.
- Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).
- Save the configuration.
- Click OK.
- At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated. This message displays only if you are modifying an existing virtual router with ECMP.
- Commit your changes.
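The effect of the IP Hash options and interface weights chosen in the steps above can be previewed with a small model. This is an added example, not Palo Alto Networks code: SHA-256 stands in for the firewall's hash, which this page does not specify, and the function names, addresses and interface names are constructed.

```python
import hashlib
from collections import Counter

def ip_hash_path(src, dst, sport, dport, n_paths,
                 src_only=False, use_ports=False, seed=0):
    """Model of the IP Hash options: return a path index in [0, n_paths).

    SHA-256 is an assumption standing in for the firewall's own hash.
    """
    fields = [str(seed), src]           # Hash Seed is mixed into every hash
    if not src_only:                    # default IP hash: source and destination
        fields.append(dst)
    if use_ports:                       # Use Source/Destination Ports
        fields += [str(sport), str(dport)]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_paths

def weighted_round_robin(weights, sessions):
    """Assign new sessions to interfaces in proportion to their relative weight."""
    current = dict.fromkeys(weights, 0)
    total = sum(weights.values())
    picks = Counter()
    for _ in range(sessions):
        for ifc, w in weights.items():
            current[ifc] += w
        best = max(current, key=current.get)
        current[best] -= total          # push the chosen interface back in the rotation
        picks[best] += 1
    return picks

# Constructed sample: 200 sessions from one client to 50 servers, varying source port
SESSIONS = [("10.1.1.5", f"203.0.113.{i % 50 + 1}", 40000 + i, 443)
            for i in range(200)]

def paths_used(**opts):
    """Set of path indexes (Max Path = 4) the sample sessions land on."""
    return {ip_hash_path(s, d, sp, dp, n_paths=4, **opts)
            for s, d, sp, dp in SESSIONS}

if __name__ == "__main__":
    print("source+destination (default):", sorted(paths_used()))
    print("Use Source Address Only:     ", sorted(paths_used(src_only=True)))
    print("source only + ports:         ", sorted(paths_used(src_only=True, use_ports=True)))
    # Constructed interface names; weights must be in the 1-255 range
    print(dict(weighted_round_robin({"ethernet1/1": 200, "ethernet1/2": 100}, 300)))
```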