How to Implement ECMP (Load Balancing) on the Firewall

How to Implement ECMP (Load Balancing) on the Firewall

213709
Created On 09/25/18 17:19 PM - Last Modified 09/14/20 19:20 PM


Symptom


Equal Cost Multipath (ECMP) is a new feature introduced in PAN-OS 7.0. It provides multipath support for "equal cost" routes going to the same destination. There is a max of 4 equal cost paths supported

Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.

ECMP load balancing is done at the session level, not at the packet level—the start of a new session is when the firewall (ECMP) chooses an equal-cost path

This article focuses on basic configuration to achieve ECMP on the firewall

Environment


  • PAN-OS 7.0
  • ECMP (Equal Cost Multi Path)

Resolution


Topology

Topology.png

Interface configuration:

Interface.png
Note: ethernet1/1 and ethernet1/11 are ISP interfaces configured in different zones L3-Untrust and VPN respectively. However, these interfaces can be configured in same zone also


Route configuration with both default routes having "equal-cost":

Screen Shot 2016-09-05 at 4.20.12 PM.png

NAT policy to be able to route traffic over internet:
NAT diff zone.png

Note: If both ISP interfaces are in the same zone, then destination interfaces need to be added to the NAT policy as in the following screenshot:
NAT same zone.png

Security policy configuration to allow the traffic: (covers both scenario when interfaces are in same or different zone)
Policy.png

Enabling ECMP on the firewall:
ECMP enable.png

Note:

  • Max Path 2 means that only 2 equal cost paths will be installed in FIB table. If there are more than 2 equal-cost paths that need to be installed in FIB table, change Max Path value. Max supported value is 4.
  • Load balance method can be selected according to the requirement. For more information about load balance algorithm, please click here
  • Enable Symmetric Return if reply packet should be sent out the same interface that the request packet came in.

Additional Information


Verify ECMP is working:
Monitor > Traffic Logs (with different zone)
Screen Shot 2016-07-17 at 3.21.44 PM.png

Monitor > Traffic Logs (with same zone)
Screen Shot 2016-07-17 at 3.19.44 PM.png

Route installed for ECMP has a "E" flag in it:
Screen Shot 2016-07-17 at 3.22.34 PM.png
 

FIb table.png
Note: For detailed information on ECMP, please click here
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language