This document describes how to configure the Adaptive Security Appliance (ASA) with up to three equal-cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to select the route, and therefore the next hop, for that packet; it does not use a round-robin algorithm. Unlike round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as determined by the computed hash.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
This document describes these configurations:
Static Routes Used to Accomplish ECMP
Open Shortest Path First Routing Protocol Used to Accomplish ECMP
Static Routes Used to Accomplish ECMP
This example shows equal-cost static routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways based on the source and destination IP addresses in the packet.
Multiple static routes that utilize ECMP are available only on the same interface. ECMP is not supported across multiple interfaces.
ASA Sample Configuration:
route outside 10.10.10.0 255.255.255.0 192.168.1.1
route outside 10.10.10.0 255.255.255.0 192.168.1.2
route outside 10.10.10.0 255.255.255.0 192.168.1.3
Show Route Output on the ASA:
S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.1, outside
                           [1/0] via 192.168.1.2, outside
                           [1/0] via 192.168.1.3, outside
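The two constraints stated above (at most three equal-cost routes per interface, and no ECMP across interfaces) can be checked against a configuration before it is deployed. The following Python script is an added example, not part of the original Cisco document. The dmz interface name and the 10.20, 10.30 and 10.40 routes in its sample input are constructed, and the optional sixth field of a route line is read as the administrative distance (default 1).

```python
import ipaddress
from collections import defaultdict

MAX_PATHS = 3  # equal-cost routes per interface, as stated on this page

def parse_static_routes(config_text):
    """Group 'route <if> <net> <mask> <gw> [distance]' lines by (dest, distance)."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "route":
            continue
        dest = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
        # Optional sixth field is the administrative distance; default is 1.
        distance = int(f[5]) if len(f) > 5 and f[5].isdigit() else 1
        groups[(dest, distance)].append((f[1], f[4]))
    return groups

def audit_ecmp(config_text):
    """Return findings for route sets that break the page's ECMP constraints."""
    findings = []
    for (dest, _), hops in sorted(parse_static_routes(config_text).items()):
        interfaces = sorted({ifname for ifname, _ in hops})
        if len(interfaces) > 1:  # same destination and distance on two interfaces
            findings.append((str(dest), "multi-interface", interfaces))
        for ifname in interfaces:
            gws = [gw for i, gw in hops if i == ifname]
            if len(gws) > MAX_PATHS:
                findings.append((str(dest), "too-many-paths", gws))
    return findings

# Constructed sample input: the page's three routes, two faulty sets, and a
# primary/backup pair with different distances (not an ECMP set).
SAMPLE = """\
route outside 10.10.10.0 255.255.255.0 192.168.1.1
route outside 10.10.10.0 255.255.255.0 192.168.1.2
route outside 10.10.10.0 255.255.255.0 192.168.1.3
route outside 10.20.0.0 255.255.0.0 192.168.1.1
route dmz 10.20.0.0 255.255.0.0 172.16.0.1
route outside 10.30.0.0 255.255.0.0 192.168.1.1
route outside 10.30.0.0 255.255.0.0 192.168.1.2
route outside 10.30.0.0 255.255.0.0 192.168.1.3
route outside 10.30.0.0 255.255.0.0 192.168.1.4
route outside 10.40.0.0 255.255.0.0 192.168.1.1 1
route outside 10.40.0.0 255.255.0.0 192.168.1.9 254
"""

if __name__ == "__main__":
    for finding in audit_ecmp(SAMPLE):
        print(finding)
```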
Open Shortest Path First Routing Protocol Used to Accomplish ECMP
Open Shortest Path First (OSPF) can be configured to use ECMP by providing routes with the same path cost. Below is an example of the use of OSPF between an ASA and two adjacent routers.
In this example, the two routers on the outside run OSPF and are configured to inject default routes to the ASA. The default routes are added to the ASA's routing table, and since both routers send the same metric, the ASA adds them as ECMPs to the default destination network.
OSPF is featured in this document. However, any routing protocol that the ASA supports could be used, such as Enhanced Interior Gateway Routing Protocol (EIGRP).
Sample Configuration
ASA:
router ospf 10
 network 10.10.10.0 255.255.255.0 area 0
 log-adj-changes
Router 1:
router ospf 10
 network 10.10.10.0 0.0.0.255 area 0
 default-information originate metric 10
Router 2:
router ospf 10
 network 10.10.10.0 0.0.0.255 area 0
 default-information originate metric 10
The default-information originate command sets the metric to 10 on both routers. When the ASA receives these routes, it installs them with the same path cost.
Show Route Output on the ASA:
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.10.10.1, 0:10:18, outside
                     [110/1] via 10.10.10.2, 0:10:18, outside
There is currently no verification procedure available for this configuration.
If EIGRP is used to accomplish ECMP, refer to Cisco bug ID CSCti54545 (registered customers only), "EIGRP metrics will not update properly on ASA".
Revision | Publish Date | Comments |
---|---|---|
1.0 | 21-Mar-2013 | Initial Release |