Adaptive Security Appliance Equal Cost Multi-Path Configuration Example

Available Languages

Download Options

  • PDF     (8.8 KB)
    View with Adobe Reader on a variety of devices
Updated:March 21, 2013
Document ID:115986

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations

This document describes these configurations:

  • Static Routes Used to Accomplish ECMP

  • Open Shortest Path First Routing Protocol Used to Accomplish ECMP

Static Routes Used to Accomplish ECMP

This example shows static routes which are equal cost routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways based on the source and destination IP addresses in the packet.

Multiple static routes that utilize ECMP are available only on the same interface. ECMP is not supported across multiple interfaces.

ASA Sample Configuration:

route outside 10.10.10.0 255.255.255.0 192.168.1.1
route outside 10.10.10.0 255.255.255.0 192.168.1.2
route outside 10.10.10.0 255.255.255.0 192.168.1.3

Show Route Output on the ASA:

S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.1, outside
                                    [1/0] via 192.168.1.2, outside
                                    [1/0] via 192.168.1.3, outside

Open Shortest Path First Routing Protocol Used to Accomplish ECMP

Open Shortest Path First (OSPF) can be configured to utilize ECMP by the provision of routes with the same cost path. Below is an example of the use of OSPF between an ASA and two adjacent routers.

In this example, the two routers on the outside run OSPF, which are configured to inject default routes to the ASA. Default routes are added to the ASA's routing table, and since they send the same metric, the ASA adds them as ECMPs to the default destination nework.

OSPF is featured in this document. However any routing protocol that the ASA supports could be used, such as Enhanced Interior Gateway Routing Protocol (EIGRP).

Sample Configuration

ASA:

router ospf 10
 network 10.10.10.0 255.255.255.0 area 0
 log-adj-changes

Router 1:

router ospf 10
 network 10.10.10.0 0.0.0.255 area 0 
 default-information originate metric 10

Router 2:

router ospf 10
 network 10.10.10.0 0.0.0.255 area 0 
 default-information originate metric 10

The default-information originate command sets the metric to 10, which when received by the ASA, will install the route with the same cost path.

Show Route Output on the ASA:

O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.10.10.1, 0:10:18, outside
                            [110/1] via 10.10.10.2, 0:10:18, outside

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

If EIGRP is used to accomplish ECMP, refer to Cisco bug ID CSCti54545 (registered customers only) , EIGRP metrics will not update properly on ASA.

Related Information

Revision History

Revision Publish Date Comments
1.0
21-Mar-2013
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products