ECMP

This chapter describes the procedure to configure Equal Cost Multi-Path (ECMP) routing that routing protocols use to load balance the network traffic.

About ECMP

The threat defense device supports Equal-Cost Multi-Path (ECMP) routing. You can configure traffic zones per virtual router to contain a group of interfaces. You can have up to 8 equal cost static or dynamic routes across up to 8 interfaces within each zone. For example, you can configure multiple default routes across three interfaces in the zone: 


route for 0.0.0.0 0.0.0.0 through outside1 to 10.1.1.2
route for 0.0.0.0 0.0.0.0 through outside2 to 10.2.1.2
route for 0.0.0.0 0.0.0.0 through outside3 to 10.3.1.2

Guidelines and Limitations for ECMP

Firewall Mode Guidelines

ECMP zones are supported on routed firewall mode only.

Interface Guidelines

dVTI and Loopback interfaces are not supported.

Additional Guidelines

  • A device can have a maximum of 256 ECMP zones.

  • You can associate only 8 interfaces per ECMP zone.

  • An interface can be a member of only one ECMP zone.

  • You cannot remove an interface that is associated with an equal cost static route from the ECMP zone.

  • You cannot delete an ECMP zone if its interface has equal cost static routes associated with it.

  • Only routed interfaces can be associated with an ECMP zone.

  • The following interfaces cannot be associated with an ECMP zone:

    • BVI interface.

    • Member interfaces in an EtherChannel.

    • Failover or state link interface.

    • Management-only or management-access interfaces.

    • Cluster control link interface.

    • VNIs.

    • VLAN interfaces.

    • Interfaces in a remote access VPN configuration with SSL enabled.

  • DHCP Relay is not supported on interfaces in an ECMP zone.

  • Dual ISP/WAN threat defense Deployment—Create a single ECMP zone for the primary and secondary data interfaces. This configuration enables creation of static routes for both the interfaces with same metric values.

  • The threat defense does not support ECMP with NAT in IPsec sessions—a standard IPsec virtual private network (VPN) tunnel does not work with NAT points in the delivery path of IPsec packets.

Create an ECMP Zone

ECMP zones are created per virtual router. Thus, only the interfaces of the virtual router where the ECMP is being created can be associated with the ECMP.

Procedure

Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Click Routing.

Step 3

From the virtual router drop-down, select the virtual router in which you want to create the ECMP zone.

You can create ECMP zones in global virtual router and user-defined virtual routers. For information on creating virtual routers, see Create a Virtual Router.

Step 4

Click ECMP.

Step 5

Click Add.

Step 6

In the Add ECMP box, enter a name for the ECMP zone.

Note

 

The ECMP name must be unique for the routed device.

Step 7

To associate interfaces, select the interface under the Available Interfaces box, and then click Add.

Remember the following:

  • Only interfaces belonging to the virtual router are available for assigning.

  • Only interfaces with a logical name are listed under the Available Interfaces box. You can edit the interface and provide a logical name in Interfaces. Remember to save the changes for the settings to take effect.

Step 8

Click OK.

The ECMP page now displays the newly created ECMP.

Step 9

Click Save and Deploy the configuration.

You can associate the ECMP zone interfaces with equal cost static route by defining them with same destination and metric value, but with different gateway.

What to do next

Configure an Equal Cost Static Route

Smart License Classic License Supported Devices Supported Domains

Access

Any

N/A

threat defense and threat defense virtual

Any

Admin/Network Admin/Security Approver

You can assign interfaces of a virtual router, both global and user-defined, to an ECMP zone for the device.

Before you begin

  • To configure an equal cost static route for an interface, ensure to associate it with an ECMP zone. See Create an ECMP Zone.

  • All routing configuration settings of a non-VRF capable device are also available for a global virtual router.

  • You cannot define a static route for interfaces with same destination and metric without associating the interfaces with an ECMP zone.

Procedure

Step 1

From the Devices > Device Management page, edit the threat defense device. Click the Routing tab.

Step 2

From the drop-down list, select the virtual router whose interfaces are associated with an ECMP zone.

Step 3

To configure the equal cost static route for the interfaces, click Static Route.

Step 4

Either click Add Route to add a new route, or click Edit (edit icon) for an existing route.

Step 5

From the Interface drop-down, select the interface belonging to the virtual router and an ECMP zone.

Step 6

Select the destination network from the Available Networks box and click Add.

Step 7

Enter a gateway for the network.

Step 8

Enter a metric value. It can be a number that ranges between 1 and 254.

Step 9

To save the settings, click Save.

Step 10

To configure equal cost static routing, repeat the steps to configure the static route for another interface in the same ECMP zone with the same destination network and metric value. Remember to provide a different gateway.

What to do next

Modify an ECMP Zone

Procedure

Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Click Routing.

Step 3

Click ECMP.

ECMP zones with its associated interfaces are displayed in the ECMP page.

Step 4

To modify an ECMP, click Edit (edit icon) against the desired ECMP. In the Edit ECMP box, you can do the following:

  • ECMP Name—Ensure that the changed name is unique for the device.

  • Interfaces—You can add or remove interfaces. You cannot include an interface that is already associated with another ECMP. In addition, you cannot remove the interface that is associated with an equal cost static route.

Step 5

Click OK.

Step 6

To save the changes, click Save.

What to do next

Remove an ECMP Zone

Procedure

Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Click Routing.

Step 3

Click ECMP.

ECMP zones with its associated interfaces are displayed in the ECMP page.

Step 4

To remove an ECMP zone, click Delete (delete icon) against the ECMP zone.

You cannot delete the ECMP zone if any of its interfaces are associated with an equal cost static route.

Step 5

Click Delete in the confirmation message.

Step 6

To save the changes, click Save.

Configuration Example for ECMP

This example demonstrates how to use management center to configure ECMP zones on threat defense such that the traffic flowing through the device is handled efficiently. With ECMP configured, threat defense maintains the routing table per zone basis, and hence it makes it possible to re-route the packets in the best possible routes. Thus, ECMP supports asymmetric routing, load balancing, and handles lost traffic seamlessly. In this example, R4 records the two paths to reach the external file server.

Figure 1. Configuration Example for ECMP
Configuration example for ecmp

Procedure

Step 1

Create virtual routerR4 with Inside1, Outside1, and Outside2 interfaces:

Figure 2. Configuring R4 Virtual Router
Configuring R4 virtual router

Step 2

Create ECMP zones:

  1. In the Routing tab, choose R4 user defined virtual router, and then click ECMP.

  2. Click Add.

  3. Enter the ECMP name and from the Available Interfaces list, choose Outside1 and Outside2:

    Figure 3. Creating ECMP Zone
    Creating ECMP zone

  4. Click Ok, and then Save.

Step 3

Create static routes for the zone interfaces:

  1. In the Routing tab, click Static Route.

  2. From the Interface drop-down list, select Outside1.

  3. Under Available Network, choose any-ipv4 and click Add.

  4. Specify the next-hop address in the Gateway field, 10.1.1.2:

    Figure 4. Configuring Static Route for Outside1
    Static route for outside1

  5. Configure the static route for Outside2, repeating from Step 3b to Step 3d.

Ensure to specify same metric, but different gateways for the static routes:

Figure 5. Configured Static Routes of ECMP Zone Interfaces
Static routes of ECMP zone interfaces

Step 4

Save and Deploy.

The network packets to reach its destination, R3, follows R4>R1>R3 or R4>R2>R3, based on the ECMP algorithm. If R1>R3 route is lost, the traffic flows through R2 without any packet drops. Similarly, the response from R3 can be received by Outside2 though the packet was sent from Outside1. In addition, when the network traffic is heavy, R4 distributes them between the two routes and thus balances the load.

History for ECMP in Secure Firewall Threat Defense

Feature

Minimum Management Center

Minimum Threat Defense

Details

ECMP support as Routing Policy

7.1

Any

Secure Firewall Threat Defense was supporting ECMP routing through FlexConfig policies. From this release, you can group interfaces in to traffic zones and configure ECMP routing in Secure Firewall Management Center.

New/modified screens: Devices > Device Management > Routing > ECMP