Cisco ASA ECMP
Multiple static routes that utilize ECMP are available only on the same interface. ECMP is not supported across multiple interfaces.
Not very useful!!!
Configure PBR with HTTP Path Monitor on FMC - Cisco
Asymmetric routing is allowed in ECMP zone.
Troubleshoot Firepower Threat Defense Routing - Cisco
Equal Cost Multiple Path (ECMP) enables the firewall to use up to four equal-cost routes to the same destination.
In a real-world configuration, two VPN VTIs are configured with ECMP to AWS; traffic always returns to the tunnel it came from, which seems to be the behavior of Palo's "Symmetric Return".
================
Palo Alto ECMP
ECMP load balancing is done at the session level, not at the packet level—the start of a new session is when the firewall (ECMP) chooses an equal-cost path.
ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop.
Configuration:
https://docs.paloaltonetworks.com/ngfw/networking/ecmp/configure-ecmp-on-a-virtual-router#id7b41dd6b-dcfb-429c-adb1-b955cb15a9c7
Suggestion: enable "Symmetric Return" and "Strict Source Path".
https://www.youtube.com/watch?v=KICp-9yXOT0
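The session-level path choice and the "Symmetric Return" behavior noted above, as a toy Python model (an added example, not vendor code and not part of the original notes). The class `EcmpFirewall`, the SHA-256 hash standing in for the firewall's selection algorithm, the interface names and the sample sessions are all assumptions constructed for illustration.

```python
import hashlib

MAX_PATHS = 4  # from the notes: up to four equal-cost routes per destination


class EcmpFirewall:
    """Toy model: the path is chosen once, when a session is created."""

    def __init__(self, paths, symmetric_return=False):
        if not 1 <= len(paths) <= MAX_PATHS:
            raise ValueError(f"need 1..{MAX_PATHS} equal-cost paths")
        self.paths = list(paths)
        self.symmetric_return = symmetric_return
        self.sessions = {}  # session key -> interface used toward the remote side

    def _ecmp_pick(self, key):
        # Assumption: a stable hash of the session key stands in for the
        # vendor's load-balancing algorithm.
        digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
        return self.paths[int.from_bytes(digest[:4], "big") % len(self.paths)]

    def outbound(self, key):
        """Locally initiated session: only the first packet triggers a pick."""
        if key not in self.sessions:
            self.sessions[key] = self._ecmp_pick(key)
        return self.sessions[key]

    def inbound(self, key, ingress):
        """Remotely initiated session: return the interface replies leave on."""
        if key not in self.sessions:
            self.sessions[key] = (ingress if self.symmetric_return
                                  else self._ecmp_pick(key))
        return self.sessions[key]


def asymmetric_sessions(fw, arrivals):
    """Session keys whose replies leave on a different interface than the ingress."""
    return [key for key, ingress in arrivals if fw.inbound(key, ingress) != ingress]


# Constructed sample: 20 sessions from a remote network, alternating tunnels.
TUNNELS = ["tunnel.1", "tunnel.2"]
ARRIVALS = [((f"10.0.0.{i}", "192.168.1.10", 40000 + i, 443, "tcp"), TUNNELS[i % 2])
            for i in range(1, 21)]

if __name__ == "__main__":
    for sym in (False, True):
        fw = EcmpFirewall(TUNNELS, symmetric_return=sym)
        print(f"symmetric_return={sym}: "
              f"{len(asymmetric_sessions(fw, ARRIVALS))} of {len(ARRIVALS)} asymmetric")
```

With symmetric return enabled the ingress interface overrides the ECMP pick, so no session in the model is asymmetric; without it, the reply interface depends only on the session key and not on where the session arrived.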