Paloalto using ECMP for active/active ISP connectivity

From Notes_Wiki

Home > Enterprise security devices or applications > Paloalto firewall > Paloalto using ECMP for active/active ISP connectivity

Enabling ECMP

If an organization has multiple ISPs then:

  1. Enable ECMP in the virtual router with symmetric return. Up to 4 equal-cost routes can be enabled via ECMP.
  2. After commit, check the local routing table of the device under "runtime stats" (this must be done on the device itself; it cannot be done via Panorama) and validate that there are default routes for 0.0.0.0/0 via multiple ISPs with the same cost. Typically these will have flags 'A S E' for Active, Static and ECMP.
    1. If an ISP is PPPoE then two routes will be seen:
      • For 0.0.0.0 with next hop of the ISP gateway, with flags S E
      • For 0.0.0.0 with next hop of 0.0.0.0, with flags A S E


ECMP with multiple ISPs where a few ISPs have lower priority

Note that once ECMP is enabled, any other ISP on the same virtual router stops functioning properly, even for incoming NAT. This is because while the incoming packets arrive via that ISP, the replies always leave via one of the ISPs in ECMP. Hence, if there is a third, non-ECMP ISP, its reply packets go out through one of the other two ISPs. Even https:// management or VPN will not work on this third ISP, which is on the same virtual router but not part of ECMP due to its lower priority.

To have both ECMP across two ISPs and a few other ISPs used only for VPN / NAT, two virtual routers are needed. In this case the LAN is on the first virtual router, with an ECMP default route towards the two ISPs. Then a static route for the other ISP's public IPs is added pointing towards the second virtual router. In the second virtual router, the default route points to that ISP's gateway, and LAN/DMZ-specific routes point back to the first virtual router.
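The two-virtual-router design above, together with the ECMP settings from the first section, written out as PAN-OS set commands. This is an added example, not configuration from the wiki or from Palo Alto; the router names (VR1, VR2), interface assignments, metrics and all IP addresses (documentation ranges) are constructed and must be replaced with your own.

```panos
# --- VR1: LAN-facing virtual router, ISP1 and ISP2 in ECMP (constructed example) ---
set network virtual-router VR1 interface [ ethernet1/1 ethernet1/2 ethernet1/4 ]
set network virtual-router VR1 ecmp enable yes
set network virtual-router VR1 ecmp symmetric-return yes
set network virtual-router VR1 ecmp max-path 2

# Two default routes with the SAME metric, so both qualify as equal-cost paths
set network virtual-router VR1 routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router VR1 routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# Traffic for ISP3's public block goes to VR2 instead of out one of the ECMP paths
set network virtual-router VR1 routing-table ip static-route to-ISP3-public destination 192.0.2.0/29 nexthop next-vr VR2

# --- VR2: ISP3 only (VPN / inbound NAT), deliberately outside ECMP ---
set network virtual-router VR2 interface ethernet1/3
set network virtual-router VR2 routing-table ip static-route ISP3-default destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 192.0.2.1 metric 10

# LAN / DMZ prefixes are reachable only through VR1
set network virtual-router VR2 routing-table ip static-route LAN-via-VR1 destination 10.0.0.0/8 nexthop next-vr VR1
set network virtual-router VR2 routing-table ip static-route DMZ-via-VR1 destination 172.16.10.0/24 nexthop next-vr VR1

commit

# Verification, run on the firewall itself (not via Panorama):
# the two 0.0.0.0/0 entries in VR1 should show flags A S E with equal metric
show routing route virtual-router VR1
```

Security policy still applies to traffic crossing between the two virtual routers, since zones are tied to the interfaces, so the LAN/DMZ zones must be permitted to and from the ISP3 zone as for any other path.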
