ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner


4.6. Create ECMP Routing

Problem

You have configured dynamic routing protocols and can possibly learn equal-cost routes. You want to load-balance the traffic flows using all available paths.

Solution

Enable ECMP on the VR using the following command to load-balance traffic per flow among the equal-cost routes:

	SSG-> set vr trust-vr max-ecmp-routes 4
	SSG->

Discussion

You use ECMP on the VR to allow equal-cost routes to be updated in the route table. This recipe illustrates ECMP with the following topology (see Figure 4-4) that has firewalls in Chicago and New York. Both firewalls are connected to the dynamic routing protocol cloud, which means that both could learn equal-cost routes for their internal networks.

Figure 4-4. ECMP routing

The configuration on the Chicago firewall shows that both are using OSPF as the dynamic routing protocol:

	set vrouter "trust-vr"
	unset auto-route-export
	set protocol ospf
	set enable
	exit
	set interface "ethernet0/0" zone "Trust"
	set interface "ethernet0/1" zone "Untrust"
	set interface ethernet0/0 ip 10.1.1.1/24
	set interface ethernet0/0 route
	set interface ethernet0/1 ip 10.1.2.1/24
	set interface ethernet0/1 route
	set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
	set policy id 1
	exit
	set vrouter "trust-vr"
	set max-ecmp-routes 4
	set route 0.0.0.0/0 interface ethernet0/1 gateway 1.1.1.1
	exit
	set interface ethernet0/0 protocol ospf area 0.0.0.0
	set interface ethernet0/0 protocol ospf enable
	set interface ethernet0/1 protocol ospf area 0.0.0.0
	set interface ethernet0/1 protocol ospf enable

OSPF is enabled on the trust-vr, ethernet0/0 is bound to the Trust zone, and ethernet0/1 is bound to the Untrust zone. The ethernet0/0 interface has an IP address of 10.1.1.1/24 and ethernet0/1 has an IP address of 10.1.2.1/24. OSPF is enabled on both interfaces and is attached to area 0. A simple policy is created to allow traffic from the Trust zone to the Untrust zone.

The max-ecmp-routes 4 configuration command enables ECMP on the VR and allows a maximum of four equal-cost routes to be updated in the route table. This is the maximum number of equal-cost routes you can configure on a single VR.

You can verify whether the equal-cost routes are populated in the routing table using the get route command. Here is the routing table output before enabling ECMP:

	Chicago-> get route

	IPv4 Dest-Routes for <untrust-vr> (0 entries)
	--------------------------------------------------------------------
	H: Host C: Connected S: Static A: Auto-Exported
	I: Imported R: RIP P: Permanent D: Auto-Discovered
	iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
	E2: OSPF external type 2


	IPv4 Dest-Routes for <trust-vr> (8 entries)
	--------------------------------------------------------------------
	   ID        IP-Prefix  Interface      Gateway   P Pref  Mtr   Vsys
	--------------------------------------------------------------------
	*  25        0.0.0.0/0     eth0/1      1.1.1.1   S   20    1   Root
	*  19      10.1.2.1/32     eth0/1      0.0.0.0   H    0    0   Root
	*   4      10.1.1.1/32     eth0/0      0.0.0.0   H    0    0   Root
	*  29      10.1.5.1/32     eth0/1   10.1.2.100   O   60    1   Root
	*  28      10.1.4.0/24     eth0/1   10.1.2.100   O   60    3   Root
	*   3      10.1.1.0/24     eth0/0      0.0.0.0   C    0    0   Root
	*  18      10.1.2.0/24     eth0/1      0.0.0.0   C    0    0   Root
	*  30      10.1.3.0/24     eth0/1   10.1.2.100   O   60    2   Root

	Chicago->

IP subnets 10.1.3.0/24 and 10.1.4.0/24 have only one route learned via OSPF on eth0/1, with a next-hop gateway of 10.1.2.100.

Here is the output of the trust-vr table using the get vr trust-vr command after you enable ECMP on the device:

	Chicago-> get vr trust-vr
	Routing Table
	--------------------------------------------------------------------
	H: Host C: Connected S: Static A: Auto-Exported
	I: Imported R: RIP P: Permanent D: Auto-Discovered
	iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
	E2: OSPF external type 2

	Total 10/max entries

	   ID     IP-Prefix    Interface     Gateway   P Pref   Mtr    Vsys
	------------------------------------------------------------------
	*  25     0.0.0.0/0    eth0/1        1.1.1.1   S   20     1     Root
	*  19   10.1.2.1/32    eth0/1        0.0.0.0   H    0     0     Root
	*   4   10.1.1.1/32    eth0/0        0.0.0.0   H    0     0     Root
	*  29   10.1.5.1/32    eth0/1     10.1.2.100   O   60     1     Root
	*  32   10.1.4.0/24    eth0/1     10.1.2.100   O   60     3     Root
	*  33   10.1.4.0/24    eth0/1     10.1.2.200   O   60     3     Root
	*   3   10.1.1.0/24    eth0/0        0.0.0.0   C    0     0     Root
	*  18   10.1.2.0/24    eth0/1        0.0.0.0   C    0     0     Root
	*  30   10.1.3.0/24    eth0/1     10.1.2.100   O   60     2     Root
	*  31   10.1.3.0/24    eth0/1     10.1.2.200   O   60     2     Root

	Interfaces
	--------------------------------------------------------------------
	tunnel, hidden.1, l2v, self, ethernet0/0, vlan1
	v1-trust, v1-untrust, v1-dmz, ethernet0/2, ethernet0/1

	Auto-exporting:                 Disabled
	Default-vrouter:                Yes
	Shared-vrouter:                 Yes
	nsrp-config-sync:               Yes
	System-Default-route:           Not present
	Advertise-Inactive-Interface:   Disabled
	Source-Based-Routing:           Disabled
	SIBR-Routing:                   Disabled
	SNMP Trap:                      Public
	Ignore-Subnet-Conflict:         Disabled
	ECMP-Routing:                   Enabled with 4 as maximum routes

Now, IP subnets 10.1.3.0/24 and 10.1.4.0/24 have two active routes via the eth0/1 interface, but with two different next-hop gateways: 10.1.2.100 and 10.1.2.200. The route IDs 32 and 33 show routes for IP prefix 10.1.4.0/24, and the route IDs 30 and 31 show routes for IP prefix 10.1.3.0/24. The traffic flow is now load-balanced between these routes in a round-robin fashion. At the bottom of the output, you see that ECMP routing is enabled.

Tip

It is important to know that traffic load balancing will be done per session and not per packet. So, if there is only one session, all packets for that session will always flow through the same route. When a second session is initiated, it will use the second route and forward the traffic.

Also, remember that when you enable ECMP, the equal-cost routes are populated in the routing table only after a topology change, such as an OSPF neighbor going down and coming back up. They are not populated for the already existing topology calculation.

You can verify how the sessions are being load-balanced using the get session command. Here is an example of two sessions:

	id 48047/s**,vsys 0,flag 08000040/0000/0001,policy 1,time 170, dip 0 module 0
	 if 0(nspflag 801801):10.1.1.10/35968->10.1.4.32/21,6,000c29eeeed6,sess token 4,vlan 0,tun 0,vsd 0,route 3
	 if 5(nspflag 801800):10.1.1.10/35968<-10.1.4.32/21,6,000585caf0a0,sess token 6,vlan 0,tun 0,vsd 0,route 32

	id 48050/s**,vsys 0,flag 08000040/0000/0001,policy 1,time 180, dip 0 module 0
	 if 0(nspflag 801801):10.1.1.10/35970->10.1.4.32/23,6,000c29eeeed6,sess token 4,vlan 0,tun 0,vsd 0,route 3
	 if 5(nspflag 801800):10.1.1.10/35970<-10.1.4.32/23,6,0010db558d90,sess token 6,vlan 0,tun 0,vsd 0,route 33

Session ID 48047 shows that a File Transfer Protocol (FTP) session was created from 10.1.1.10 to 10.1.4.32 and is using route ID 32. The second session, ID 48050, shows that a Telnet session between the same hosts is using route ID 33. You have already seen from the routing table that the 10.1.4.0/24 network is reachable via route IDs 32 and 33.
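As an added check that is not part of the book, the following Python parses the two outputs above in their ScreenOS layout: it lists the prefixes for which ECMP installed more than one active route of equal metric, then tallies which next hop each session's egress wing was assigned, so you can confirm that sessions really are spreading across the gateways rather than reading the table by eye. The sample text is constructed to match the page's outputs; the regular expressions and function names are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the layout of the book's "get vr trust-vr" table.
ROUTE_TABLE = """\
*  32   10.1.4.0/24    eth0/1     10.1.2.100   O   60     3     Root
*  33   10.1.4.0/24    eth0/1     10.1.2.200   O   60     3     Root
*  30   10.1.3.0/24    eth0/1     10.1.2.100   O   60     2     Root
*  31   10.1.3.0/24    eth0/1     10.1.2.200   O   60     2     Root
"""

# Constructed sample in the layout of "get session" (wrapped lines joined).
SESSIONS = """\
id 48047/s**,vsys 0,flag 08000040/0000/0001,policy 1,time 170, dip 0 module 0
 if 0(nspflag 801801):10.1.1.10/35968->10.1.4.32/21,6,000c29eeeed6,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 5(nspflag 801800):10.1.1.10/35968<-10.1.4.32/21,6,000585caf0a0,sess token 6,vlan 0,tun 0,vsd 0,route 32
id 48050/s**,vsys 0,flag 08000040/0000/0001,policy 1,time 180, dip 0 module 0
 if 0(nspflag 801801):10.1.1.10/35970->10.1.4.32/23,6,000c29eeeed6,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 5(nspflag 801800):10.1.1.10/35970<-10.1.4.32/23,6,0010db558d90,sess token 6,vlan 0,tun 0,vsd 0,route 33
"""

# Active row: "* ID prefix interface gateway P Pref Mtr Vsys"
ROUTE_RE = re.compile(r"^\*\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)")
WING_ROUTE_RE = re.compile(r"\broute (\d+)\s*$")  # trailing "route N" on a wing line

def parse_routes(text):
    """Map route ID -> (prefix, gateway, metric) for active ('*') rows."""
    return {int(m.group(1)): (m.group(2), m.group(4), int(m.group(7)))
            for m in map(ROUTE_RE.match, text.splitlines()) if m}

def ecmp_prefixes(routes):
    """Prefixes that have more than one active route at the same metric."""
    by_prefix = defaultdict(list)
    for rid, (prefix, _gw, metric) in routes.items():
        by_prefix[(prefix, metric)].append(rid)
    return {p: sorted(ids) for (p, _m), ids in by_prefix.items() if len(ids) > 1}

def session_spread(route_text, session_text):
    """Count sessions per (prefix, gateway) among the ECMP routes only."""
    routes = parse_routes(route_text)
    ecmp_ids = {rid for ids in ecmp_prefixes(routes).values() for rid in ids}
    spread = Counter()
    for line in session_text.splitlines():
        m = WING_ROUTE_RE.search(line)
        if m and int(m.group(1)) in ecmp_ids:  # ignore connected/other routes
            prefix, gw, _metric = routes[int(m.group(1))]
            spread[(prefix, gw)] += 1
    return spread
```

A skew in the returned counter (all sessions on one gateway) is the symptom to look for when ECMP was enabled without the topology change the Tip above describes.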
