topic Re: FTD ECMP with multiple interfaces in Network Security

FTD ECMP with multiple interfaces

Patrick Moubarak — Fri, 21 Feb 2020 15:18:17 GMT

ASA 9.3(2) introduced the concept of zones with ECMP support across different interfaces (in the same zone):

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Any idea when FTD will support this? the interface zone in FMC seems to be for Snort, not for ASA Lina, only nameif is present in Lina CLI:

firepower# show nameif
Interface Name Security
Ethernet1/5 inside1 0
Ethernet1/6 inside2 0

firepower# show zone
firepower#

EIGRP neighbors come up on both interfaces but routes are only present on inside1.

Is there a recommended design for FTD using L3 routing to 2 Nexus switches? I can't have EIGRP neighbors on vPC VLANs... so I opted for L3 routed interfaces between the 2 Nexus and between each Nexus and FTD.

Thanks

Patrick

Re: FTD ECMP with multiple interfaces

Bogdan Nita — Wed, 07 Feb 2018 15:54:11 GMT

You could use FlexConfig.

If you want to configure Equal-Cost-Multi-Path (ECMP) routing using traffic zones, the zone command differs for Firepower Threat Defense devices compared to the one used on ASA. Although you can still follow the instructions in the ASA general configuration guide, use zone name ecmp instead of the ASA version of the command.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html

HTH

Bogdan

Re: FTD ECMP with multiple interfaces

Patrick Moubarak — Wed, 07 Feb 2018 16:10:49 GMT

Thanks Bogdan, I just tried it and it works like a charm!

The FMC doc under ECMP routing says it is not supported across different interfaces.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/routing_overview_for_firepower_threat_defense.html#ID-2101-0000004d

It is the same text as ASA doc before the zone feature was introduced, they just forgot to correct it. They should have a reference to the FlexConfig zone name ecmp.

Patrick

Re: FTD ECMP with multiple interfaces

diogo_1203 — Fri, 04 Jan 2019 13:39:21 GMT

Hello Patrick

Do you still have the script to configure the FlexConfig policy?

Can you share it, please?

Thanks

Re: FTD ECMP with multiple interfaces

michal.nehasil — Tue, 08 Dec 2020 11:01:28 GMT

This worked for me:

zone <zone-name> ecmp

!
interface EthernetX/X
zone-member <zone-name>
interface EthernetY/Y
zone-member <zone-name>

Re: FTD ECMP with multiple interfaces

Damon Kalajzich — Mon, 29 Aug 2022 08:42:19 GMT

Hi all, A FYI Warning. I just did the FMC upgrade to 7.2 and push policy as per the process. My FTD's all lost their Zone config and everything went to S41t. Devices were still running 7.0. FMC 7.2 has added Zones to the Device -> Routing - ECMP. recreate the Zones and assigned the interfaces here. Then remove the flex config from the device.