Solved: Firepower ECMP on two ISP with unequal bandwidth.

AlexandreMoniot · ‎06-16-2023

Hello,

I have a cluster of two firepower 3120 in high availability (active/stanby).

It's managed by FMC.

Everything is running in version 7.3.0.

For now, an ECMP zone is configured and load balance the trafic between my two ISP, which both have a bandwidht of 1Gbps.

We will upgrade one of this link to 2Gbps.

Does the ECMP will work?

I have done that before on Palo Alto with weighted round-robin algorithm but on FMC, it seems that i can't choose the repartition's algorithm.

Have you any advice about this configuration?

Thank you.

Regards

MHM Cisco World · ‎06-16-2023

as I mention before the static route to care about the BW of link, not like OSPF/EIGRP
here you config two default route with same metric which make firepower add two path as equal cost.
I check the firepower guide, the firepower for equal cost multi path use hash it not use weight as Palo.

View solution in original post

MHM Cisco World · ‎06-16-2023

The bandwidth mismatch not effect ecmp if you use default route for both path.

defualt route dont care about bw of link

AlexandreMoniot · ‎06-16-2023

Hello @MHM Cisco World ,

Thanks for your reply.

I have defaut route for both path with the same metric.

How the difference of bandwidth will be handled?

If i understand it good, the traffic is balanced equally between the links.

So in my case 50%/50% between the two 1Gbs links.
But with my new link, i would probably prefer a repartition of 66%/33%.

Am i wrong?

On my ex Palo Alto firewall, i can achieve this using a weight on the interfaces but it seems not possible with FTD.

Regards

MHM Cisco World · ‎06-16-2023

This firepower 1k or 2k?

AlexandreMoniot · ‎06-16-2023

It's a cluster of two FPR 2130.

Managed by FMC and using FTD v7.3.0

MHM Cisco World · ‎06-16-2023

It spanned link' etherchannel what uou use for cluster ?

AlexandreMoniot · ‎06-16-2023

Sorry, i'm not sure i understand your question.

The cluster is active/standby, so only one device is passing the trafic.

The topology is as follow:

The FRP are connected to my core switch (Catalyst 9500 in stackwise virtual) using :

- 1 Port channel (2x10G) for inside (LAN).

- 1 Port channel (2x10G) for outside (WAN)

This Port-channel is cut in sub-interfaces which each connected to a different ISP in diffèrent VLANs.

ISP routers are connected to my core switch with 10Gbps optical fiber module.

MHM Cisco World · ‎06-16-2023

as I mention before the static route to care about the BW of link, not like OSPF/EIGRP
here you config two default route with same metric which make firepower add two path as equal cost.
I check the firepower guide, the firepower for equal cost multi path use hash it not use weight as Palo.

AlexandreMoniot · ‎06-18-2023

Helllo @MHM Cisco World ,

Thank you.

You confirm what i was thinking.

I can't have the load balanced correspondingly to the link capacity.

Regards

ivan.garrido · ‎02-28-2024

Hi all, does FPR 1000 support ECMP? I´m considering connect it to two ISP with ECMP. Thanks in advance.