Solved: FTD ECMP with multiple interfaces

Patrick Moubarak · ‎02-07-2018

ASA 9.3(2) introduced the concept of zones with ECMP support across different interfaces (in the same zone):

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Any idea when FTD will support this? the interface zone in FMC seems to be for Snort, not for ASA Lina, only nameif is present in Lina CLI:

firepower# show nameif
Interface Name Security
Ethernet1/5 inside1 0
Ethernet1/6 inside2 0

firepower# show zone
firepower#

EIGRP neighbors come up on both interfaces but routes are only present on inside1.

Is there a recommended design for FTD using L3 routing to 2 Nexus switches? I can't have EIGRP neighbors on vPC VLANs... so I opted for L3 routed interfaces between the 2 Nexus and between each Nexus and FTD.

Thanks

Patrick

Bogdan Nita · ‎02-07-2018

You could use FlexConfig.

If you want to configure Equal-Cost-Multi-Path (ECMP) routing using traffic zones, the zone command differs for Firepower Threat Defense devices compared to the one used on ASA. Although you can still follow the instructions in the ASA general configuration guide, use zone name ecmp instead of the ASA version of the command.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html

HTH

Bogdan

View solution in original post

Bogdan Nita · ‎02-07-2018

You could use FlexConfig.

If you want to configure Equal-Cost-Multi-Path (ECMP) routing using traffic zones, the zone command differs for Firepower Threat Defense devices compared to the one used on ASA. Although you can still follow the instructions in the ASA general configuration guide, use zone name ecmp instead of the ASA version of the command.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html

HTH

Bogdan

Patrick Moubarak · ‎02-07-2018

Thanks Bogdan, I just tried it and it works like a charm!

The FMC doc under ECMP routing says it is not supported across different interfaces.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/routing_overview_for_firepower_threat_defense.html#ID-2101-0000004d

It is the same text as ASA doc before the zone feature was introduced, they just forgot to correct it. They should have a reference to the FlexConfig zone name ecmp.

Patrick

diogo_1203 · ‎01-04-2019

Hello Patrick

Do you still have the script to configure the FlexConfig policy?

Can you share it, please?

Thanks

michal.nehasil · ‎12-08-2020

This worked for me:

zone <zone-name> ecmp

!
interface EthernetX/X
zone-member <zone-name>
interface EthernetY/Y
zone-member <zone-name>

Damon Kalajzich · ‎08-29-2022

Hi all, A FYI Warning. I just did the FMC upgrade to 7.2 and push policy as per the process. My FTD's all lost their Zone config and everything went to S41t. Devices were still running 7.0. FMC 7.2 has added Zones to the Device -> Routing - ECMP. recreate the Zones and assigned the interfaces here. Then remove the flex config from the device.