1. Overview:
– Equal Cost Multipath (ECMP) is a feature introduced in Palo Alto PAN-OS 7.0. It load-balances traffic across multiple internet links, and it supports a maximum of 4 WAN paths.
– Without this feature, the firewall picks one of the available internet routes to serve internet access and leaves the remaining routes unused until the active internet connection fails.
– ECMP load balancing is performed at the session level, not at the packet level: the firewall chooses the internet path for a session when that session starts.
2. Diagram for the lab:
– The network diagram has the following components:
- WAN 1 >> ISP 1: subnet 10.0.0.0/24. Two IPs are used: ISP: 10.0.0.1, Firewall: 10.0.0.2 (ethernet1/2).
- WAN 2 >> ISP 2: subnet 172.16.31.0/24. Two IPs are used: ISP: 172.16.31.1, Firewall: 172.16.31.2 (ethernet1/1).
- LAN subnet: 172.16.16.0/24. In the lab, a PC with IP 172.16.16.100 connects to port ethernet1/3 of the Palo Alto firewall, which has the IP address 172.16.16.1.
– This article shows how to configure load balancing with ECMP so that internet traffic from the PC is split across the 2 paths, WAN 1 and WAN 2.
3. Steps to take:
- Zone configuration.
- Interface configuration.
- Configure Virtual Router.
- Configure NAT policy.
- Configure Security Policy.
- Check the result.
4. Zone configuration: create 2 zones: LAN and WAN
– Go to Network >> Zone >> click Add, and in the Zone page enter the following information:
- Name: WAN
- Type: Layer3
– Create the LAN zone in the same way:
5. Interface configuration:
– Configure interface ethernet1/1: go to Network >> Interface >> ethernet1/1, and in the Ethernet Interface page enter the following information.
– In the Config tab:
- Interface Type: Layer3
- Security Zone: WAN
– In the IPv4 tab:
- Type: Static.
- Click Add and enter the IP 172.16.31.2/24.
– Next, do the same for the 2 interfaces Ethernet1/2 and Ethernet1/3, with the parameters shown below:
– Interface configuration Ethernet1/2:
– Interface configuration Ethernet1/3:
6. Configure Virtual Router: to route traffic from the LAN to the 2 WANs
– To create a Virtual Router, go to Network >> Virtual Routers >> click Add, and in the Virtual Router page:
– In the Router Settings tab, configure the following information:
- Name: VR1.
- Interface: click Add and select the 3 interfaces ethernet1/1, ethernet1/2 and ethernet1/3.
– In the Static Routes tab >> click Add >> create the 2 static routes default-1 and default-2 with the parameters shown:
– Go back to the Router Settings tab and move to the ECMP section to configure load balancing:
- Check Enable to enable load balancing.
- Under Load Balance >> Method, the available load balancing methods are IP Modulo, IP Hash, Weighted Round Robin and Balanced Round Robin.
– Explanation of the 4 load balancing methods:
- IP Modulo and IP Hash: both use a hash of information in the packet header, such as the source and destination addresses. Because the header of every flow in a given session carries the same source and destination information, these options prioritize session continuity. With IP Hash, the hash can be based on the source and destination addresses, or on the source address only (PAN-OS 8.0.3 and later). Hashing on the source address only means that all sessions from the same source IP address always use the same path out of the available paths, so the path is consistent and easier to troubleshoot if needed. You can optionally set a Hash Seed value to further randomize the load balancing if you have a large number of sessions going to the same destination and they are not evenly distributed across the ECMP links.
- Balanced Round Robin distributes incoming sessions evenly across the links, prioritizing load balancing over session continuity (round robin means the least recently selected path is chosen next). If paths are added to or removed from an ECMP group (for example, because a path in the group goes down), the Virtual Router rebalances sessions across the links in the group. Likewise, if the flows of a session had to switch paths because of a failure, they return to the original path once it becomes available again, as the Virtual Router rebalances the load.
- Weighted Round Robin weights paths to account for capacity and/or link speed: as an extension to the ECMP standard, the Palo Alto Networks implementation offers a Weighted Round Robin option that takes into account the different capacities and speeds of the links on the firewall's egress interfaces. With this option you assign an ECMP weight (range 1-255; default 100) to each interface based on link performance factors such as link capacity and latency, so that the load is balanced to make full use of the available links.
– In this tutorial we will choose Balanced Round Robin.
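To make the trade-off between the four methods above concrete, here is a small Python model that is an added example, not code from the original post or from Palo Alto Networks. The real PAN-OS hash function is not public, so the modulo and SHA-256 arithmetic below are stand-ins; the interface names come from the lab diagram, and the sessions and weights are constructed for the example. What it shows: hash-based methods keep a given session (or, in source-only mode, a given source host) on one path, Balanced Round Robin spreads sessions evenly and restarts its rotation when a path goes down or comes back, and Weighted Round Robin spreads them in proportion to the 1-255 weights.

```python
"""Simplified model of the four ECMP path-selection methods (added example,
not PAN-OS code; the hash and modulo functions are illustrative stand-ins)."""
import hashlib
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Egress paths from the lab diagram: ethernet1/1 (ISP 2) and ethernet1/2 (ISP 1).
PATHS: List[str] = ["ethernet1/1", "ethernet1/2"]


def ip_modulo(src: str, dst: str, paths: List[str] = PATHS) -> str:
    """IP Modulo (model): arithmetic on the two addresses, so the same
    src/dst pair always lands on the same path."""
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    return paths[key % len(paths)]


def ip_hash(src: str, dst: Optional[str], seed: int = 0,
            paths: List[str] = PATHS) -> str:
    """IP Hash (model): hash of the source address, the destination address
    unless dst is None (source-address-only mode), and an optional hash seed."""
    material = f"{seed}|{src}|{dst or ''}".encode()
    digest = hashlib.sha256(material).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


class BalancedRoundRobin:
    """Each new session goes to the least recently selected path that is up;
    a path going down or coming back resets the rotation (rebalance)."""

    def __init__(self, paths: Iterable[str] = PATHS) -> None:
        self.active: List[str] = list(paths)
        self._next = 0

    def set_path_state(self, path: str, up: bool) -> None:
        if up and path not in self.active:
            self.active.append(path)
            self.active.sort()
        elif not up and path in self.active:
            self.active.remove(path)
        self._next = 0  # rebalance: start the rotation over

    def pick(self) -> str:
        path = self.active[self._next % len(self.active)]
        self._next += 1
        return path


class WeightedRoundRobin:
    """Smooth weighted round robin: over sum(weights) sessions each path is
    chosen exactly weight times. Weights use the PAN-OS range 1-255."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if any(not 1 <= w <= 255 for w in weights.values()):
            raise ValueError("ECMP weight must be in 1-255")
        self.weights = dict(weights)
        self._current = {p: 0 for p in weights}

    def pick(self) -> str:
        total = sum(self.weights.values())
        for path, weight in self.weights.items():
            self._current[path] += weight
        chosen = max(self._current, key=self._current.get)
        self._current[chosen] -= total
        return chosen


def distribute(select: Callable[[str, str], str],
               sessions: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count how many of the given (src, dst) sessions each path receives."""
    return dict(Counter(select(src, dst) for src, dst in sessions))


def tally(pick: Callable[[], str], n: int) -> Dict[str, int]:
    """Count the paths returned by n consecutive picks of a round-robin picker."""
    return dict(Counter(pick() for _ in range(n)))


# Constructed sessions: the lab PC talking to ten TEST-NET-2 destinations.
PC = "172.16.16.100"
LAB_SESSIONS = [(PC, f"198.51.100.{n}") for n in range(1, 11)]


def demo() -> Dict[str, Dict[str, int]]:
    """Run the same ten sessions through every method and compare the spread."""
    rr = BalancedRoundRobin()
    wrr = WeightedRoundRobin({"ethernet1/1": 100, "ethernet1/2": 200})
    return {
        "ip_modulo": distribute(ip_modulo, LAB_SESSIONS),
        "ip_hash": distribute(lambda s, d: ip_hash(s, d), LAB_SESSIONS),
        "ip_hash_source_only": distribute(lambda s, d: ip_hash(s, None), LAB_SESSIONS),
        "balanced_round_robin": distribute(lambda s, d: rr.pick(), LAB_SESSIONS),
        "weighted_round_robin": distribute(lambda s, d: wrr.pick(), LAB_SESSIONS),
    }


if __name__ == "__main__":
    for method, counts in demo().items():
        print(f"{method:22} {counts}")
```

Running it shows source-only IP Hash putting all ten sessions on a single interface (the "consistent path" behaviour), while the round-robin variants split them 5/5 and 3/7; the `set_path_state` method models the rebalancing the text describes when a path in the group goes down and later returns.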
7. Configure NAT Policy Rule:
– We need to create 2 NAT policies, one per WAN, for ISP 1 and ISP 2. Go to Policies >> NAT >> click Add.
– Create the first NAT policy, for ISP 1, with the following configuration.
– Create the second NAT policy, for ISP 2, with the following configuration.
8. Configure Security Policy:
– Go to Policies >> Security >> click Add and configure the parameters as shown below.
9. Results:
– Access Google from the PC.
– In the firewall GUI, go to Monitor > Logs > Traffic and check the results.
– It can be seen that the traffic of the PC with IP 172.16.16.100 has been evenly distributed across both ports: ethernet1/1, connected to ISP 2, and ethernet1/2, connected to ISP 1.
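Reading the distribution off the Traffic log by eye works for a handful of sessions; for a longer test, the following Python script does the same check over an exported log. It is an added example, not code from the original post or from Palo Alto Networks. The CSV embedded below is constructed for the example and keeps only a few of the columns of a PAN-OS traffic log export; the column names are assumptions, so map them to the header of your own export before use. The expected egress interfaces and PC address come from the lab diagram.

```python
"""Check the ECMP result from an exported traffic log (added example; the
sample CSV is constructed and its column names are assumptions)."""
import csv
import io
from collections import Counter
from typing import Dict, Set

PC_IP = "172.16.16.100"
# Egress interfaces from the lab diagram: ethernet1/1 (ISP 2), ethernet1/2 (ISP 1).
WAN_INTERFACES: Set[str] = {"ethernet1/1", "ethernet1/2"}

# Constructed sample: 8 allowed sessions from the PC alternating between the two
# WAN interfaces, plus one denied session and one session from another host,
# neither of which should be counted. Destinations are TEST-NET-2 addresses.
SAMPLE_LOG = """\
receive_time,src,dst,from_zone,to_zone,inbound_if,outbound_if,action
2024/01/01 10:00:01,172.16.16.100,198.51.100.1,LAN,WAN,ethernet1/3,ethernet1/1,allow
2024/01/01 10:00:02,172.16.16.100,198.51.100.2,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 10:00:03,172.16.16.100,198.51.100.3,LAN,WAN,ethernet1/3,ethernet1/1,allow
2024/01/01 10:00:04,172.16.16.100,198.51.100.4,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 10:00:05,172.16.16.100,198.51.100.5,LAN,WAN,ethernet1/3,ethernet1/1,allow
2024/01/01 10:00:06,172.16.16.100,198.51.100.6,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 10:00:07,172.16.16.100,198.51.100.7,LAN,WAN,ethernet1/3,ethernet1/1,allow
2024/01/01 10:00:08,172.16.16.100,198.51.100.8,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 10:00:09,172.16.16.100,198.51.100.9,LAN,WAN,ethernet1/3,ethernet1/1,deny
2024/01/01 10:00:10,172.16.16.50,198.51.100.1,LAN,WAN,ethernet1/3,ethernet1/2,allow
"""

# Constructed counter-example: every session leaving on one interface, which is
# what the log looks like when ECMP is not in effect (e.g. not enabled in the
# Virtual Router, or only one of the two default routes being used).
SINGLE_PATH_LOG = """\
receive_time,src,dst,from_zone,to_zone,inbound_if,outbound_if,action
2024/01/01 11:00:01,172.16.16.100,198.51.100.1,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 11:00:02,172.16.16.100,198.51.100.2,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 11:00:03,172.16.16.100,198.51.100.3,LAN,WAN,ethernet1/3,ethernet1/2,allow
2024/01/01 11:00:04,172.16.16.100,198.51.100.4,LAN,WAN,ethernet1/3,ethernet1/2,allow
"""


def egress_distribution(log_text: str, src: str) -> Dict[str, int]:
    """Count allowed LAN->WAN sessions from src per egress interface."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != src or row["action"] != "allow":
            continue
        if row["from_zone"] != "LAN" or row["to_zone"] != "WAN":
            continue
        counts[row["outbound_if"]] += 1
    return dict(counts)


def check_ecmp(counts: Dict[str, int], tolerance: float = 0.25) -> Dict[str, object]:
    """Report whether sessions are spread across all WAN interfaces within
    tolerance, and list any unexpected or unused egress interfaces."""
    total = sum(counts.values())
    seen = set(counts)
    report: Dict[str, object] = {
        "total_sessions": total,
        "unexpected": sorted(seen - WAN_INTERFACES),
        "unused": sorted(WAN_INTERFACES - seen),
        "balanced": False,
    }
    if total and not report["unused"] and not report["unexpected"]:
        expected = total / len(WAN_INTERFACES)
        report["balanced"] = all(
            abs(counts[i] - expected) <= tolerance * expected for i in WAN_INTERFACES)
    return report


if __name__ == "__main__":
    for name, log in (("ecmp", SAMPLE_LOG), ("single path", SINGLE_PATH_LOG)):
        counts = egress_distribution(log, PC_IP)
        print(name, counts, check_ecmp(counts))
```

An "unused" interface in the report points back to the Virtual Router step (ECMP not enabled, or one of the two default routes not taking effect), while an "unexpected" interface means traffic is leaving through something other than the two WAN ports and the Security or NAT policy deserves a second look.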