FTD Traffic Zones (ECMP)

  • Post category: Cisco / FTD

Cisco Secure Firewall Threat Defense (FTD) supports Equal Cost Multi-Path (ECMP) routing: interfaces are grouped into a traffic zone so that traffic can be load balanced over multiple interfaces.

  • ECMP supports asymmetric routing and load balancing.
  • Up to 8 interfaces can be grouped within a zone.
  • ECMP traffic zones are supported in routed mode only.
  • Supported using FTD 6.5 and higher.
  • FMC 7.1 allows native configuration of ECMP in the GUI, older versions require using FlexConfig.

Topology

The diagram below represents the topology used in this example, where 2 interfaces “Cloud-1” and “Cloud-2” will be configured in a Traffic Zone called “Cloud-Zone” to ensure equal cost routing to the ISP routers.

Configuration

This post assumes that the basic interface and routing configuration is already set up.

  • Navigate to Devices > Device Management > DEVICENAME > Routing > ECMP.
  • Click Add
  • Define an appropriate
  • Add the Available Interfaces
  • Once completed click
  • Click Static Route
  • Add a static route via both interfaces, ensuring the metric is identical.

NOTE – if you create 2 or more static routes with the same metric and have not configured ECMP, you will receive the error “Invalid IPv4 Route Configured.” shown below. To use ECMP static routing you must first create the zone and add the correct interfaces to it.

  • Click Save
  • Click Deploy

Verification

Once the configuration changes have been deployed to the FTD, log in to the CLI.

  • Run the command show zone to confirm the zone configuration and zone membership.

To observe the traffic zone configuration, run show running-config zone.

> show running-config zone
zone Cloud-Zone ecmp

To observe the interface configuration, run show running-config interface gigabitethernet x/y.

> show running-config interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
nameif Cloud-1
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
zone-member Cloud-Zone
ip address 192.0.2.1 255.255.255.248
ospf authentication null

> show running-config interface GigabitEthernet 0/1
!
interface GigabitEthernet0/1
nameif Cloud-2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
zone-member Cloud-Zone
ip address 192.0.2.9 255.255.255.248
ospf authentication null

To confirm the static routes are configured using ECMP, run show route static. From the output below we can confirm 2 static routes with the same metric to 172.16.0.0, one via the Cloud-1 interface and one via the Cloud-2 interface.
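The rules above (zone declared with ecmp, at most 8 routed member interfaces, equal-metric routes to one prefix all leaving through the same zone, otherwise FMC rejects them with “Invalid IPv4 Route Configured.”) can be checked offline against a copy of show running-config. The script below is an added example and is not from the original post or from Cisco; the sample config is constructed to mirror the interfaces in this post, and the route lines assume the ASA/FlexConfig syntax route <nameif> <prefix> <mask> <gateway> <metric>. It tolerates the un-indented output shown above as well as normally indented running-configs.

```python
"""Offline sanity check of an FTD/ASA-style running-config for ECMP zones.

Added example, not Cisco's code. Parses `show running-config` text and
verifies the ECMP conditions described in the post.
"""
from collections import defaultdict

MAX_ZONE_MEMBERS = 8  # FTD limit on interfaces per ECMP traffic zone

# Constructed sample config (assumed FlexConfig/ASA syntax for 'route').
SAMPLE_CONFIG = """\
zone Cloud-Zone ecmp
!
interface GigabitEthernet0/0
 nameif Cloud-1
 zone-member Cloud-Zone
 ip address 192.0.2.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Cloud-2
 zone-member Cloud-Zone
 ip address 192.0.2.9 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Inside
 ip address 10.0.0.1 255.255.255.0
!
route Cloud-1 172.16.0.0 255.255.0.0 192.0.2.2 1
route Cloud-2 172.16.0.0 255.255.0.0 192.0.2.10 1
"""


def parse_config(text):
    """Return (zones, interfaces, routes) parsed from running-config text."""
    zones, interfaces, routes = {}, {}, []   # zone -> ecmp flag; phys name -> attrs
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            current = None
            continue
        if tok[0] == "zone" and len(tok) >= 2:
            zones[tok[1]] = "ecmp" in tok[2:]
            current = None
        elif tok[0] == "interface" and len(tok) >= 2:
            current = {"name": tok[1], "nameif": None, "zone": None, "ip": None}
            interfaces[tok[1]] = current
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append({"nameif": tok[1], "prefix": tok[2], "mask": tok[3],
                           "gateway": tok[4],
                           "metric": int(tok[5]) if len(tok) > 5 else 1})
            current = None
        elif current is not None:
            if tok[0] == "nameif" and len(tok) > 1:
                current["nameif"] = tok[1]
            elif tok[0] == "zone-member" and len(tok) > 1:
                current["zone"] = tok[1]
            elif tok[:2] == ["ip", "address"] and len(tok) > 2:
                current["ip"] = tok[2]
    return zones, interfaces, routes


def check_ecmp(text):
    """Return a list of problems; an empty list means the ECMP config is consistent."""
    zones, interfaces, routes = parse_config(text)
    problems = []
    by_nameif = {i["nameif"]: i for i in interfaces.values() if i["nameif"]}
    members = defaultdict(list)
    for i in interfaces.values():
        if i["zone"]:
            members[i["zone"]].append(i)
            if i["zone"] not in zones:
                problems.append(f"{i['name']} references undefined zone {i['zone']}")
    for zone, ecmp in zones.items():
        if not ecmp:
            problems.append(f"zone {zone} is not declared with 'ecmp'")
        if len(members[zone]) > MAX_ZONE_MEMBERS:
            problems.append(f"zone {zone} has {len(members[zone])} members "
                            f"(max {MAX_ZONE_MEMBERS})")
        for i in members[zone]:
            if not (i["nameif"] and i["ip"]):   # zone members must be routed interfaces
                problems.append(f"{i['name']} in zone {zone} has no nameif/ip address")
    # Equal-cost routes to one prefix must all exit via members of a single ECMP zone.
    groups = defaultdict(list)
    for r in routes:
        groups[(r["prefix"], r["mask"], r["metric"])].append(r)
    for (prefix, mask, metric), rs in groups.items():
        if len(rs) < 2:
            continue
        exit_zones = {(by_nameif.get(r["nameif"]) or {}).get("zone") for r in rs}
        if len(exit_zones) != 1 or None in exit_zones or not zones.get(exit_zones.pop()):
            problems.append(f"{len(rs)} routes to {prefix} {mask} metric {metric} do not "
                            f"all exit via one ECMP zone: FMC would reject them as "
                            f"'Invalid IPv4 Route Configured.'")
    return problems


if __name__ == "__main__":
    issues = check_ecmp(SAMPLE_CONFIG)
    print("OK: ECMP configuration is consistent" if not issues else "\n".join(issues))
```

Paste the real show running-config output into SAMPLE_CONFIG (or read it from a file) to check a production device; the route check is the one that reproduces the FMC deployment error before you deploy.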

Testing

For testing we ping the IP address 172.16.0.1 of a server on the outside of the FTD; the traffic will be routed over both interfaces. To easily confirm which interface traffic is using, we take a packet capture on both interfaces, filtering on the destination server IP address.

From the FTD CLI configure 2 packet captures, each matching on a different interface.

capture Cloud-1 interface Cloud-1 match ip any host 172.16.0.1
capture Cloud-2 interface Cloud-2 match ip any host 172.16.0.1

With the captures enabled, we generate some traffic by pinging the destination IP address.

Run show capture; the byte counts increasing on both interfaces confirm that traffic is being captured on each.

Running show capture Cloud-1 will confirm traffic is sent and received on that interface.