
Cisco Adaptive Security Appliance (ASA) Software

Adaptive Security Appliance Equal Cost Multi-Path Configuration Example

Document ID: 115986

Updated: Mar 21, 2013

Contributed by Cisco TAC Engineers.


Introduction

This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to select the route, and therefore the next hop, for the packet; it does not employ a round-robin algorithm. Unlike round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as determined by the computed hash.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations

This document describes these configurations:

  • Static Routes Used to Accomplish ECMP

  • Open Shortest Path First Routing Protocol Used to Accomplish ECMP

Static Routes Used to Accomplish ECMP

This example shows three equal cost static routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways based on the source and destination IP addresses in the packet.

Multiple static routes that utilize ECMP are available only on the same interface. ECMP is not supported across multiple interfaces.

ASA Sample Configuration:

route outside 10.10.10.0 255.255.255.0 192.168.1.1
route outside 10.10.10.0 255.255.255.0 192.168.1.2
route outside 10.10.10.0 255.255.255.0 192.168.1.3

Show Route Output on the ASA:

S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.1, outside
                                    [1/0] via 192.168.1.2, outside
                                    [1/0] via 192.168.1.3, outside

Open Shortest Path First Routing Protocol Used to Accomplish ECMP

Open Shortest Path First (OSPF) can be configured to utilize ECMP by providing routes with the same path cost. Below is an example of the use of OSPF between an ASA and two adjacent routers.

In this example, the two routers on the outside run OSPF and are configured to inject default routes to the ASA. The default routes are added to the ASA's routing table, and since both routers send the same metric, the ASA adds them as ECMPs to the default destination network.

OSPF is featured in this document. However, any routing protocol that the ASA supports could be used, such as Enhanced Interior Gateway Routing Protocol (EIGRP).

Sample Configuration

ASA:

router ospf 10
 network 10.10.10.0 255.255.255.0 area 0
 log-adj-changes

Router 1:

router ospf 10
 network 10.10.10.0 0.0.0.255 area 0 
 default-information originate metric 10

Router 2:

router ospf 10
 network 10.10.10.0 0.0.0.255 area 0 
 default-information originate metric 10

The default-information originate command sets the metric to 10 on each router. Because the ASA receives the same metric from both routers, it installs both routes with the same path cost.

Show Route Output on the ASA:

O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.10.10.1, 0:10:18, outside
                            [110/1] via 10.10.10.2, 0:10:18, outside
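
A way to check saved show route output for the equal cost paths configured above, as an added Python example that is not part of the Cisco document. The names parse_routes and check_ecmp are hypothetical, and the parser assumes the output layout of the two samples on this page (a route line followed by indented continuation lines).

```python
import re
from collections import defaultdict

# "show route" output copied from the two examples on this page.
SAMPLE = """\
S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.1, outside
                                    [1/0] via 192.168.1.2, outside
                                    [1/0] via 192.168.1.3, outside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.10.10.1, 0:10:18, outside
                            [110/1] via 10.10.10.2, 0:10:18, outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# A route line starts with a code (S, O*E2, ...) plus network and mask;
# a continuation line carries only another "[AD/metric] via ..." path.
HEAD = re.compile(rf"^(?P<code>\S+)\s+(?P<net>{IP})\s+(?P<mask>{IP})\s+(?P<rest>\[.*)$")
PATH = re.compile(rf"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<hop>{IP}),\s*(?:[^,\s]+,\s*)?(?P<ifc>\S+)")

def parse_routes(text):
    """Return {(net, mask): [(ad, metric, next_hop, interface), ...]}."""
    routes, current = defaultdict(list), None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            current, line = (head["net"], head["mask"]), head["rest"]
        elif not line[:1].isspace():
            current = None  # some other line; do not attach paths to the old prefix
        path = PATH.search(line)
        if path and current:
            routes[current].append((int(path["ad"]), int(path["metric"]), path["hop"], path["ifc"]))
    return dict(routes)

def check_ecmp(paths, expected_hops):
    """List problems for one prefix; an empty list means the ECMP set is as expected."""
    problems = []
    hops = {p[2] for p in paths}
    if hops != set(expected_hops):
        problems.append(f"next hops {sorted(hops)} != expected {sorted(expected_hops)}")
    if len({p[:2] for p in paths}) > 1:
        problems.append("paths differ in distance/metric, so they are not equal cost")
    if len({p[3] for p in paths}) > 1:
        problems.append("paths span more than one interface")
    return problems

if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    print(check_ecmp(routes[("10.10.10.0", "255.255.255.0")], ["192.168.1.1", "192.168.1.2", "192.168.1.3"]))
    print(check_ecmp(routes[("0.0.0.0", "0.0.0.0")], ["10.10.10.1", "10.10.10.2"]))
```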

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

If EIGRP is used to accomplish ECMP, refer to Cisco bug ID CSCti54545 (registered customers only): EIGRP metrics will not update properly on ASA.
