Guidelines and Limitations for ECMP

Firewall Mode Guidelines

ECMP zones are supported in routed firewall mode only.

Interface Guidelines

Additional Guidelines

  • A device can have a maximum of 256 ECMP zones.

  • You can associate a maximum of 8 interfaces with each ECMP zone.

  • An interface can be a member of only one ECMP zone.

  • You cannot remove an interface from the ECMP zone while it is associated with an equal-cost static route.

  • You cannot delete an ECMP zone if its interface has equal-cost static routes associated with it.

  • Only routed interfaces can be associated with an ECMP zone.

  • The following interfaces cannot be associated with an ECMP zone:

    • BVI interface.

    • Member interfaces in an EtherChannel.

    • Failover or state link interface.

    • Management-only or management-access interfaces.

    • Cluster control link interface.

    • VNIs.

    • VLAN interfaces.

    • Interfaces in a remote access VPN configuration with SSL enabled.

  • DHCP Relay is not supported on interfaces in an ECMP zone.

  • Dual ISP/WAN threat defense deployment: Create a single ECMP zone for the primary and secondary data interfaces. This configuration lets you create static routes for both interfaces with the same metric value.

  • The threat defense does not support ECMP with NAT in IPsec sessions: a standard IPsec virtual private network (VPN) tunnel does not work with NAT points in the delivery path of IPsec packets.
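
The zone limits and interface exclusions listed above can be checked against a planned zone layout before a change window. The following Python pre-check is an added example, not Cisco code or part of the product. The inventory format, the `kind` labels and the function name are hypothetical, and the static-route and IPsec/NAT guidelines are not modelled.

```python
from collections import Counter

MAX_ZONES = 256            # ECMP zones per device
MAX_IFACES_PER_ZONE = 8    # interfaces per ECMP zone
# Interface kinds the guidelines exclude from ECMP zones (labels are hypothetical).
EXCLUDED_KINDS = {"bvi", "etherchannel-member", "failover-link", "state-link",
                  "management", "cluster-control-link", "vni", "vlan", "ravpn-ssl"}

def validate_ecmp_plan(zones, interfaces):
    """zones: {zone_name: [interface_name, ...]}
    interfaces: {interface_name: {"kind": str, "routed": bool, "dhcp_relay": bool}}
    Returns a sorted list of violation strings (empty means the plan passes)."""
    problems = []
    if len(zones) > MAX_ZONES:
        problems.append(f"device: {len(zones)} zones exceeds {MAX_ZONES}")
    membership = Counter()
    for zone, members in zones.items():
        members = list(dict.fromkeys(members))  # ignore repeats within one zone
        if len(members) > MAX_IFACES_PER_ZONE:
            problems.append(f"{zone}: {len(members)} interfaces exceeds {MAX_IFACES_PER_ZONE}")
        for name in members:
            membership[name] += 1
            attrs = interfaces.get(name)
            if attrs is None:
                problems.append(f"{zone}: {name} is not in the inventory")
                continue
            if attrs["kind"] in EXCLUDED_KINDS:
                problems.append(f"{zone}: {name} is an excluded type ({attrs['kind']})")
            elif not attrs["routed"]:
                problems.append(f"{zone}: {name} is not a routed interface")
            if attrs.get("dhcp_relay"):
                problems.append(f"{zone}: {name} has DHCP relay enabled")
    for name, count in membership.items():
        if count > 1:
            problems.append(f"{name}: member of {count} ECMP zones")
    return sorted(problems)

# Constructed sample: a valid dual-ISP zone plus a deliberately broken zone.
SAMPLE_INTERFACES = {
    "outside1": {"kind": "physical", "routed": True, "dhcp_relay": False},
    "outside2": {"kind": "physical", "routed": True, "dhcp_relay": False},
    "bvi10": {"kind": "bvi", "routed": False, "dhcp_relay": False},
    "dmz": {"kind": "physical", "routed": True, "dhcp_relay": True},
}
SAMPLE_ZONES = {"ecmp-wan": ["outside1", "outside2"], "ecmp-bad": ["bvi10", "dmz", "outside1"]}

if __name__ == "__main__":
    for line in validate_ecmp_plan(SAMPLE_ZONES, SAMPLE_INTERFACES):
        print(line)
```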