Guidelines and limitations for ECMP

Follow these principles for effective ECMP zone configuration:

Firewall mode limitations

Use ECMP zones only in routed firewall mode.

Interface restrictions

Do not use dVTI or Loopback interfaces with ECMP zones.

ECMP zone configuration limits

Follow these limits when configuring ECMP zones:

  • Devices can have a maximum of 256 ECMP zones.

  • You can associate a maximum of 8 interfaces with an ECMP zone.

  • An interface can be a member of only one ECMP zone.

Interface management limitations

Do not remove interfaces or delete zones actively used for routing:

  • You cannot remove an interface that is associated with an equal cost static route from the ECMP zone.

  • You cannot delete an ECMP zone if its interface has equal cost static routes associated with it.

Supported interface types

Use only routed interfaces for ECMP zones. Do not associate these interface types with an ECMP zone:

  • BVI interface.

  • Member interfaces in an EtherChannel.

  • Failover or state link interface.

  • Management-only or management-access interfaces.

  • Cluster control link interface.

  • VNIs.

  • VLAN interfaces.

  • Interfaces in a remote access VPN configuration with SSL enabled.

Feature compatibility limitations

Consider these feature limitations when using ECMP zones:

  • DHCP Relay is not supported on interfaces in an ECMP zone.

  • In a dual ISP/WAN Firewall Threat Defense deployment, create a single ECMP zone for the primary and secondary data interfaces; this enables static routes with identical metric values.

  • The Firewall Threat Defense does not support ECMP with NAT in IPsec sessions—a standard IPsec virtual private network (VPN) tunnel does not work with NAT points in the delivery path of IPsec packets.
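
As an added example (not vendor code and not part of the original page), the following Python check lints a planned ECMP zone layout against the limits listed above before it is deployed. The plan dictionary layout, the interface `kind` labels and the function name are assumptions made for illustration.

```python
# Added example: lint a planned ECMP zone layout against the limits on this page.
# The plan format and the interface "kind" labels are assumptions for illustration.
from collections import Counter

MAX_ZONES = 256            # maximum ECMP zones per device
MAX_IFACES_PER_ZONE = 8    # maximum interfaces per ECMP zone
UNSUPPORTED_KINDS = {      # hypothetical labels for the excluded interface types
    "dvti", "loopback", "bvi", "etherchannel-member", "failover-link",
    "state-link", "management", "cluster-control-link", "vni", "vlan",
    "ravpn-ssl",
}

def validate_ecmp_plan(plan):
    """Return a list of violations; an empty list means the plan passes."""
    issues = []
    if plan.get("firewall_mode") != "routed":
        issues.append("ECMP zones require routed firewall mode")
    zones = plan.get("zones", {})
    if len(zones) > MAX_ZONES:
        issues.append(f"{len(zones)} zones exceeds the limit of {MAX_ZONES}")
    membership = Counter()  # how many zones each interface appears in
    for zone, members in zones.items():
        if len(members) > MAX_IFACES_PER_ZONE:
            issues.append(f"zone {zone}: {len(members)} interfaces exceeds {MAX_IFACES_PER_ZONE}")
        for name in members:
            membership[name] += 1
            iface = plan.get("interfaces", {}).get(name, {})
            if iface.get("kind") in UNSUPPORTED_KINDS:
                issues.append(f"zone {zone}: {name} is an unsupported type ({iface['kind']})")
            if iface.get("dhcp_relay"):
                issues.append(f"zone {zone}: {name} has DHCP Relay enabled")
    for name, count in membership.items():
        if count > 1:
            issues.append(f"interface {name} is a member of {count} ECMP zones")
    return issues

# Constructed sample plan (not from a real device).
SAMPLE_PLAN = {
    "firewall_mode": "routed",
    "interfaces": {
        "outside1": {"kind": "routed"},
        "outside2": {"kind": "routed", "dhcp_relay": True},
        "lo0": {"kind": "loopback"},
    },
    "zones": {"isp": ["outside1", "outside2"], "backup": ["outside1", "lo0"]},
}
```

Calling `validate_ecmp_plan(SAMPLE_PLAN)` reports the DHCP Relay conflict, the loopback member and the interface that sits in two zones.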