ECMP & Flow-Hash Modeling

When multiple equal-cost paths exist to the same destination, Infracast can deterministically predict which path a specific traffic flow will take — matching the hash-based load-balancing behavior of the actual network hardware.

Why this matters

ECMP (Equal-Cost Multi-Path) routing distributes flows across parallel paths. Most platforms use a hash of the flow's packet headers to make a consistent forwarding decision — so:

  • The same TCP connection always takes the same path
  • Different flows may take different paths
  • A misconfiguration on one ECMP leg affects only the flows hashed to that leg (~1/N of traffic)

Without ECMP modeling, the path-tracer would arbitrarily report one path and miss that other flows take a different route — possibly through a misconfigured firewall or an ACL that blocks a specific protocol.

Flow-aware path queries

The path-tracer accepts an optional 5-tuple:

{
  "src_ip": "10.0.1.5",
  "dst_ip": "10.0.10.20",
  "protocol": "tcp",
  "src_port": 52341,
  "dst_port": 443
}

When provided, Infracast uses the platform's documented hash algorithm to select a deterministic path from the ECMP group. The result includes:

{
  "ecmp_total": 2,
  "ecmp_selected_index": 1,
  "ecmp_hash_policy": "cisco_cef",
  "path": [ ... ]
}

Without a 5-tuple, all ECMP paths are enumerated (Build 90 behavior).

Platform hash policies

Infracast supports the documented load-balancing hash algorithms for major platforms including Cisco IOS/NX-OS, Linux, AWS, and Azure. Where the hash policy cannot be determined, Infracast falls back to the platform default and flags the result as estimated.
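The following is an added illustration of the flow-to-leg selection described above; it is example code written for this page, not Infracast's implementation. The two hash policies ("l3_only" and "l3_l4"), the protocol-number table and the sample two-leg topology are assumptions made for the example; the real Cisco, Linux, AWS and Azure algorithms are not reproduced. It also shows the Limitations caveat that an L3-only policy ignores L4 ports, and the ~1/N share of flows that land on each leg.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Illustrative hash policies (an assumption for this example, not the real
# platform algorithms). "l3_only" mirrors platforms that hash on L3 headers
# and ignore L4 ports; "l3_l4" hashes the full 5-tuple.
HASH_POLICIES = {
    "l3_only": ("src_ip", "dst_ip", "protocol"),
    "l3_l4": ("src_ip", "dst_ip", "protocol", "src_port", "dst_port"),
}

PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Flow:
    """The 5-tuple the path-tracer accepts."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


def flow_key(flow: Flow, policy: str) -> bytes:
    """Serialise only the header fields the policy hashes on."""
    parts = []
    for name in HASH_POLICIES[policy]:
        value = getattr(flow, name)
        if name.endswith("_ip"):
            value = int(ipaddress.ip_address(value))  # canonical integer form
        elif name == "protocol":
            value = PROTOCOL_NUMBERS[value.lower()]
        parts.append(f"{name}={value}")
    return ";".join(parts).encode()


def select_ecmp_index(flow: Flow, ecmp_total: int, policy: str = "l3_l4") -> int:
    """Map a flow to one leg of an N-way ECMP group.

    SHA-256 is used rather than Python's built-in hash(): str hashing is
    randomised per process, which would make the prediction non-reproducible.
    """
    if ecmp_total < 1:
        raise ValueError("ECMP group must have at least one leg")
    digest = hashlib.sha256(flow_key(flow, policy)).digest()
    return int.from_bytes(digest[:8], "big") % ecmp_total


def trace(flow: Flow, legs: Sequence[List[str]], policy: str = "l3_l4") -> Dict:
    """Return a result shaped like the ecmp_* fields shown on this page."""
    index = select_ecmp_index(flow, len(legs), policy)
    return {
        "ecmp_total": len(legs),
        "ecmp_selected_index": index,
        "ecmp_hash_policy": policy,
        "path": list(legs[index]),
    }


def leg_distribution(flows, ecmp_total: int, policy: str = "l3_l4") -> Dict[int, int]:
    """Count how many flows land on each leg (the ~1/N blast-radius figure)."""
    return dict(Counter(select_ecmp_index(f, ecmp_total, policy) for f in flows))


# Constructed sample topology: two equal-cost legs through different firewalls.
LEGS = [
    ["edge-rtr", "core-1", "fw-a", "dc-rtr"],
    ["edge-rtr", "core-2", "fw-b", "dc-rtr"],
]

if __name__ == "__main__":
    flow = Flow("10.0.1.5", "10.0.10.20", "tcp", 52341, 443)
    print(trace(flow, LEGS, "l3_l4"))
    # Same endpoints, different source port: under an L3-only policy this
    # flow is pinned to the same leg as the one above.
    print(trace(Flow("10.0.1.5", "10.0.10.20", "tcp", 40000, 443), LEGS, "l3_only"))
    sample = [Flow("10.0.1.5", "10.0.10.20", "tcp", p, 443) for p in range(32768, 33768)]
    print(leg_distribution(sample, len(LEGS), "l3_l4"))
```

The point of the stable digest is reproducibility: a path prediction that changes between runs is useless for reviewing which firewall or ACL a given flow will actually traverse. Under "l3_only", every flow between the same pair of hosts collapses onto one leg, which is why a per-leg misconfiguration can go unnoticed until a client with a different source address appears.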

Finding rules

Rule ID           Severity  Description
NETWORK-ECMP-001  MEDIUM    ECMP path with asymmetric MTU — one leg will fragment, others won't
NETWORK-ECMP-002  HIGH      ECMP legs have different ACL rules — inconsistent policy enforcement
NETWORK-ECMP-003  LOW       ECMP across paths with significantly different latency (jitter risk for latency-sensitive workloads)
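As an added example of how the three finding rules compare the legs of one ECMP group, the check below is written for this page and is not Infracast's own rule engine. The rule IDs and severities are those in the table; the EcmpLeg attributes, the latency-spread threshold and the sample groups are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class EcmpLeg:
    """One equal-cost next hop with the per-leg attributes the rules compare."""
    next_hop: str
    mtu: int
    acl_rules: FrozenSet[str]  # normalised ACL entries applied on this leg
    latency_ms: float


# The threshold for "significantly different latency" is an assumption made
# for this example; the page does not state one.
LATENCY_SPREAD_THRESHOLD_MS = 20.0


def check_ecmp_group(destination: str, legs: Sequence[EcmpLeg]) -> List[Dict]:
    """Evaluate NETWORK-ECMP-001..003 against one ECMP group."""
    findings: List[Dict] = []
    if len(legs) < 2:
        return findings  # a single next hop is not an ECMP group

    # NETWORK-ECMP-001: legs disagree on MTU, so some flows will fragment.
    mtus = sorted({leg.mtu for leg in legs})
    if len(mtus) > 1:
        findings.append({
            "rule_id": "NETWORK-ECMP-001",
            "severity": "MEDIUM",
            "destination": destination,
            "detail": f"asymmetric MTU across legs: {mtus}",
        })

    # NETWORK-ECMP-002: legs enforce different ACLs, so policy depends on the hash.
    acl_sets = {leg.acl_rules for leg in legs}
    if len(acl_sets) > 1:
        common = frozenset.intersection(*acl_sets)
        divergent = {leg.next_hop: sorted(leg.acl_rules - common) for leg in legs}
        findings.append({
            "rule_id": "NETWORK-ECMP-002",
            "severity": "HIGH",
            "destination": destination,
            "detail": f"ACL rules differ between legs: {divergent}",
        })

    # NETWORK-ECMP-003: latency spread large enough to cause jitter between flows.
    latencies = [leg.latency_ms for leg in legs]
    spread = max(latencies) - min(latencies)
    if spread > LATENCY_SPREAD_THRESHOLD_MS:
        findings.append({
            "rule_id": "NETWORK-ECMP-003",
            "severity": "LOW",
            "destination": destination,
            "detail": f"latency spread {spread:.1f} ms exceeds {LATENCY_SPREAD_THRESHOLD_MS} ms",
        })
    return findings


# Constructed sample groups for the destination 10.0.10.0/24.
BASE_ACL = frozenset({"permit tcp any 10.0.10.0/24 eq 443"})
INCONSISTENT_GROUP = [
    EcmpLeg("core-1", 9000, BASE_ACL, 1.2),
    EcmpLeg("core-2", 1500, BASE_ACL | {"deny udp any any"}, 35.0),
]
CONSISTENT_GROUP = [
    EcmpLeg("core-1", 9000, BASE_ACL, 1.2),
    EcmpLeg("core-2", 9000, BASE_ACL, 1.4),
]

if __name__ == "__main__":
    for finding in check_ecmp_group("10.0.10.0/24", INCONSISTENT_GROUP):
        print(finding["rule_id"], finding["severity"], finding["detail"])
    print(check_ecmp_group("10.0.10.0/24", CONSISTENT_GROUP))
```

Comparing the ACLs as sets of normalised rule strings keeps the check independent of rule ordering on each device; the detail field reports only the rules that are not common to every leg, which is what an operator needs to reconcile the legs.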

Limitations

  • Hash polarization analysis (multi-tier ECMP where flows concentrate on one leg) is not currently modeled
  • Per-flow telemetry correlation is out of scope — we model the hash, we don't observe actual flows
  • Some platforms hash only on L3 headers by default — L4 port inputs are ignored for those platforms