topic Re: BGP configuration for Expressroute in Cloud Firewall

BGP configuration for Expressroute

HBK — Tue, 25 Apr 2023 07:09:36 GMT

Looking for advice on BGP configuration on checkpoint for Azure ExpressRoute, we are using two checkpoint devices and it is working as a cluster

Re: BGP configuration for Expressroute

Chris_Atkinson — Tue, 25 Apr 2023 07:43:01 GMT

With or without VPN and are there specific elements of the config that you need help with or all of it?

Note the BGP Router-ID needs to be configured with the same value on both cluster members, also Graceful restart is recommended.

Re: BGP configuration for Expressroute

HBK — Tue, 25 Apr 2023 07:50:24 GMT

Thank you Chis for your quick response.

I am looking for complete steps, it is without VPN.

Some of the points I have noted. RID should be the VIP and configure eBGP multi-hop option and define the TTL value...

Re: BGP configuration for Expressroute

Chris_Atkinson — Wed, 26 Apr 2023 00:10:40 GMT

For those reading and able to offer assistance, which side of the connection are the Check Point gateways located: on-prem | cloud | both ?

Re: BGP configuration for Expressroute

the_rock — Wed, 26 Apr 2023 00:13:58 GMT

We have customer using exact this setup and has been working for 2 years without issues. I can give you some screenshots of how its configured, will just need to blur out the sensitive info.

Re: BGP configuration for Expressroute

the_rock — Wed, 26 Apr 2023 00:16:40 GMT

Btw, to add to my previous response, we never really followed any special steps, simply whats outlined below and it worked fine.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/BGP-Configuring-in-Gaia-Portal-BGP-Remote-Peers.htm

Re: BGP configuration for Expressroute

HBK — Wed, 26 Apr 2023 03:16:23 GMT

Hi Chris,

Gateway is located on-prem.

Re: BGP configuration for Expressroute

HBK — Wed, 26 Apr 2023 02:56:43 GMT

Hi Rock,

Could you please share the screenshots, if possible. Thanks.

Re: BGP configuration for Expressroute

the_rock — Wed, 26 Apr 2023 03:09:29 GMT

I will see what I can send tomorrow.

Re: BGP configuration for Expressroute

the_rock — Wed, 26 Apr 2023 12:43:05 GMT

Heya @HBK

I had a quick look at customer's config and honestly, as I thought, there is no special instructions we followed, its literally from the link I gave you, so I am sure screenshots wont help. You just need to make sure that BGP peer settings match on the other side and then verify by running show bgp commands in clish what the state is. IF you cant get it going, you can run zdebug for affected peer IP and port 179.

If you need help, let me know, happy to do remote.

Andy

Re: BGP configuration for Expressroute

HBK — Mon, 22 May 2023 10:12:34 GMT

We will be considering an ER backup link as well to Azure through BGP. AS number is the same, but we will be having 2 connections to Azure, so how it would be the configuration in this scenario?

Re: BGP configuration for Expressroute

HBK — Mon, 29 May 2023 04:31:57 GMT

@the_rock @Chris_Atkinson

Dears,

Could you please advise me on the above?

Re: BGP configuration for Expressroute

Blason_R — Mon, 29 May 2023 08:23:45 GMT

Should not be a problem and worked well; I configured at least couple scenarios with Express route and DX connectivity with AWS. Yes BGP listens on cluster interface. You need to define a rule specifically open port 179 and this needs to be added above stealth rule. You can can define neighbor IPs though in rule base. And then you will have to add inbound route-filter else CP will not accept and install routes.

Re: BGP configuration for Expressroute

HBK — Mon, 29 May 2023 09:05:19 GMT

Hi Blason,

Thank you very much for your response.

If you don't mind, can I have the relevant screenshots for the same?

The second peer details also we will mentioned in the peer group as a secondary IP ?

what about the peer IP in the CP side, since the CPs are clustered we have to use the VIP as peer IP right.

Re: BGP configuration for Expressroute

Blason_R — Mon, 29 May 2023 09:20:20 GMT

Here is the config - This should give you hint. As I said before ensure to add a rule above stealth rule where source is your Peer IP and destination is your Cluster Object and port is TCP/179

I enabled ECMP here; it may or may not needed in your scenario

set bgp ecmp on set bgp external remote-as 97xxx on set bgp external remote-as 97xxx import-routemap "ACCEPTAWSDX" preference 10 on set bgp external remote-as 97xxx peer 172.43.xx.xx on set bgp external remote-as 97xxx peer 172.43.xx.xx holdtime 15 set bgp external remote-as 97xxx peer 172.43.xx.xx keepalive 5 set bgp external remote-as 65001 on set bgp external remote-as 65001 peer 192.168.xx.xx on set bgp external remote-as 65001 peer 192.168.xx.xx allowas-in-count 5 set bgp external remote-as 65001 peer 192.168.xx.xx holdtime 15 set bgp external remote-as 65001 peer 192.168.xx.xx keepalive 5 set route-redistribution to bgp-as 97xxx from static-route 10.30.10.0/28 on set route-redistribution to bgp-as 97xxx from static-route 172.16.0.0/12 on set route-redistribution to bgp-as 97xxx from static-route 192.168.0.0/16 on set route-redistribution to bgp-as 65001 from static-route 10.30.10.0/28 on set route-redistribution to bgp-as 65001 from static-route 172.16.0.0/12 on set route-redistribution to bgp-as 65001 from static-route 192.168.0.0/16 on set routemap ACCEPTAWSDX id 10 on set routemap ACCEPTAWSDX id 10 allow set routemap ACCEPTAWSDX id 10 match network 10.100.0.0/16 exact set routemap ACCEPTAWSDX id 30 on set routemap ACCEPTAWSDX id 30 allow set routemap ACCEPTAWSDX id 30 match network 10.120.10.0/24 exact set routemap ACCEPTAWSDX id 35 on set routemap ACCEPTAWSDX id 35 allow set routemap ACCEPTAWSDX id 35 match network 10.120.11.0/24 exact set routemap ACCEPTAWSDX id 50 on set routemap ACCEPTAWSDX id 50 restrict set inbound-route-filter bgp-policy 512 based-on-as as 97xxx on set inbound-route-filter bgp-policy 512 accept-all-ipv4 set inbound-route-filter bgp-policy 516 based-on-as as 65001 on set inbound-route-filter bgp-policy 516 accept-all-ipv4

Re: BGP configuration for Expressroute

the_rock — Mon, 29 May 2023 11:18:25 GMT

I also have some examples if needed.

Andy

Re: BGP configuration for Expressroute

HBK — Mon, 29 May 2023 15:06:43 GMT

Hi Blason,

Thank you very much for sharing the configurations.

Currently we are not enabling ECMP and the second link will only for the redundancy if incase of any failure.

As i mentioned in the previous chat, still i have confussion about RID which IP should we need to define, I saw in many post, if the CPs are clusterd the RID must be VIP, in my sceanario i will be having two VIPs. In addition the back up peer ip details where should i need to define. If you will be able to share screen shot, it would be much appreciated.

In cisco I know that, we can create one loop and define the update source as loop back interface, it is bit easy.

Thanks,

Re: BGP configuration for Expressroute

HBK — Tue, 30 May 2023 06:15:26 GMT

@the_rock

Can I have the same?

BR,

Re: BGP configuration for Expressroute

the_rock — Tue, 30 May 2023 11:07:51 GMT

You can, but it all depends what part specifically you need? Prefix-list, routemaps?

Re: BGP configuration for Expressroute

HBK — Tue, 30 May 2023 11:23:47 GMT

As I mentioned in the previous conversation, which IP should be my RID? can I create a loopback and assign the loop back as RID?

Since we have two IP for peering where should I need to add the secondary IP? Advanced routing-> BGP-> under the peer group -> add both peer IPs its it right way ? Screenshot attached.

Thanks.