topic Re: AS Path prepending to two different peers in the same AS in Firewall and Security Management

AS Path prepending to two different peers in the same AS

Paul_Warnagiris — Fri, 29 Oct 2021 02:03:27 GMT

Hello Checkmates. My goal here is to setup BGP with one ISP that is providing me access to two different POPs for diversity. AS12345 in this example is my ISP. My AS is 65001. They have a POP in CHI and NYC that I peer with. I would like to advertise 2.2.2.0 to ISPA in NYC normally and 3.3.3.0 to them as well, but with the AS path prepended 5 times. Then to ISPB in CHI I would like to advertise 3.3.3.0 normally and 2.2.2.0 to them with the AS path prepended 5 times.

In a Cisco world I would use a route map and I would apply it to a neighbor. Looking through all documentation I can find on the Check Point site I can create route maps, and I can advertise them to my neighboring AS, but I can't advertise them to two different peers in the same AS differently. Unless I'm missing something.

In the 8040 Gaia Advanced Routing Guide i I’m only seeing a way to announce a route-map to a AS, not a peer in the AS. In the case of this customer they will have a neighbor AS, but they will have two different routers in that AS that I want to treat differently.

From the example in sk103047 from (IV-3) Configuration of BGP AS PATH Prepend it shows prepending the path 2 times and 10 times. But its prepending it to the same router. And the example can do that because its advertising to an AS, not a neighbor. Am I missing something?

This is what I'm trying to do. The below example uses routers, but assume they are Check Points in an HA cluster. The transit networks will be /29...the basics are covered. The advertising and the path prepends are not.

This is what the SK shows below and I don't see any information anywhere else the says this can be done. I have had SEs tell me it can be done, but no one that can tell me how....

Any thoughts or guidance?

Thanks,
Paul

Re: AS Path prepending to two different peers in the same AS

Peter_Lyndley — Fri, 29 Oct 2021 07:48:42 GMT

Hello Paul,

Luckily , i have done this recently and the below is the configuration I used (peer R1 and peer R2 are the two ISP routers)

set routemap peerR1 id 15 on

set routemap peerR1 id 15 match network x.x.x.x/y all

set routemap peerR1 id 15 match protocol static

set routemap peerR1 id 15 action aspath-prepend-count 10

set routemap peerR2 id 15 on

set routemap peerR2 id 15 match network x.x.x.x/y all

set routemap peerR2 id 15 match protocol static

set routemap peerR2 id 15 action aspath-prepend-count 1 (or leave the line out for the default setting)

Re: AS Path prepending to two different peers in the same AS

Paul_Warnagiris — Fri, 29 Oct 2021 12:37:47 GMT

Thanks for that. That makes complete sense. I guess the question I have is how do you apply it? Is it applied anywhere? I have used route maps like this before:

set routemap bgp-in-65534 id 10 match network 10.0.0.0/8 all

set routemap bgp-in-65534 id 10 match network 172.16.0.0/12 all

set routemap bgp-in-65534 id 10 match network 192.168.0.0/16 all

And then I apply them like this:

set route-redistribution to bgp-as 65534 from bgp-as-number 53XXX network 10.7.0.0/24 action accept

set route-redistribution to bgp-as 65534 from bgp-as-number 53XXX network 10.7.0.0/24 match-type exact on

set route-redistribution to bgp-as 65534 from bgp-as-number 53XXX network 172.16.100.0/24 action accept

set route-redistribution to bgp-as 65534 from bgp-as-number 53XXX network 172.16.100.0/24 match-type exact on

So in the case above as long as my bgp-in-65534 routemap is matched and therefore in the BGP routing table I can then redistribute what I learned from 53XXX into 65534. But in this case I’m learning and announcing routes from AS to AS. My question is how do I advertise routes or redistribute routes to two different peers differently, in the same AS. Does that make sense?

I see in your example below that if peerR1 matches x.x.x.x/y then the AS path should be prepended 10 times and if it matches from peerR2, prepend once. Where in your config do you show who you announce that to? Or do you? I believe what you are doing is determining for yourself which path you should take based on what you learned from which router. But what I'm trying to do is announce what I learned with prepended AS paths. I can see how in your example you may be able to do something like set route-redistribution to bgp-as 11111 from [aggregate bgp-as-number bgp-as-path default-origin interface kernel ospf2 ospf2ase rip static route] but the “TO” part is only options are [bgp ospf rip].

That is where I’m getting stuck. Does my question make sense?

Thanks,
Paul

Re: AS Path prepending to two different peers in the same AS

Paul_Warnagiris — Fri, 29 Oct 2021 12:50:02 GMT

In the Cisco world I would have done it like this:

router bgp xxxxx
bgp log-neighbor-changes
network 65.xxx.xxx.0 mask 255.255.255.0
neighbor 144.xxx.xxx.49 remote-as 9321
neighbor 144.xxx.xxx.49 route-map to-vz out
!
access-list 10 permit 65.xxx.xxx.0 0.0.0.255
access-list 10 deny any
!
route-map to-vz permit 10
match ip address 10
set as-path prepend 53xxx 53xxx 53xxx
!
route-map to-vz permit 20
!

Re: AS Path prepending to two different peers in the same AS

Peter_Lyndley — Fri, 29 Oct 2021 14:13:35 GMT

hi Paul,

set bgp external remote-as 65534 peer 192.168.1.1 export-routemap peerR1 preference 1 on

set bgp external remote-as 65534 peer 192.168.1.1 export-routemap peerR2 preference 2 on

set bgp external remote-as 65534 peer 192.168.1.2 export-routemap peerR2 preference 1 on

set bgp external remote-as 65534 peer 192.168.1.1 export-routemap peerR1 preference 2 on

or similar to suit your environment

Re: AS Path prepending to two different peers in the same AS

Paul_Warnagiris — Fri, 29 Oct 2021 14:29:29 GMT

Boom! You are the man. That was the missing piece. I appreciate your time.