topic Re: What is the best way to redistribute all interfaces and Static routes into BGP? in Firewall and Security Management

What is the best way to redistribute all interfaces and Static routes into BGP?

Austin_Ponten — Wed, 14 Jun 2023 14:04:10 GMT

Hi, looking to optimize this BGP implementation for a customer, and I am doing this for the first time so I read these:

https://dl3.checkpoint.com/paid/f3/f313d7128484db88a73976b2d9e886ae/CP_R77.20.60_600_700_1100_1200R_1400_AdvRoutingGuide.pdf?HashKey=1686736335_e5517a13325bab552475369b61ed1e1d&xtn=.pdf

https://support.checkpoint.com/results/sk/sk100501

https://community.checkpoint.com/t5/Security-Gateways/announcing-Routes-via-BGP/td-p/8154#

But I am having trouble understanding why my route maps and route-redistribution statements are not working and wondering if someone has a better guide to tell me how to simply advertise ALL connected interfaces and ALL static routes and I can work from there.

So far I have tried SEVERAL variations of route maps but this is a general one:

set routemap bgp-inbound id 1 on

set routemap bgp-inbound id 1 allow

set routemap bgp-outbound id 1 on

set routemap bgp-outbound id 1 allow

set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 on

set bgp external remote-as 65000 import-routemap bgp-inbound preference 1 on

set bgp internal import-routemap bgp-inbound preference 1 on

set bgp internal export-routemap bgp-outbound preference 1 on

set route-redistribution to bgp-as 65000 from interface all on

set route-redistribution to bgp-as 65000 from static-route all-ipv4-routes on

This 10.0.0.0/8 is the static route I would like to be distributed into BGP.

I dont see it advertised...

What is the most optimal way to fix this? I don't want to advertise every single static route as per Lesley_Willems2 solution in https://community.checkpoint.com/t5/Security-Gateways/announcing-Routes-via-BGP/td-p/8154#

Any help is appreciated, and Ill try to clarify things that I have overcomplicated 🙂

-A

Re: What is the best way to redistribute all interfaces and Static routes into BGP?

PhoneBoy — Wed, 14 Jun 2023 18:53:10 GMT

Are you also redistributing kernel routes?
Pretty sure this is needed here.
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/Route-Redistribution-to-IPv4-BGP-Configuring-in-Gaia-Clish.htmv

Re: What is the best way to redistribute all interfaces and Static routes into BGP?

JozkoMrkvicka — Thu, 15 Jun 2023 10:51:55 GMT

If you want to propagate ALL IPv4 directly connected interfaces AND also ALL IPv4 static routes:

set routemap bgp-outbound id 1 on set routemap bgp-outbound id 1 allow set routemap bgp-outbound id 1 match as 65000 on set routemap bgp-outbound id 1 match protocol direct set routemap bgp-outbound id 2 on set routemap bgp-outbound id 2 allow set routemap bgp-outbound id 2 match as 65000 on set routemap bgp-outbound id 2 match protocol static set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

Only static routes pointing to nexthop IP address of 0.0.0.0 (in your case only static route 10.0.0.0/8):

set routemap bgp-outbound id 1 on set routemap bgp-outbound id 1 allow set routemap bgp-outbound id 1 match as 65000 on set routemap bgp-outbound id 1 match nexthop 0.0.0.0 on set routemap bgp-outbound id 1 match protocol static set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

Best practise is first restrict everything which is not desired to be propagated over BGP (sync, internal networks, default gateway, ...), and after that allow all what is really needed to be propagated.

Re: What is the best way to redistribute all interfaces and Static routes into BGP?

Austin_Ponten — Thu, 15 Jun 2023 13:50:03 GMT

Wow, thanks for the detailed answer!

I will test this and get back on the results when I have time.

-A

Re: What is the best way to redistribute all interfaces and Static routes into BGP?

Austin_Ponten — Fri, 16 Jun 2023 07:29:16 GMT

Works right away! Now I see what you mean by it advertises everything including the sync interface...

So should I then start with the restrictions like this?

set routemap bgp-outbound id 1 on set routemap bgp-outbound id 1 restrict set routemap bgp-outbound id 1 match as 65000 on set routemap bgp-outbound id 1 match interface Sync on

Thanks!