topic Check Point route based VPN with OSPF in Chinese 中文 https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17866#M259 <HTML><HEAD></HEAD><BODY><P>大家好,</P><P></P><P>&nbsp;&nbsp;&nbsp; 最近 Vincent 剛好遇到一個架構, 主點與分點之間各有一路 Internet 及 MPLS專線, 通常客戶都會想用 Internet 線路來做 MPLS的備援線路, 而 Check Point 只能對 routing 的 Gateway 做 monitor, 所以要檢查到線路實際上是不是通的會有難度(畢竟 Check Point 不是 WLB)<BR />&nbsp;&nbsp; &nbsp;我在這邊就分享一下以前的一個做法, Internet 及 MPLS 二路都做 route based VPN 再加上 OSPF,讓二端的 routing 資訊自動交換, 而線路實際上通不通就交給 OSPF neighbor hello 來偵測, 附件是四年前做的 SOP 文件, 供大家參考, 雖然當時是 R77.10 版本, 但現在 R80.10 也是一樣的做法</P></BODY></HTML> Tue, 24 Apr 2018 01:10:33 GMT Jacky_Chen 2018-04-24T01:10:33Z Check Point route based VPN with OSPF https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17866#M259 <HTML><HEAD></HEAD><BODY><P>大家好,</P><P></P><P>&nbsp;&nbsp;&nbsp; 最近 Vincent 剛好遇到一個架構, 主點與分點之間各有一路 Internet 及 MPLS專線, 通常客戶都會想用 Internet 線路來做 MPLS的備援線路, 而 Check Point 只能對 routing 的 Gateway 做 monitor, 所以要檢查到線路實際上是不是通的會有難度(畢竟 Check Point 不是 WLB)<BR />&nbsp;&nbsp; &nbsp;我在這邊就分享一下以前的一個做法, Internet 及 MPLS 二路都做 route based VPN 再加上 OSPF,讓二端的 routing 資訊自動交換, 而線路實際上通不通就交給 OSPF neighbor hello 來偵測, 附件是四年前做的 SOP 文件, 供大家參考, 雖然當時是 R77.10 版本, 但現在 R80.10 也是一樣的做法</P></BODY></HTML> Tue, 24 Apr 2018 01:10:33 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17866#M259 Jacky_Chen 2018-04-24T01:10:33Z Re: Check Point route based VPN with OSPF https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17867#M260 <HTML><HEAD></HEAD><BODY><P>OSPF幾個要點:</P><P>1.同一個Area裡的LSA,就是Type 1和Type 2,跨了Area,就是Type 3,跨了Routing protocol(Redistribute進來的),就是Type 5,至於NSSA(No So Stuby Area)就是Type 7。</P><P>2.同一個Area裡,有DR(Designated Router)、BDR(Backup DR)和DROTHER,跨了Area,開始出現ABR(Area Border Router),但如果傳輸媒介是專線或NBMA(None Broadcast Multiple Access),就不會選DR/BDR,建議Check Point和其它網路設備跑OSPF時,不要參與DR/BDR推選</P><P>3.如果和其它廠牌OSPF neighbor建不起來時,如果沒有設定authentication參數,通常是hello interval或者MTU不合,可以用debug或tcpdump方式檢查</P><P>4.OSPF的LSA不能被過濾,因為那是算出最終Routing table的元件,在同Area裡的Router都要同步</P><P></P><P>以上,有錯歡迎指正,我憑空寫的</P></BODY></HTML> Tue, 24 Apr 2018 01:55:59 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17867#M260 Neville_Kuo 2018-04-24T01:55:59Z Re: Check Point route based VPN with OSPF https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17868#M261 <HTML><HEAD></HEAD><BODY><P>果然要網路大神才能有這麼精闢的見解,謝謝Jacky分享!</P></BODY></HTML> Wed, 25 Apr 2018 17:57:05 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17868#M261 Danny_Yang 2018-04-25T17:57:05Z Re: Check Point route based VPN with OSPF https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17869#M262 <HTML><HEAD></HEAD><BODY><P>N大語氣中顯露濃濃的傲嬌~</P></BODY></HTML> Wed, 25 Apr 2018 18:02:22 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Check-Point-route-based-VPN-with-OSPF/m-p/17869#M262 Danny_Yang 2018-04-25T18:02:22Z