This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jacky_Chen
Participant
‎2018-04-23 06:10 PM

Check Point route based VPN with OSPF

大家好,

    最近 Vincent 剛好遇到一個架構, 主點與分點之間各有一路 Internet 及 MPLS專線, 通常客戶都會想用 Internet 線路來做 MPLS的備援線路, 而 Check Point 只能對 routing 的 Gateway 做 monitor, 所以要檢查到線路實際上是不是通的會有難度(畢竟 Check Point 不是 WLB)
    我在這邊就分享一下以前的一個做法, Internet 及 MPLS 二路都做 route based VPN 再加上 OSPF,讓二端的 routing 資訊自動交換, 而線路實際上通不通就交給 OSPF neighbor hello 來偵測, 附件是四年前做的 SOP 文件, 供大家參考, 雖然當時是 R77.10 版本, 但現在 R80.10 也是一樣的做法

Chechpoint_IPSec_w_OSPF_SOP.pdf
Preview file
2203 KB
3 Replies
Neville_Kuo
Advisor
‎2018-04-23 06:55 PM

OSPF幾個要點:

1.同一個Area裡的LSA,就是Type 1和Type 2,跨了Area,就是Type 3,跨了Routing protocol(Redistribute進來的),就是Type 5,至於NSSA(No So Stuby Area)就是Type 7。

2.同一個Area裡,有DR(Designated Router)、BDR(Backup DR)和DROTHER,跨了Area,開始出現ABR(Area Border Router),但如果傳輸媒介是專線或NBMA(None Broadcast Multiple Access),就不會選DR/BDR,建議Check Point和其它網路設備跑OSPF時,不要參與DR/BDR推選

3.如果和其它廠牌OSPF neighbor建不起來時,如果沒有設定authentication參數,通常是hello interval或者MTU不合,可以用debug或tcpdump方式檢查

4.OSPF的LSA不能被過濾,因為那是算出最終Routing table的元件,在同Area裡的Router都要同步

以上,有錯歡迎指正,我憑空寫的

Danny_Yang
Ambassador
Ambassador
‎2018-04-25 11:02 AM
In response to Neville_Kuo

N大語氣中顯露濃濃的傲嬌~

0 Kudos
Danny_Yang
Ambassador
Ambassador
‎2018-04-25 10:57 AM

果然要網路大神才能有這麼精闢的見解,謝謝Jacky分享!

0 Kudos
Trending Discussions
Chech Pointt 1900
Upcoming Events

    CheckMates Events
    Top