Questions about redistribute routes to remote AS with BGP
Hello everyone,
I created this post to ask for your help with some doubts I have about BGP and how to redistribute routes to a remote AS.
I have a scenario on a GNS3 server:
Check Point Firewall R81.20 JHF 89 (represented as “Cloud” node)
-eth0 192.168.5.130
-eth1 10.1.0.130
-eth2 192.168.70.130
[Autonomous System 1]
Router 1 (c3600):
-fa0/0 192.168.5.131
-fa0/1 10.50.50.1
-loopback 1.1.1.1
[Autonomous system 10]
Router 2 (c3600):
-fa0/0 10.50.50.2
-loopback 2.2.2.2
[Autonomous system 20]
R1 and R2 advertise and redistribute their directly connected networks (10.50.50.0/24 and their loopback).
This is what Check Point receives through BGP.
This is the R1 routing table:
This is the R2 routing table:
This is the FW routing table:
However, the question is:
*How do I advertise and redistribute the networks that Check Point knows through static routes, or the networks that Check Point has directly connected to router 1 and router 2?
*Is it a routemap that is needed?
We have been reviewing the documentation, but it does not explain clearly how to make Check Point advertise and redistribute networks to the BGP remote AS:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/T...
https://support.checkpoint.com/results/sk/sk100501
This is the BGP configuration we currently have for Check Point:
set as 1
set bgp external remote-as 10 on
set bgp external remote-as 10 peer 192.168.5.131 on
set bgp external remote-as 10 peer 192.168.5.131 accept-routes all
We want to know how to do this before the next step: replicate the lab configuration in the customer environment.
In the customer environment, they have an Azure HA cluster on the same version, R81.20 JHF 89, and have a BGP peering with some Cisco routers in Azure.
For this environment we have another question:
*How do we advertise and redistribute the office mode VPN c2s network on the Check Point HA cluster in Azure for the BGP?
I hope I have explained myself with these details; if not, I will be glad to provide more information.
Greetings to all!
Accepted Solutions
Yes, routemaps are best to use in this case.
set nat-pool <office mode VPN c2s network/netmask> on
set routemap DirectStaticNATPool id 100 on
set routemap DirectStaticNATPool id 100 allow
set routemap DirectStaticNATPool id 100 match protocol direct
set routemap DirectStaticNATPool id 200 on
set routemap DirectStaticNATPool id 200 allow
set routemap DirectStaticNATPool id 200 match protocol static
set routemap DirectStaticNATPool id 300 on
set routemap DirectStaticNATPool id 300 allow
set routemap DirectStaticNATPool id 300 match protocol nat-pool
set bgp external remote-as 10 export-routemap DirectStaticNATPool preference 1 on
Jozko Mrkvicka
Route-maps with the appropriate match protocol statement and other relevant criteria will be needed.
Configure NAT pools to address the office mode bit which can also be used in the route-map matching logic e.g.
Excellent, this worked for us!
Thanks for your help.
We configured the network 10.0.0.0/20 as the office mode network for the nat-pool, created the routemap to export static, direct and nat-pool routes, and used the routemap to export those routes to BGP:
set nat-pool 10.0.0.0/20 on
set routemap RM_exp_rts id 100 on
set routemap RM_exp_rts id 100 allow
set routemap RM_exp_rts id 100 match protocol direct
set routemap RM_exp_rts id 200 on
set routemap RM_exp_rts id 200 allow
set routemap RM_exp_rts id 200 match protocol static
set routemap RM_exp_rts id 300 on
set routemap RM_exp_rts id 300 allow
set routemap RM_exp_rts id 300 match protocol nat-pool
set bgp external remote-as 10 export-routemap RM_exp_rts preference 1 on
With this configuration on the firewall, we see that these routes are already being advertised and injected into the routing tables of R1 and R2:
This is fine, it is what we expect.
However, we see that the firewall advertises all its static routes, including the firewall default route:
How do we prevent this firewall default route from being advertised via BGP?
Is it possible to make an exclusion for this static route?
Greetings!
set routemap RM_exp_rts id 200 match nexthop <IP_of_nexthop> on
This will cause only static routes pointing to <IP_of_nexthop> to be advertised.
It is not an ideal solution, since once a new route with a different nexthop is added, you need to add a new routemap statement.
A better way is to restrict specific routes (0.0.0.0/0) from propagation. You will need to create a routemap entry with an ID lower than 200 with action restrict:
set routemap RM_exp_rts id 199 on
set routemap RM_exp_rts id 199 restrict
set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact all
set routemap RM_exp_rts id 199 match protocol static
Jozko Mrkvicka
Hello @JozkoMrkvicka
Great! It helped me to restrict 0.0.0.0/0.
Just a correction in the command:
-instead:
set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact all
-place:
set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact
After this, we noticed immediately on R1 and R2 that the default route 0.0.0.0/0 is no longer propagated via BGP to the other routers.
Thank you for your help!
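As an added illustration (not from the thread and not Check Point code), here is a small Python model of how the final export routemap above decides what reaches the AS 10 peer, and why the `id 199 restrict` entry must sit below `id 200`. It assumes Gaia evaluates entries in ascending id order with the first match deciding, that `match network X exact` matches only that prefix while `all` also matches more-specific prefixes, and it uses a constructed routing table.

```python
from ipaddress import ip_network

# Constructed sample routing table: (protocol, prefix, nexthop). The 10.0.0.0/20
# nat-pool and the R1/R2 link networks come from the thread; the rest is made up.
ROUTES = [
    ("static",   "0.0.0.0/0",      "192.168.70.1"),
    ("static",   "172.16.10.0/24", "192.168.5.131"),
    ("direct",   "192.168.5.0/24", None),
    ("direct",   "10.1.0.0/24",    None),
    ("nat-pool", "10.0.0.0/20",    None),
    ("bgp",      "10.50.50.0/24",  "192.168.5.131"),
]

# The corrected RM_exp_rts routemap as (id, action, match criteria).
# Assumption (modelled, not verified against Gaia source): entries are tried in
# ascending id order, the first matching entry wins, unmatched routes are not exported.
ROUTEMAP = [
    (199, "restrict", {"protocol": "static", "network": ("0.0.0.0/0", "exact")}),
    (100, "allow",    {"protocol": "direct"}),
    (200, "allow",    {"protocol": "static"}),
    (300, "allow",    {"protocol": "nat-pool"}),
]

def network_matches(prefix, spec):
    """'exact' matches only the given prefix; 'all' also matches anything inside it."""
    target, mode = spec
    route, tgt = ip_network(prefix), ip_network(target)
    if mode == "exact":
        return route == tgt
    if mode == "all":
        return route.subnet_of(tgt)
    raise ValueError("unknown match mode: %s" % mode)

def entry_matches(route, criteria):
    proto, prefix, _nexthop = route
    if "protocol" in criteria and criteria["protocol"] != proto:
        return False
    if "network" in criteria and not network_matches(prefix, criteria["network"]):
        return False
    return True

def exported(routes, routemap):
    """Return the prefixes the routemap lets through to the BGP peer, in table order."""
    out = []
    for route in routes:
        for _id, action, criteria in sorted(routemap, key=lambda e: e[0]):
            if entry_matches(route, criteria):
                if action == "allow":
                    out.append(route[1])
                break  # first matching entry decides, whether allow or restrict
    return out
```

Dropping the id 199 entry from `ROUTEMAP` reproduces the default-route leak reported earlier in the thread, and switching its mode to `all` would instead suppress every static route.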