Brianpiraty_Ale
Contributor

BGP

need to announce the x.x.x.x/x network from firewall to the different AS.

 

Do I need to have x.x.x.x/x in the firewall's routing table.

 

3 Replies
PhoneBoy
Admin

The route has to come from somewhere (another routing protocol or a static route).
vinceneil666
Advisor

Hi,

You will, as @PhoneBoy says, have the route either as a static or from another routing protocol like OSPF.

If you want to test something, let's say before things come online or even for some production environments, you can add a Null0 route, also known as a blackhole route.

You just add the route as usual, choosing blackhole as the gateway - then it will be available for redist in BGP.

So if you want to redist to another AS, depending on your design of course, you could do a blackhole static to (example) 192.168.22.0/24, and then that can be redistributed even if the link providing that interface is down - or some other routing protocol brings it down. Note that this means looking at metrics and priorities etc. Best to have a wider blackhole route than using the exact same one as the one you want to get over - a blackhole pretty much just drops the traffic.

 

If you have eBGP to your ISP and you have gotten a /20 prefix with public IP addresses to use, you would put up a blackhole route on your end for that /20 prefix and use it for redist - then the more specific routes in your IGP would take precedence over the wide blackhole, thus dropping all traffic that is not explicitly routed in your network to the blackhole. So if you get an interface or a static route with a /24 within the same prefix it will take precedence and route it correctly, but the redistributed prefix is still the /20.

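The route-selection behaviour described in the reply above, as an added illustration that is not part of the original thread: a constructed routing table with a wide static blackhole /20 beside two real /24 routes, a longest-prefix-match lookup, and the set of prefixes a "redistribute static" policy would hand to BGP. Prefixes, next hops and protocol names are constructed for the example; it models the logic, not Gaia's CLI.

```python
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"

# Constructed RIB. The /20 is a static blackhole whose only job is to exist
# so BGP can redistribute it; the /24s are the real connected/IGP routes.
RIB = [
    ("203.0.112.0/20", BLACKHOLE, "static"),
    ("203.0.112.0/24", "10.1.1.2", "connected"),
    ("203.0.113.0/24", "10.1.2.2", "ospf"),
]


def lookup(dst):
    """Longest-prefix match: the most specific matching route wins,
    regardless of the order of entries or the protocol that installed it.
    Returns (prefix, nexthop) or None when nothing matches."""
    addr = ip_address(dst)
    best = None
    for prefix, nexthop, proto in RIB:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else (str(best[0]), best[1])


def is_dropped(dst):
    """True when traffic to dst falls through to the blackhole aggregate,
    i.e. no more specific route exists for it inside the /20."""
    route = lookup(dst)
    return route is not None and route[1] == BLACKHOLE


def bgp_export(redistribute=("static",)):
    """Prefixes BGP advertises: only routes from redistributed protocols.
    The /24s are not redistributed, so the neighbour AS sees only the /20."""
    return sorted(p for p, _, proto in RIB if proto in redistribute)
```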
Timothy_Hall
Champion

Up through R80.40, adding a blackhole route for the prefix you want to advertise was the preferred way to make it exist in the routing table. It can look a bit confusing to someone else, but it got the job done. Starting in R81, Check Point has introduced the concept of "NAT Pools", which is a much more elegant way to accomplish this; here is an excerpt from my Gaia 3.10 Immersion class mentioning this new feature:

[Image: NATPools.png]

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com