This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shawn_Fletcher
Contributor
‎2020-07-03 06:01 PM
Jump to solution

BGP help

Hi there

First time BGP setup with checkpoint (r80.40)

I've got a new environment and trying to setup a Cisco VSS with multiple VRFs that terminate to 16000 checkpoint. So multiple internal BGP peers with same AS #, i have received the routes fine from each peer, but i want to share  routes from Peer 1 with Peer 2 for my test setup before i reattempt in production. I was able to share the checkpoint connected networks, as well as static routes fine with combination of route redistribution / route map, but not the BGP routes from

Route redistribution allows to pick same FROM/TO AS# and add a filter, thought that might work but no luck.

How is the way to do this? I'm also stuggling on route distribution with WebUI vs route-map on CLI... when is the right scenario to use each?

0 Kudos
1 Solution

Accepted Solutions
firewall1-gx
Contributor
‎2020-07-03 07:40 PM
Jump to solution

Hi Shawn,

For your enviroment, since all peers are sharing the same AS, I believe you need to enable "as override" and "allowas-in" in your BGP configuration.

Please look the GAIA Advanced Routing to get the commands or to do through WEBUI.

https://dl3.checkpoint.com/paid/69/69d1c6899e768ea0687857ec55d723d9/CP_R80.40_Gaia_Advanced_Routing_...

Regards,

View solution in original post

0 Kudos
8 Replies
firewall1-gx
Contributor
‎2020-07-03 07:40 PM
Jump to solution

Hi Shawn,

For your enviroment, since all peers are sharing the same AS, I believe you need to enable "as override" and "allowas-in" in your BGP configuration.

Please look the GAIA Advanced Routing to get the commands or to do through WEBUI.

https://dl3.checkpoint.com/paid/69/69d1c6899e768ea0687857ec55d723d9/CP_R80.40_Gaia_Advanced_Routing_...

Regards,
0 Kudos
Shawn_Fletcher
Contributor
‎2020-07-03 08:48 PM
In response to firewall1-gx
Jump to solution

Thanks for the suggestion - it looks like to do this i have to change to an "External" group type, instead of Internal. Will see if i can get that working.
Boris_Karnaukh
Contributor
‎2020-12-08 01:32 AM
In response to Shawn_Fletcher
Jump to solution

Hi Shawn,

 

If you wish to keep this purely iBGP setup, you may consider setting up a route refelector. "GAIA Advanced routing" briefly covers this subject.

John_Fleming
Advisor
‎2020-12-08 04:42 AM
In response to Boris_Karnaukh
Jump to solution

Keeping all things BGP this would be the correct BGP term. iBGP assumes all peers to be fully meshed.

Assume we have iBGP talkers A, B and C.

B will not tell A about C routes learned from C.

B will not tell C about A routes learned from A.

The reason for this is since iBGP is assumed to be full mesh then B assumes C and A have BGP sessions with each other. Route reflector is the correct term to overcome this.

Sounds pretty good right? BTW I have no idea how to configure that in Gaia so.. uh.. maybe what firewall1-gx said is how to do that? 😄

 

0 Kudos
Boris_Karnaukh
Contributor
‎2020-12-09 01:42 AM
In response to John_Fleming
Jump to solution

In GAIA it should be rather simple — if you want to make your CheckPoint a reflector:

set bgp internal peer ##.##.##.# peer-type reflector-client

0 Kudos
Shawn_Fletcher
Contributor
‎2020-12-08 08:22 AM
Jump to solution

thanks for the suggestions - I did try route reflector but had no luck with that but in fairness we didn't open a case with TAC for assistance as we got a lot of feedback that OSPF was the more common option and moved on to that.

0 Kudos
John_Fleming
Advisor
‎2020-12-08 08:24 AM
In response to Shawn_Fletcher
Jump to solution

Make sure cluster members have the same router-id. Seems like a common configuration issue. Once its set you can only change it by removing the ospf config.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-12-08 04:04 PM
Jump to solution

That is one of the reasons to use cloning groups when using dynamic routing, so you don't configure things double and with mistakes.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events