This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
H2-F1
Participant
‎2019-12-31 04:01 AM
Jump to solution

BGP routemaps and match statements

Hello Everyone,

 

I've been working on a small project and have come across an issue with I thought I'd share with the community to get some assistance.

 

I have attached a simplified topology of the setup

 

 

Essentially, I have 2 sites, each with an ISP connection to a CP VSX cluster running in VSX mode, one VS at Site 2 (BFW) is has a BGP Peering with a Juniper SRX appliance. There is also a connection between the 2 sites VSs through a L2 MPLS link.

I have BGP established where I receive a default route from the ISP at each site, I also have local networks connected on the Checkpoint firewalls. I am currently learning the local subnets connected to the SRX and I am sending it a default route as well as specific subnets connected to BFW.

 

BGP state

BGP.JPG

 

BGP Config

BGP-Conf.JPG

 

Routemap Config

Routemap-config.jpg

 

Import/Export routemap

import-export-routemap.png

 

While setting up BGP between the 2 vs, and configuring routemaps, I only want to advertise one local subnet from each vs,  to do this I specifically used the match neighbor statement.

 

BFW should advertise subnet 10.254.132.160/27 only to AFW

AFW should advertise subnet 10.255.132.160/27 only to BFW

 

The idea is that the designated neighbor will receive the route, and all other neighbors will not. However, looking at the advertised routes sent from BFW to AFW it appears that it is applying the routemap destined for the SRX.

advertised route.png

 

The below is the route learnt on AFW (not imported yet, hence the i)

B H i 10.254.131.128/26 via 10.255.132.198,

Can anyone please shed some light if this is expected behaviour, or point out if I've missed something?

 

Thanks

 

0 Kudos
1 Solution

Accepted Solutions
Sundeep_Mudgal
Employee
Employee
‎2020-01-06 02:53 PM
Jump to solution

sk110477 specifies how to configure routemaps per peer. Export routemap per IBGP peer is not supported. You will need to configure routemaps on SRX to not accept routes that are not relevant. Would it be possible to use EBGP instead and configure routemaps as per sk110477?

View solution in original post

0 Kudos
2 Replies
Sundeep_Mudgal
Employee
Employee
‎2020-01-06 02:53 PM
Jump to solution

sk110477 specifies how to configure routemaps per peer. Export routemap per IBGP peer is not supported. You will need to configure routemaps on SRX to not accept routes that are not relevant. Would it be possible to use EBGP instead and configure routemaps as per sk110477?

0 Kudos
H2-F1
Participant
‎2020-01-12 11:58 AM
In response to Sundeep_Mudgal
Jump to solution

Thanks Sundeep.

That answers my question. I will have to change my SRX routemaps.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top