This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gongya_Yu
Collaborator
‎2024-05-26 07:08 PM
Jump to solution

CP Cluster bgp question

Cluster member A with physical IP 192.168.1.1/24
Cluster member B with physical IP 192.168.1.2/24

Member A with the following for export

set routemap default id 100 on

set routemap default id 100 allow

set routemap default id 100 match network 0.0.0.0/0 exact

set routemap default id 100 match protocol static

set routemap default id 100 action nexthop ip 192.168.1.1

 

Member B with the following for export

set routemap default id 100 on

set routemap default id 100 allow

set routemap default id 100 match network 0.0.0.0/0 exact

set routemap default id 100 match protocol static

set routemap default id 100 action nexthop ip 192.168.1.2

 

When Cluster fails over, a blackhold will occur, right ?

Reason:

Before failover, member B does not have BGP peering, just synced with Member A for all the routes which points 192.168.1.1 as next-hop. When failover occurs and before member B establishes BGP relationship and advertises new next-hop (192.168.1.2), a blackhold occurs.

Am I right ??

 

0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-26 07:13 PM
Jump to solution

When setting up dynamic routing on a CP cluster, all peers must use the cluster interface VIP to peer with and route to. Routing/peering to individual gateway IPs is not supported. Hence the configuration on each cluster member must be identical. 

Tip: configure the router-id to a cluster VIP before configuring BGP, again identical across the cluster.

View solution in original post

0 Kudos
5 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-26 07:13 PM
Jump to solution

When setting up dynamic routing on a CP cluster, all peers must use the cluster interface VIP to peer with and route to. Routing/peering to individual gateway IPs is not supported. Hence the configuration on each cluster member must be identical. 

Tip: configure the router-id to a cluster VIP before configuring BGP, again identical across the cluster.

0 Kudos
Gongya_Yu
Collaborator
‎2024-05-27 02:36 AM
In response to emmap
Jump to solution

thanks so much for clarification !!

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-05-26 10:35 PM
Jump to solution

Yes, without BGP Graceful Restart and/or BFD features enabled, once failover occurs, there is short outage for BGP during re-establishment of peering from new member. It is described within sk175923.

Best practise is to enable BGP Graceful Restart (sk100499) and/or Bidirectional Forwarding Detection (BFD) with cBIT detection (sk175923to mitigate this problem.

Kind regards,
Jozko Mrkvicka
0 Kudos
Gongya_Yu
Collaborator
‎2024-05-27 01:00 AM
In response to JozkoMrkvicka
Jump to solution

I think it will be blackheld even with Graceful Restart enabled. 
Graceful Restart only helps when next-hop points to the VIP. This is the way we are doing.
But if standby node uses its own physical IP, a blackhold will occur during the failover.

Right ?

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-05-28 12:32 PM
In response to Gongya_Yu
Jump to solution

BGP should be configured to use VIP in cluster. You should also use the same VIP as router-id. Config for BGP within all cluster members should be the same.

I also dont get what is the goal here. You want to propagate only default IPv4 static route ? What is config for BGP peers (show configuration bgp) ?

You should use preference statement within routemaps to specify where to use routemap with "default" name.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events