This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sinapz
Explorer
‎2024-11-21 05:41 PM
Jump to solution

Checkpoint BGP ECMP/Multipath

Hi

I am looking to understand how Checkpoint Cloudguard BGP routing works when ECMP is enabled. I've got 2 equal paths to a destination, and I want to install routes learnt from both paths into the routing table. However, I want to ensure that traffic from the same source IP is always sent to the same path (client persistency). 

Is there a way to configure this sort of hashing (source-IP persistency) within ECMP?

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-11-21 07:21 PM
Jump to solution

Per sk100504: 

  • "Round robin" next hop algorithm is not supported.
  • "Source hash" next hop algorithm is not supported.
  • "Destination hash" next hop algorithm is not supported.
  • ECMP over EBGP supports up to 8 simultaneous routes.

 

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
4 Replies
Duane_Toler
MVP Silver
MVP Silver
‎2024-11-21 07:05 PM
Jump to solution

With two equal cost paths, they both will be installed to the routing table (the FIB).  Routing is based on destinations, not sources.  You need PBR for source based routing (don’t do PBR; it’s an endless pit of trouble unless you absolutely positively must).  Even source NAT doesn’t solve the issue.

If you want to ensure a packet travels via a predetermined path then you don’t have ECMP anymore. You can use BGP path attributes to influence path decisions between ASNs if you need that. Local_Pref, AS_Path, and/or Weight (locally significant to the router only) to exit an AS; MED to enter an AS.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
sinapz
Explorer
‎2024-11-21 07:30 PM
In response to Duane_Toler
Jump to solution

Thanks for your feedback. Unfortunately, BGP Attributes will not solve my problem, as I need traffic to be routed across 2 paths. Adding local pref will only make traffic go via one path. What I need is the ability to load balance based on a source-ip-based algorithm

 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-11-21 07:21 PM
Jump to solution

Per sk100504: 

  • "Round robin" next hop algorithm is not supported.
  • "Source hash" next hop algorithm is not supported.
  • "Destination hash" next hop algorithm is not supported.
  • ECMP over EBGP supports up to 8 simultaneous routes.

 

CCSM R77/R80/ELITE
0 Kudos
sinapz
Explorer
‎2024-11-21 09:31 PM
In response to Chris_Atkinson
Jump to solution

That's a shame but thanks for researching

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events