Hi Guys,
Again, I have some questions on IPv6. We have a /48 IPv6 prefix. We have configured each of our interfaces with a /64 IPv6 subnet. The IPs are working fine from the internal network but not from external. We tried to publish the /64 to BGP peers; however, upstream can only access /48. We have tested a few scenarios but don't seem to find the correct way to do it.
1. Scenario 1: set the interface IP with /48
Able to get the route advertised successfully to peers and able to ping from external. However, if we use this, we will not be able to do subnetting and assign it to another interface, as it overlaps with the interface that we have configured with /48.
2. Scenario 2: set the interface with /64 or another subnet
Not able to advertise to BGP peers as they can only accept /48. I'm trying to use route aggregation but it seems to only work for IPv4.
Any suggestions on how we can achieve our objective, which is to advertise a /48 route to BGP peers while maintaining a /64 subnet on each interface?
Thanks.
Exact commands/configuration you tried so far?
Also what version of Gaia are we talking about?
Currently using Gaia R80.20.
As of today I managed to introduce the /48 to BGP peers with a little tweak, and it's able to update all the routes. However, to be frank, I'm not sure this is the correct way to do it. Below are the steps that I have taken.
1. Create a /48 static route for IPv6 and point the gateway to some IP, just for the sake of having the static route active.
2. Create a routemap for IPv6 with network match /48 and protocol static.
3. Set the BGP export-routemap using the routemap policy that I created in step 2.
Then I can see my /48 network being advertised to BGP peers. Now I can also do the subnetting for IPv6 on my firewall interfaces.
So far, I can see all my servers are pingable from anywhere.
You can't advertise a route that you don't have or know, so this seems like a reasonable approach.
The /64 routes are more specific and they will apply before the /48 route, which isn't pointing anywhere.
You might be able to set the /48 to blackhole rather than route to a non-existent IP.
Assigning the route as blackhole is a much better idea. I have tried changing it to blackhole and it seems like everything went well. All the routes are still active even when I try to fail over the firewall node. So this should be the correct way.
Thanks again, Dameon.
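The longest-prefix-match behaviour the reply above relies on, as an added example that is not part of the original thread: a small route-table model showing that traffic to a configured /64 reaches its interface while the rest of the advertised /48 is dropped by the blackhole route. The prefixes (from the 2001:db8::/32 documentation range), the interface names and the helper functions `lookup` and `check_plan` are constructed for illustration.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
AGGREGATE = ipaddress.ip_network("2001:db8:100::/48")
ROUTES = [
    # (prefix, action): the /48 exists only so BGP has a route to export
    (AGGREGATE, "blackhole"),
    (ipaddress.ip_network("2001:db8:100:10::/64"), "eth1"),
    (ipaddress.ip_network("2001:db8:100:20::/64"), "eth2"),
]

def lookup(dest, routes=ROUTES):
    """Longest-prefix match: action of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, action) for net, action in routes if addr in net]
    if not matches:
        return "no route"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_plan(aggregate, routes):
    """List problems: interface subnets outside the aggregate or overlapping."""
    problems = []
    subnets = [net for net, action in routes if action != "blackhole"]
    for net in subnets:
        if not net.subnet_of(aggregate):
            problems.append(f"{net} is outside {aggregate}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    samples = (
        "2001:db8:100:10::5",   # inside a configured /64
        "2001:db8:100:20::1",   # inside the other /64
        "2001:db8:100:99::1",   # inside the /48 but no /64 assigned
        "2001:db8:200::1",      # outside the /48 entirely
    )
    for dest in samples:
        print(f"{dest:22} -> {lookup(dest)}")
    print("plan problems:", check_plan(AGGREGATE, ROUTES) or "none")
```

Unassigned space inside the /48 is discarded at the gateway instead of being forwarded toward a non-existent next hop, which is the difference between the blackhole route and the earlier static route pointing at "some IP".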