This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Charles_Palmer
Contributor
‎2023-09-12 11:54 AM

Prefix Lists, Prefix Trees, oh my

I am looking at my routing design between my Cisco and CheckPoint environments. About 4 years ago, I implemented various route maps in my CheckPoint environment, and they have been working fine. I did not use prefix lists or prefix trees at the time of this implementation because I don't think they were supported yet. Since I am redesigning, I figured I would implement prefix lists like I have in my Cisco environment to vastly reduce the size of my existing route maps. Looking for documentation on this is proving much more difficult that I would have thought it would be. The basic documentation provided in the documentation give syntax for Prefix-Lists and Prefix-Trees but there isn't a very good discussion of what the difference between the two is and use cases for each. The following two definitions don't explain anything to me:
Prefix-List:Simulate a sequential lookup and return the first matched entry as the true match.

Prefix-Tree:Return the longest match as the true match.

There is one routemap example that uses prefix list and that looks to be how I would expect it, but it still isn't clear about how it would actually work. If I build a prefix-list with multiple different ip address/subnet mask pairs, is it going to check against each entry until it finds a match for the ip/mask that it is currently testing or something else. I am assuming I would build my prefix-list with a sequence order of frequency of usage to speed up matching, but the above definition doesn't well aid in understanding. And I can't seem to find any discussion or examples where someone has implemented this with the explanation of how it works.

If anyone has worked out the cryptic part of this, I would appreciate enlightening.

 

Thank you,

Charles

 

0 Kudos
5 Replies
Charles_Palmer
Contributor
‎2023-09-12 12:13 PM

An example of what I think might work:

set routemap TestRM id 10 on
set routemap TestRM id 10 allow
set routemap TestRM id 10 match as 65012 on
set routemap TestRM id 10 match neighbor 172.28.1.xx on
set routemap TestRM id 10 match network 192.168.56.0/22 exact
set routemap TestRM id 10 match network 192.168.182.0/23 all
set routemap TestRM id 10 match network 172.22.0.0/16 all
set routemap TestRM id 10 match network 172.23.0.0/16 all
set routemap TestRM id 10 match protocol bgp
set routemap TestRM id 10 action preference 50
set routemap TestRM id 11 on
set routemap TestRM id 11 allow
set routemap TestRM id 11 match as 65012 on
set routemap TestRM id 11 match neighbor 172.28.1.xx on
set routemap TestRM id 11 match network 192.168.56.0/22 exact
set routemap TestRM id 11 match network 192.168.182.0/23 all
set routemap TestRM id 11 match network 172.22.0.0/16 all
set routemap TestRM id 11 match network 172.23.0.0/16 all
set routemap TestRM id 11 match protocol bgp
set routemap TestRM id 11 action preference 100

Is the above routemap equivalent to the following prefix-list/routemap combination?

set prefix-list TestPL sequence-number 10 prefix 192.168.56.0/22 exact
set prefix-list TestPL sequence-number 20 prefix 192.168.182.0/23 all
set prefix-list TestPL sequence-number 30 prefix 172.22.0.0/16 all
set prefix-list TestPL sequence-number 40 prefix 172.23.0.0/16 all
set prefix-list TestPL sequence-number 50 prefix 172.24.0.0/16 all

set routemap RM_TestRM id 10 on
set routemap RM_TestRM id 10 allow
set routemap RM_TestRM id 10 match as 65012 on
set routemap RM_TestRM id 10 match neighbor 172.28.1.18 on
set routemap RM_TestRM id 10 match prefix-list TestPL preference 50 on
set routemap RM_TestRM id 10 match protocol bgp
set routemap RM_TestRM id 11 on
set routemap RM_TestRM id 11 allow
set routemap RM_TestRM id 11 match as 65012 on
set routemap RM_TestRM id 11 match neighbor 172.28.1.28 on
set routemap RM_TestRM id 11 match prefix-list TestPL preference 100 on
set routemap RM_TestRM id 11 match protocol bgp

NOTE: Additional networks being added during redesign

The restrict command that can be at the end of each of those prefix-list lines is not clear as to if I need to provide it or not and is restrict off equivalent of not providing it?

 

0 Kudos
the_rock
Legend
Legend
‎2023-09-12 12:25 PM
In response to Charles_Palmer

That looks right to me. I can check for you, as my colleague and I spent literally 5 months last year with TAC until we finally got it working.

Andy

0 Kudos
Charles_Palmer
Contributor
‎2023-09-12 12:28 PM
In response to the_rock

If you could verify, that would be awesome. Sadly I don't currently have the resources for a test environment (mainly my time to try to get GNS3 working again after another update). I don't have to use prefix lists, but you can see that it saves me a few lines here. But I have more than a dozen other route maps with even more networks that this.

0 Kudos
the_rock
Legend
Legend
‎2023-09-12 12:29 PM
In response to Charles_Palmer

I will reach out to you offline mate.

Cheers,

Andy

the_rock
Legend
Legend
‎2023-09-13 05:52 AM

Just to update quick...Charles and I connected offline and I gave him examples of working setup, so I think that will help. He will update here once everything works.

Cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events