Heather_Lewis
Participant

VPN redundancy using BGP

We currently have a Check Point firewall with a single external interface. The Internet routing is done by two separate routers via BGP. We are being asked to terminate the two ISPs directly and run BGP on the firewall. Currently, there are site-to-site VPNs. How would you run BGP, but also provide VPN redundancy to a third-party peer? Is ISP redundancy compatible with BGP?

0 Kudos
9 Replies
_Val_
Admin

Why do you need BGP in the first place? Do you run load sharing? If not, look into the ISP redundancy feature, with High Availability config. It does not require BGP.

Heather_Lewis
Participant

Thanks Val. We agree with you. However, the client wants to move BGP off the existing ISP routers. That's the scope. The customer owns a /24 and needs to advertise it.

0 Kudos
_Val_
Admin

Once again, what is BGP for? What exactly do you advertise and to whom? Maybe a bit more detail about your specific use case would help to start here.

0 Kudos
Heather_Lewis
Participant

We're the PS team. Client wants to retrofit the CP HA pair into the current topology and remove the existing ISP routers. Currently, there are two routers doing BGP to dual-homed ISPs. The customer is advertising a /24 network to the Internet via two separate ISPs. BGP is used to advertise the /24 space.

0 Kudos
_Val_
Admin

So they are advertising their own networks to the ISPs. From where I stand, they/you can put the same advertisement on the FW. What does it have to do with the S2S VPN? I assume VPN domains are on private segments, right? Also, the VPN GW IP address is most probably fixed to one of the FW external interfaces. Should not be a problem, although you do not give me too much to work with here 🙂

0 Kudos
Heather_Lewis
Participant

Currently, the firewall is behind the BGP routers in the /24 range. The firewall has only one external interface. The ISP redundancy is done by the routers via BGP. The S2S VPN peer has that single IP to peer with, but with a redundant path. The challenge is that once we remove the routers and terminate the ISPs directly on the firewall, we'll lose the /24 interface IP and have two separate IP addresses instead.

The question is whether ISP redundancy and BGP config are compatible. My understanding is ISP redundancy overrides the routing table, so BGP routing may be ignored. Since we have redundant paths for S2S VPN today, the client would want to continue to have VPN redundancy after the topology change, but I'm not sure how that works with BGP. Sorry, I don't have more information than that (not my existing client). I don't want to promise something I can't deliver if you know what I mean.

0 Kudos
the_rock
Champion

Maybe someone more familiar with BGP than myself can confirm this, but I don't believe ISP redundancy would override the routing table, but it's possible I'm wrong. Are you saying that BGP routes would have to change after the topology change, as that /24 subnet would be "broken down" into, say, two /25 subnets (just an example)?

0 Kudos
_Val_
Admin

@Heather_Lewis as @the_rock said, it should not be a problem to run BGP for announcing the customer's segments to the Internet. Redundant VPN should also not be a problem, and you do not need BGP for that; MEP config would do.

ISP redundancy in LS mode would be an alternative, but with dynamic routing you do not need that either, I think.

All in all, this sounds doable, but the final design requires a much more detailed use case.

0 Kudos
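To make the two designs discussed above concrete, here is a small reachability model that is an added example, not code from the thread or from Check Point. It models the firewall with two eBGP sessions, one per ISP, and compares the two VPN-endpoint choices: a gateway address taken from the customer's own /24 (which both sessions advertise), versus a gateway address that belongs to one ISP's transit block, with a MEP-style list of two such addresses as the fallback. All prefixes, addresses and link names are constructed from documentation ranges; the model deliberately ignores BGP path selection and convergence time and only answers "is this address still announced somewhere after one ISP fails".

```python
"""Reachability model for the VPN-endpoint question in the thread.

Constructed example: prefixes and addresses come from RFC 5737
documentation ranges and are not the customer's real values. The model
ignores BGP best-path selection and convergence time; it only checks
whether an address is still announced over some working ISP session.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The customer's own /24 (constructed). This is what the firewall would
# announce to both ISPs once BGP moves off the old routers.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class IspLink:
    name: str
    # Address the ISP assigned to the firewall's interface on this link.
    fw_interface_ip: ipaddress.IPv4Address
    # Prefixes the firewall announces over this link's eBGP session.
    advertised: Set[ipaddress.IPv4Network] = field(default_factory=set)
    up: bool = True


@dataclass
class Firewall:
    links: Dict[str, IspLink]
    # A loopback carrying an address from the customer /24, used as the
    # VPN gateway address so it is not tied to either ISP link.
    loopback_ip: Optional[ipaddress.IPv4Address] = None

    def reachable_from_internet(self, ip) -> bool:
        """True if some working link owns the address (ISP transit block)
        or advertises a prefix that covers it."""
        ip = ipaddress.ip_address(ip)
        for link in self.links.values():
            if not link.up:
                continue
            if ip == link.fw_interface_ip:
                return True  # the ISP routes its own transit block to us
            if any(ip in pfx for pfx in link.advertised):
                return True  # covered by our own announcement on this link
        return False


def build_firewall() -> Firewall:
    """Dual-homed firewall announcing the customer /24 to both ISPs (constructed)."""
    isp_a = IspLink("ISP-A", ipaddress.ip_address("203.0.113.2"), {CUSTOMER_PREFIX})
    isp_b = IspLink("ISP-B", ipaddress.ip_address("198.51.100.2"), {CUSTOMER_PREFIX})
    return Firewall({"ISP-A": isp_a, "ISP-B": isp_b},
                    loopback_ip=ipaddress.ip_address("192.0.2.1"))


def vpn_endpoint_survives(fw: Firewall, endpoint_ip, failed_link: str) -> bool:
    """Single-endpoint design: can the third-party peer still reach
    endpoint_ip after failed_link goes down?"""
    fw.links[failed_link].up = False
    try:
        return fw.reachable_from_internet(endpoint_ip)
    finally:
        fw.links[failed_link].up = True


def mep_surviving_endpoint(fw: Firewall, endpoints: List[str],
                           failed_link: str) -> Optional[str]:
    """MEP-style design: the peer is configured with several gateway
    addresses and uses the first one that is reachable."""
    fw.links[failed_link].up = False
    try:
        return next((ep for ep in endpoints if fw.reachable_from_internet(ep)), None)
    finally:
        fw.links[failed_link].up = True


if __name__ == "__main__":
    fw = build_firewall()
    for link in fw.links:
        print(f"{link} down: /24 loopback endpoint reachable ->",
              vpn_endpoint_survives(fw, fw.loopback_ip, link))
        print(f"{link} down: ISP-A interface endpoint reachable ->",
              vpn_endpoint_survives(fw, "203.0.113.2", link))
        print(f"{link} down: MEP picks ->",
              mep_surviving_endpoint(fw, ["203.0.113.2", "198.51.100.2"], link))
```

The point the model makes is the one Val raises: if the VPN gateway address is drawn from the /24 that the firewall itself announces over both sessions, losing either ISP leaves the peer's single configured address reachable, so the redundancy Heather describes today is preserved. If the gateway address is instead one of the ISP-assigned interface addresses, it disappears with that ISP, and the peer needs the second address configured as well, which is what the MEP design provides.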
the_rock
Champion

Yes, it's 100% compatible, I have a customer doing so without any issues.

0 Kudos