Gentlemen,
help me choose an option to solve an issue in the following scenario: The topology is as shown below. This company is an ASN and has 2 edge routers that advertise their /23 IP block (I am using private IPs to represent).
Currently, each router has a configured VLAN. However, due to both routers advertising the /23, it can cause packets to return through either of the two routers. The example below better illustrates what I mean.
So what would you do in this case?
Configuring both VLANs on each router would be a solution, right? Regardless of which router the packet returns through, it would be delivered to the originating VLAN and routed back to the correct firewall interface.
To configure VRRP between the routers, it would be necessary to change the addressing of the interfaces because for using a VRRP virtual IP, both routers need to have an interface in the same network, correct? With the current scenario, each router has a /29, a different subnet, and therefore VRRP would not work, right?
It would also be possible to configure BGP on the Check Point, correct?
However, I personally have never done that, so what would be the recommended approach for setting up a BGP peer on the Check Point?
I appreciate your assistance!
After analyzing the possibilities, we have opted for the simplest solution that was not initially considered. Since it is a /23 that both routers will advertise, it doesn't make sense to subnet and create different VLANs on the firewall side.
Instead, we will create a single bond interface, aggregate as many physical interfaces as necessary, and assign an IP from the /29 subnet to this bond interface. This ensures that the same firewall interface will receive the return packets and avoids creating asymmetry.
For routing redundancy, we will configure two default routes and enable ISP redundancy in active/backup mode. For this specific scenario, we believe this is the best option. What do you think?
After analyzing the possibilities, we have opted for the simplest solution that was not initially considered. Since it is a /23 that both routers will advertise, it doesn't make sense to subnet and create different VLANs on the firewall side.
Instead, we will create a single bond interface, aggregate as many physical interfaces as necessary, and assign an IP from the /29 subnet to this bond interface. This ensures that the same firewall interface will receive the return packets and avoids creating asymmetry.
For routing redundancy, we will configure two default routes and enable ISP redundancy in active/backup mode. For this specific scenario, we believe this is the best option. What do you think?
| User | Count |
|---|---|
| 20 | |
| 11 | |
| 9 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 |
Thu 13 Feb 2025 @ 03:00 AM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - APACThu 13 Feb 2025 @ 03:00 PM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - EMEAThu 13 Feb 2025 @ 02:00 PM (EST)
Navigating the Cyber Frontier: A Check Point Executive Briefing - AmericasFri 14 Feb 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 33: CPX 2025 terugblik!Tue 18 Feb 2025 @ 03:00 PM (CET)
Why Adding SASE to Your Network Infrastructure is a Win-Win - EMEATue 18 Feb 2025 @ 02:00 PM (EST)
Why Adding SASE to Your Network Infrastructure is a Win-Win - AMERICASThu 13 Feb 2025 @ 03:00 AM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - APACThu 13 Feb 2025 @ 03:00 PM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - EMEAThu 13 Feb 2025 @ 02:00 PM (EST)
Navigating the Cyber Frontier: A Check Point Executive Briefing - AmericasFri 14 Feb 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 33: CPX 2025 terugblik!Tue 18 Feb 2025 @ 03:00 PM (CET)
Why Adding SASE to Your Network Infrastructure is a Win-Win - EMEATue 18 Feb 2025 @ 02:00 PM (EST)
Why Adding SASE to Your Network Infrastructure is a Win-Win - AMERICAS
