This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernardes
Advisor
‎2023-05-31 08:17 AM
Jump to solution

Assymetric Routing

Gentlemen,

help me choose an option to solve an issue in the following scenario: The topology is as shown below. This company is an ASN and has 2 edge routers that advertise their /23 IP block (I am using private IPs to represent).

topology.png

Currently, each router has a configured VLAN. However, due to both routers advertising the /23, it can cause packets to return through either of the two routers. The example below better illustrates what I mean.

assym.png

So what would you do in this case?

Configuring both VLANs on each router would be a solution, right? Regardless of which router the packet returns through, it would be delivered to the originating VLAN and routed back to the correct firewall interface.

vlans.png

To configure VRRP between the routers, it would be necessary to change the addressing of the interfaces because for using a VRRP virtual IP, both routers need to have an interface in the same network, correct? With the current scenario, each router has a /29, a different subnet, and therefore VRRP would not work, right?

It would also be possible to configure BGP on the Check Point, correct?

However, I personally have never done that, so what would be the recommended approach for setting up a BGP peer on the Check Point?

I appreciate your assistance!

0 Kudos
1 Solution

Accepted Solutions
Bernardes
Advisor
‎2023-05-31 05:38 PM
Jump to solution

After analyzing the possibilities, we have opted for the simplest solution that was not initially considered. Since it is a /23 that both routers will advertise, it doesn't make sense to subnet and create different VLANs on the firewall side.

Instead, we will create a single bond interface, aggregate as many physical interfaces as necessary, and assign an IP from the /29 subnet to this bond interface. This ensures that the same firewall interface will receive the return packets and avoids creating asymmetry.

top-final.png

For routing redundancy, we will configure two default routes and enable ISP redundancy in active/backup mode. For this specific scenario, we believe this is the best option. What do you think?

View solution in original post

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2023-05-31 08:19 AM
Jump to solution

That sounds right, to configure same VLANs on both routers. Are these Cisco?

Andy

Bernardes
Advisor
‎2023-05-31 09:24 AM
In response to the_rock
Jump to solution

Hello @the_rock ! These routers are Mikrotik

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 09:28 AM
In response to Bernardes
Jump to solution

The only reason I know about that company is because I saw their building in Riga, Latvia : - )

Anyway, does not change the fact they are not Cisco, I still believe in same suggesiton I gave.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-05-31 05:19 PM
Jump to solution

Have you considered iBGP between R1 & R2 ?

CCSM R77/R80/ELITE
0 Kudos
Bernardes
Advisor
‎2023-05-31 05:38 PM
Jump to solution

After analyzing the possibilities, we have opted for the simplest solution that was not initially considered. Since it is a /23 that both routers will advertise, it doesn't make sense to subnet and create different VLANs on the firewall side.

Instead, we will create a single bond interface, aggregate as many physical interfaces as necessary, and assign an IP from the /29 subnet to this bond interface. This ensures that the same firewall interface will receive the return packets and avoids creating asymmetry.

top-final.png

For routing redundancy, we will configure two default routes and enable ISP redundancy in active/backup mode. For this specific scenario, we believe this is the best option. What do you think?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events