Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Brianpiraty_Ale
Contributor

BGP

need to announce the x.x.x.x/x network from firewall to the different AS.

 

Do I need to have x.x.x.x/x in the firewall's routing table.

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

The route has to come from somewhere (another routing protocol or a static route).
0 Kudos
vinceneil666
Advisor

Hi,

You will, as  @PhoneBoy say, have the route as either a static or from another routing proto like ospf.

If you want to test something, lets say before things come online or even for some production enviroments, you can add a Null0 route, also known as a blackhole route.

You just add the route as usual, choosing blackhole as gateway - then it will be available for redist in BGP. 

So if you want to redist to another AS, depending on your design of course, you could do a blackhole static to (example) 192.168.22.0/24 ..and then that can be redistributed even if the link providing that interface is down - or some other routing protocoll brings it down. .. Note that looking at metrics and priorites etc etc.. Best to have a wider blackhole route than using the exact same as the one you want to get over - a blackhole pretty much just drop the traffic.

 

If you have eBGP to your ISP and you have gotten a /20 prefix with public ip addresses to use. You would put up a blackhole route on your end for that /20 prefix and use it for redist - then the more specific routes in your IGP would take precedence over the wide blackhole. Thus dropping all traffic that is not explicit routed in your network to blackhole. So if you get an interface or a static route with /24 within the same prefix it will take precedence and route it correctly.. but the redistributed prefix is still the /20 

0 Kudos
Timothy_Hall
Legend Legend
Legend

Up through R80.40, adding a blackhole route for the prefix you want to advertise was the preferred way to make it exist in the routing table.  Can look a bit confusing to someone else but it got the job done.  Starting in R81 Check Point has introduced the concept of "NAT Pools" which is a much more elegant way to accomplish this; here is an excerpt from my Gaia 3.10 Immersion class mentioning this new feature:

NATPools.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
CheckPointerXL
Advisor
Advisor

hello timothy,

any impact on the network added to Nat Pools ?

Let's say i wanna redistribute 10.0.0.0/10 to a BGP Peer but i have a lot of smaller networks with different next-hop, can i safely add 10.0.0.0/10 to nat Pools to include them all and redistrute it? or it is better to work with Route aggregation?

 

thank you

 

thanks

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello Timothy,

i tried nat pools and i confirm that it works, i can redistribute to bgp peers. (i tried with a host inside a network)

But something ugly happens in routing tables:

 

Cattura.JPG

 Let's say i wanna enlarge /32 to /25 network, it is safe?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Why are you using a NAT Pool that overlaps with an existing route in this way, what is the use case?

If you already have a route for the /24 why would you need a NAT pool the same mask length...

CCSM R77/R80/ELITE
0 Kudos
CheckPointerXL
Advisor
Advisor

Hello Chris,

The use case is to redistribute a network not in routing table.

This happens to me in a lot of customer: usually they wanna redistribute one larger network which includes lot of smaller net with different next hop.

please take a look to my example below about 10.0.0.0/10 network.

In other use case i need every time to add a static route to make it elegible for redistribution

 

 

 
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events