This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rob_Shears
Contributor
‎2022-04-26 04:36 PM

Best method to advertise BGP from ClusterXL VIP?

I have a clusterxl interface setup between 2 gateways.

I have a /30 to advertise (yes, I know. Small for BGP but this is the ISPs requirement).

After arguing with a vendor and doing a bunch of reading, the docs lead me to believe ClusterXL will support BGP just fine.

What is my best option to advertise the /30 from the cluster? 

Since it's a /30 (only allowing 2 ips), I established an interface VIP with 72.131.248.249/30 between members on a private subnet - 172.17.1.5 and 172.17.1.6.

Redistribute interface seems to work perfectly, but I'm unable to filter out the 172.17.x.x on the CP side.

Should I be setting up a static route for 72.131.248.249/30 with an interface gateway only and redistribute that?

Or a NAT pool?

Both of the last two options seemingly don't work for me. BGP is established but the route is not pushed.

 

cp-gw-1> show bgp peer 172.17.0.1 adj-rib-out

 

... shows routes when "Interface" is selected, but not when a static route or NAT pool is used for redistribution in Gaia.

Labels
0 Kudos
9 Replies
Sundeep_Mudgal
Employee
Employee
‎2022-04-26 07:51 PM

You have few options:

1) Using NAT-Pools.

2) Using static routes.

3) Using routemaps and match on an exact prefix and protocol direct. Check sk100501.

Last option is the most standard way of redistributing routes.

0 Kudos
Rob_Shears
Contributor
‎2022-04-27 06:58 AM
In response to Sundeep_Mudgal

For some reason I can't get NAT Pools or static routes to work.

Using "interfaces" works. If I use the same route that "interfaces" pushed but via NAT-Pools or static routes, the bgp session is established but no route is advertised by the CP. Will continue to play.

0 Kudos
Sundeep_Mudgal
Employee
Employee
‎2022-04-27 08:53 AM
In response to Rob_Shears

You will have to explicitly redistribute NAT pools to the destination AS. If you are using routemaps then route-redistribution commands will not work.

0 Kudos
Rob_Shears
Contributor
‎2022-04-27 02:31 PM
In response to Sundeep_Mudgal

No routemap commands issued, so they shouldn't be overriding my attempts.

Using "interfaces" redistribution, the routes 72.131.248.249/30 and 172.17.1.4/30 are redistributed as seen with "show bgp peers adj-rib-out". I would like to use Gaia web ui and find a way to only push 72.131.248.249/30.

I've tried creating a static route blackhole for 72.131.248.249/30 and using the "static" option. "show bgp peers adj-rib-out" says "no route advertised".

I've tried creating a NAT Pool with 72.131.248.249/30 and using the NAT Pool redistribution option. Same. "show bgp peers adj-rib-out" says "no route advertised".

I also tried the "Kernel" option, and it is the same.

 

Nothing stands out in /var/log/routed* to signify a problem and a bgp session IS established, just no routes advertised.

0 Kudos
Sundeep_Mudgal
Employee
Employee
‎2022-04-27 03:01 PM
In response to Rob_Shears

I think I know whats happening.  The C route is the only active route and therefore static and NAT pools do not become active. You can check in "show route". Only active routes get redistributed. 

I don;t think there is any other way besides routemaps to achieve the granularity that you are aiming form.  We will try to get this in next maintrain. Would it be possible for you to open a RFE request?

Rob_Shears
Contributor
‎2022-04-28 06:17 AM
In response to Sundeep_Mudgal

I actually only created the interface (which is actually in the same vmware portgroup) just to have an IP in that range to work with.

So, I think what you're saying is - I can potentially remove the interface all together and use something like NAT Pool - and that will probably work.

I should then be able to create NAT rules for this subset of IPs;

and probably enable automatic proxy arp --> since this is ClusterXL - static arps for the same IP on 2 members probably won't work?

0 Kudos
Sundeep_Mudgal
Employee
Employee
‎2022-04-28 07:27 AM
In response to Rob_Shears

You can try but this is not what I was suggesting. I was trying to reason out why the relevant prefix is not being redistributed. It would just be simpler if you use routemaps. You can open a configuration task so TAC can help you.

Rob_Shears
Contributor
‎2022-04-29 01:39 AM
In response to Sundeep_Mudgal

If I removed the interface, it would no longer be a Connected route is what I was getting at.

 

Would route-maps display on GUI and are they supported on ClusterXL?

Edit: based on your analysis, I removed the interface and the NAT pool instantly started working! Thanks!

0 Kudos
Sundeep_Mudgal
Employee
Employee
‎2022-04-29 08:43 AM
In response to Rob_Shears

I am glad that it works for you. Regarding your questions:

- Routemaps are not on Web-UI. They are only CLI commands.

- Routemaps work with clustering.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top