CP3600 BGP Configuration and advertised networks.
Hello. I'm removing a Cisco router from our network and moving the BGP from that to our 3600 cluster on R81.10.
I see how to set up the Router ID and AS number.
Where do I specify what networks are advertised, as I would on a Cisco setup? I've looked at some documentation but am not seeing anything really on this. And I have never had to set up BGP on a Check Point.
For example, here is my Cisco config and I am basically moving this to my cluster.
router bgp 63038
no synchronization
bgp log-neighbor-changes
network 10.1.95.0 mask 255.255.255.0
network 10.95.0.0 mask 255.255.0.0
network 10.88.68.0 mask 255.255.254.0
network 192.168.46.8 mask 255.255.255.248
neighbor 192.168.39.154 remote-as 13955
neighbor 192.168.39.154 next-hop-self
no auto-summary
Labels: Gaia
Accepted Solutions
You create a route-map and some conditions to import and export routes into BGP.
For instance:
set routemap bgp_export id 10 on
set routemap bgp_export id 10 match protocol static
set router-id <router-id>
set as <as>
set bgp external remote-as <remote-as> on
set bgp external remote-as peer <peer> on
set bgp external remote-as <remote-as> export-routemap bgp_export preference 10 on
And similar for import routes. You will find the exact syntax in the advanced routing guide for R81.10.
set routemap bgp_export id 10 match protocol direct
set bgp external remote-as 13979 export-routemap bgp_export preference 10 on
This should be exporting my directly attached routes to my peers, or did I get this wrong?
Then on the peer I need to be doing a
set bgp external remote-as 65000 import-routemap bgp_export preference 10 on
I can see both sides showing peering with the other, but no routes are being shared. I've done the config on both sides pretty much identically with the different AS numbers.
EDIT: I didn't realize my two VMs were blocking connections to each other. Oops, now I'm getting routes. THANKS to all you fine folks for helping me figure this out.
No problem. Be sure, however, you're not re-exporting things like the static default route. If you're redistributing statics, then specify the interface in the same routemap ID with a second match clause. Same goes for a directly-connected interface; no need to redistribute the external/Internet-facing interface.
Assuming eth0 is your external-facing interface (likely the interface facing your peer as well):
set routemap bgp_export id 10 match protocol direct
set routemap bgp_export id 10 match interface eth1
set routemap bgp_export id 10 match interface eth2
You can see what's being received, but hidden by the local FIB manager when routes are offered by each routing protocol:
show route bgp all
Routes with code 'i' are inactive, usually because a better route is already installed or otherwise available from another routing source (such as an existing local static route).
Otherwise, enjoy! Glad you got it working; nice job!
I will make sure to keep that in mind. And I should say, I figured out the basics of setting up BGP on Check Point, and now that I have a test VM with R81.10, which I'm using in production, and some Cisco VMs, I can set up and test the config in my lab.
Once again, thanks for all the help.
To add to the comment from @Alex-: Be sure BOTH cluster nodes are set for the SAME ASN, SAME router-id, and be sure they both have the same routemap commands applied. Some vendor HA products want the two nodes to have different Router-IDs, but not ClusterXL. I had a customer try to do different ASN and different router IDs on the ClusterXL nodes; it was as bad as you can imagine. Don't do that.
Check your Cisco router BGP capabilities, too. You may want to enable graceful-restart, route-refresh, and communities. None of these are default on Gaia.
set bgp communities on
set bgp external remote-as PEER_ASN peer PEER_IP graceful-restart on
set bgp external remote-as PEER_ASN peer PEER_IP route-refresh on
Thanks to both of you. This is a bit different from the BGP setup I'm used to, so hopefully I don't run into any issues with this after migrating my end over to the cluster. I did read that you need to make sure both members of the cluster are configured identically, so thanks for the confirmation. Much appreciated.
Keep in mind, as with any dynamic routing protocol, it can only originate an advertisement for routes in the FIB ("the route table"), as well as what was learned from other neighbors (the RIB). If you need to advertise a route that is not directly-attached, then you need to add the route as a static route, THEN advertise it with "match protocol static" and "match interface FOO" where FOO is the outgoing interface for said route.
Let us know if you need any help.
All the routes are directly attached routes and this will be my introduction to route maps on the Checkpoint platform. My upgrade got pushed off until Monday so I'm going to look at it more.
In this case you change the protocol to match "direct" in the export route map and all subnets configured on local interfaces should be redistributed.
You can use the following commands to check peering and advertisements:
show bgp peer <peer-ip>
show bgp peers #displays all peerings
show bgp peer <peer-ip> received
show bgp peer <peer-ip> advertise
Well I don't want all subnets, just those four. So I make a match statement in my route map config for those networks correct?
You can add a prefix-list to match your subnets and add the match prefix-list <name> statement in the corresponding route-map entry.
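As an added worked example (not code from the thread or from Check Point), the script below takes the Cisco `router bgp` block from the original question, turns each `network ... mask ...` statement into a CIDR prefix, and emits the Gaia clish lines for a prefix-list plus an export route map whose `match protocol direct` and `match prefix-list` clauses sit in the same id, so only the four connected subnets are advertised. It also includes a small drift check for the "configure both ClusterXL members identically" advice. The `set prefix-list ... prefix ... on` and `match prefix-list <name> on` forms are written from memory and are assumptions to confirm against the Gaia Advanced Routing guide for your release; the route-map and prefix-list names are arbitrary. IOS `next-hop-self`, `no synchronization` and `no auto-summary` have no line-for-line Gaia equivalent and are deliberately not translated.

```python
"""Translate an IOS 'router bgp' block into Gaia clish prefix-list/route-map
commands. Added example, not from the thread; clish syntax marked 'assumed'
must be checked against the Gaia Advanced Routing guide."""
import ipaddress
import re

# Constructed sample input: the IOS block posted in the original question.
CISCO_BGP_CONFIG = """\
router bgp 63038
 no synchronization
 bgp log-neighbor-changes
 network 10.1.95.0 mask 255.255.255.0
 network 10.95.0.0 mask 255.255.0.0
 network 10.88.68.0 mask 255.255.254.0
 network 192.168.46.8 mask 255.255.255.248
 neighbor 192.168.39.154 remote-as 13955
 neighbor 192.168.39.154 next-hop-self
 no auto-summary
"""

ROUTER_RE = re.compile(r"^\s*router\s+bgp\s+(\d+)\s*$")
NETWORK_RE = re.compile(
    r"^\s*network\s+(\d+\.\d+\.\d+\.\d+)(?:\s+mask\s+(\d+\.\d+\.\d+\.\d+))?\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+(\d+)\s*$")


def classful_mask(addr):
    """IOS 'network' without 'mask' means the classful mask of the address."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_cisco_bgp(text):
    """Return {'local_as': int, 'networks': [CIDR str], 'neighbors': [(ip, as)]}.

    A 'network' line with host bits set raises ValueError: BGP originates the
    exact prefix only, so a mistyped statement would silently advertise nothing.
    """
    cfg = {"local_as": None, "networks": [], "neighbors": []}
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            cfg["local_as"] = int(m.group(1))
            continue
        m = NETWORK_RE.match(line)
        if m:
            addr, mask = m.group(1), m.group(2) or classful_mask(m.group(1))
            try:
                net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
            except ValueError as exc:
                raise ValueError(f"network {addr} mask {mask}: {exc}") from None
            cfg["networks"].append(str(net))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            cfg["neighbors"].append((m.group(1), int(m.group(2))))
    if cfg["local_as"] is None:
        raise ValueError("no 'router bgp <asn>' line found")
    return cfg


def gaia_commands(cfg, routemap="bgp_export", prefix_list="bgp_export_nets",
                  router_id=None, preference=10):
    """Emit clish lines for one member; apply the identical set on BOTH
    ClusterXL members (same AS, same router-id, same route maps)."""
    cmds = [f"set as {cfg['local_as']}"]
    if router_id:
        cmds.append(f"set router-id {router_id}")
    for net in cfg["networks"]:
        # Assumed prefix-list syntax; confirm in the Advanced Routing guide.
        cmds.append(f"set prefix-list {prefix_list} prefix {net} on")
    # Both match clauses share one id, so they are ANDed: a route is exported
    # only if it is directly connected AND listed in the prefix-list.
    cmds += [
        f"set routemap {routemap} id {preference} on",
        f"set routemap {routemap} id {preference} match protocol direct",
        # Assumed 'match prefix-list' form; confirm in the guide.
        f"set routemap {routemap} id {preference} match prefix-list {prefix_list} on",
    ]
    for peer_ip, remote_as in cfg["neighbors"]:
        cmds += [
            f"set bgp external remote-as {remote_as} on",
            f"set bgp external remote-as {remote_as} peer {peer_ip} on",
            f"set bgp external remote-as {remote_as} export-routemap {routemap} "
            f"preference {preference} on",
        ]
    return cmds


BGP_PREFIXES = ("set as ", "set router-id ", "set bgp ", "set routemap ", "set prefix-list ")


def bgp_config_drift(member_a, member_b):
    """BGP-related 'set' lines present on only one cluster member. Feed it each
    member's 'show configuration' output; you want both lists empty."""
    def pick(lines):
        return {l.strip() for l in lines if l.strip().startswith(BGP_PREFIXES)}
    a, b = pick(member_a), pick(member_b)
    return {"only_on_a": sorted(a - b), "only_on_b": sorted(b - a)}


if __name__ == "__main__":
    for cmd in gaia_commands(parse_cisco_bgp(CISCO_BGP_CONFIG)):
        print(cmd)
```

Run it against the pasted IOS block and paste the printed lines into clish on each member, then compare `show configuration` output from both members with `bgp_config_drift` before relying on failover.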
Thanks. I'm going to try this Monday.
Thanks for all the tips. I need to find a way to setup a test system for this so I can test configs and not do them cold on a production system. But I find that outside of Cisco most other vendors don't have as robust a testing environment.
It's actually not so complex. Spin up a few VMs on your hypervisor of choice and go from there.
All you need is an SMS and two gateways on a virtual network, one in each AS. Load them up with loopback interfaces to simulate local subnets and next-hops for static routes and play with route maps and prefix-lists.
When I need to test something, I often use Hyper-V out of the box on a Windows laptop.
Yep, what @Alex- says is 100% spot-on. You can also keep testing with Gaia and routing stuff long after the 15-day eval expires, too. You can't do anything policy-wise and pass traffic across the gateways, but you don't need that to test routing services and advertisements/announcements.
I'm working on setting up a test lab.