dphonovation
Collaborator

Disable distribution of default route if peer is down

Right now my switches have a default gateway set statically. Instead I want to redistribute the default route to them from the Check Point, but only if my WAN-side BGP peer is up (or alternatively, a ping to something like 8.8.8.8).

I'm using BGP, not OSPF, but this thread still has answers that apply to me:
https://community.checkpoint.com/t5/Security-Gateways/Checkpoint-Advanced-OSPF-Capability/td-p/6467

So I get that I just need to redistribute a static route of 0.0.0.0 from Gaia into the switches. There is also a "Ping" checkbox, as in the above thread, on my BGP peer to my ISP (I suppose I can also work with the ISP to enable BFD). But how do I disable the redistribution of 0.0.0.0 to my switches after the BGP peer is noticed down?

6 Replies
the_rock
Legend

I could be mistaken when I say this (hopefully someone from CP will correct me), but I had never found out a way to disable any route on CP. It's either on or you have to delete it, that's it.

dphonovation
Collaborator

I have a slightly different need to disable redistribution in a different scenario, i.e. BGP over a S2S tunnel, and I want to stop redistribution if a specific IP is down.

I tried faking it by adding a static route to the host x.x.x.x/32 with a monitor ping option enabled.

I set up 2 monitors, one for a live IP and one for a dead IP internally. If I switched to the dead IP I could see the route being removed from the kernel table.

I then set up BGP to redistribute this static route, but now the ping monitoring no longer worked. The route remained in the table permanently, as if redistributing it "stuck" it in place or made it ignore the ping monitor. To the point that if I did a show ip-reachability it marked the IP I KNOW FOR A FACT IS DEAD/DOES NOT EXIST as available.

G_W_Albrecht
Legend

In sk34812: ISP Redundancy configuration, this is done by a script for the active cluster node's routes. But this is triggered by ISP Redundancy. A cron'd script should be able to do this, so I would ask TAC!

CCSE CCTE CCSM SMB Specialist
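The cron'd-script idea from the reply above, written out as an added example; it is not code from this thread, from sk34812 or from Check Point. It polls the BGP peer state and the ping probe from the original question, and adds or withdraws the static default (the route the switches receive via redistribution) accordingly. Everything about the Gaia side is an assumption that must be checked on a real box: that `clish -c 'show bgp peers'` prints one line per peer with the peer address and a state column reading `Established` when the session is up, that `set static-route default nexthop gateway address <IP> on|off` is the clish syntax for adding and removing the static default, and the peer and next-hop addresses (RFC 5737 placeholders). The decision logic is kept in its own function so it can be exercised off-box with constructed peer-table text.

```shell
#!/bin/sh
# Added example for this thread (not Check Point code). Meant to run from cron
# on the Gaia gateway, e.g. every minute. ASSUMPTIONS, not verified on a box:
#   - "clish -c 'show bgp peers'" prints one line per peer containing the peer
#     address and a state column that reads "Established" when the session is up;
#   - "set static-route default nexthop gateway address <IP> on|off" is the clish
#     syntax that adds/removes the static default route;
#   - the peer and next-hop addresses below are placeholders (RFC 5737 ranges).

PEER_IP="${PEER_IP:-203.0.113.1}"          # WAN-side BGP peer (placeholder)
DEFAULT_GW="${DEFAULT_GW:-198.51.100.1}"   # next hop of the static default (placeholder)
PROBE_IP="${PROBE_IP:-8.8.8.8}"            # the extra ping check from the question
CLISH="${CLISH:-clish -c}"                 # how clish is invoked (assumed)
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print the clish command instead of running it

# Fall back to dry-run when clish is not on this host, so the script can be
# read and exercised off-box without touching any routing table.
if ! command -v "${CLISH%% *}" >/dev/null 2>&1; then
    DRY_RUN=1
fi

# Pure decision function: given the "show bgp peers" text, the probe result
# (1 = reachable) and the peer address, print "on" when the static default
# should exist and "off" when it should be withdrawn. Both conditions must
# hold: the session is Established AND the probe answered. grep -w keeps
# 203.0.113.1 from matching 203.0.113.10.
decide_default_route() {
    peers_output="$1"; probe_ok="$2"; peer="$3"
    if printf '%s\n' "$peers_output" | grep -Fw "$peer" | grep -qi 'established' \
       && [ "$probe_ok" = "1" ]; then
        echo on
    else
        echo off
    fi
}

# Apply the desired state. Setting a route that already exists (or removing
# one that is already gone) is treated as idempotent here. The change is
# runtime-only on purpose (no "save config"): a reboot restores the saved
# configuration and the next cron run reconciles it again.
apply_default_route() {
    state="$1"
    cmd="set static-route default nexthop gateway address $DEFAULT_GW $state"
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        $CLISH "$cmd"
    fi
}

main() {
    # Peer table from clish; empty (=> route off) if clish is absent or fails.
    peers="$($CLISH 'show bgp peers' 2>/dev/null || true)"
    probe=0
    if ping -c 2 -W 2 "$PROBE_IP" >/dev/null 2>&1; then
        probe=1
    fi
    apply_default_route "$(decide_default_route "$peers" "$probe" "$PEER_IP")"
}

main
```

Two caveats before relying on this: cron gives you one-minute granularity at best, so the switches keep a dead default for up to a minute after the peer drops, which is far slower than BFD; and because the script fails closed (any clish error or probe failure withdraws the route), a transient problem with the probe host takes the default away from every switch, so pick a probe target you actually depend on rather than an arbitrary public address.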
vinceneil666
Advisor

BFD would probably be the best option, and yeah, you could talk with your ISP about this. But do note that you can run BFD as a multihop setup too. So, if you have an available node somewhere on the internet (a router on another site, for example) you could use that one too.

Chris_Atkinson
Employee

Why not ask the ISP to advertise you the default route (default originate) and the rest will take care of itself?

CCSM R77/R80/ELITE
the_rock
Legend

Very good point Chris.
