This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Harald_Hansen
Advisor
Advisor
‎2020-10-30 03:23 PM

OSPF and routemaps

OSPF routemaps are a bit curious and I cannot understand why these two configurations do not exclude the default gateway.

The goal is to distribute all static routes into a transport VRF, except the default gateway. This is a VPN-Gateway with a couple cores, the main GW is an appliance with a lot more capacity, though we do not want to terminate VPN tunnels due to compatibility issues. The main GW will also announce itself as the default GW with OSPF into the transport VRF.

The network should only know the routes that are going into the VPN enc domains, defined by statically routing them towards the default gw on the gateway external side.

 

set routemap ospfout id 9 on
set routemap ospfout id 9 restrict
set routemap ospfout id 9 match network 0.0.0.0/0 exact
set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match protocol static
set ospf instance default export-routemap ospfout preference 10 on

 

The above does not work even if the order is reversed.

 

set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default gw> on
set routemap ospfout id 10 match protocol static
set routemap ospfoutrestrict id 10 on
set routemap ospfoutrestrict id 10 restrict
set routemap ospfoutrestrict id 10 match network 0.0.0.0/0 exact
set ospf instance default export-routemap ospfout preference 10 on
set ospf instance default export-routemap ospfoutrestrict preference 9 on

 

This version didn't exclude the default route either, I also tested variants of the above with no luck.

I ended up with a trick, which works since this is a simple setup:

set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match network 0.0.0.0/0 refines
set routemap ospfout id 10 match protocol static

The trick is that refines is "less than", it covers all routes that are not 0.0.0.0/0, which is the widest mask possible.

Do you have any insight in why the Cisco way in my first couple examples don't work with CP routed? I've seen configuration examples with my second configuration, though is there something new with R80.40 OSPF? 

I tried to get some help from TAC, though they closed the issue as soon as I reported the workaround above. Not at all happy with getting no answers, especially on a premium support contract.

0 Kudos
4 Replies
funkylicious
Advisor
‎2020-10-30 09:48 PM

Hi,
A simpler solution would be to just configure in the routemap the exact routes that you are trying to advertise into OSPF and this way you can be more granular and exempt the default route 0.0.0.0 . 

0 Kudos
Harald_Hansen
Advisor
Advisor
‎2020-10-31 03:01 AM
In response to funkylicious

Hi,

That is not simpler. In stead of doing `set static-route x/y next-hop gateway address <default-gw>` you have to add the static-route (since a larger route could exist from the other peers) and the ospf routemap. That will be 5 times the number of lines in clish, which bloats the database. 

PS! I also noticed the last code snippet was lost, the editor is not good with safari.

Br,
Harald

0 Kudos
RoyS
Employee
Employee
‎2020-11-01 01:58 AM

Hi ,

Please add “match protocol static “ into ID 9 and retest .

set routemap ospfout id 9 restrict

set routemap ospfout id 9 match protocol static

set routemap ospfout id 9 match network 0.0.0.0/0 exact

set routemap ospfout id 10 on

set routemap ospfout id 10 allow

set routemap ospfout id 10 match nexthop <default-gw> on

set routemap ospfout id 10 match protocol static

set ospf instance default export-routemap ospfout preference 10 on

Thanks

Roy

0 Kudos
Harald_Hansen
Advisor
Advisor
‎2020-11-01 11:55 PM
In response to RoyS

Hi,

If it is a requirement to have a match on protocol as well as network, why is that not part of your documentation? I think this document (https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminG...) should be the sole source of truth regarding routemaps.

How do I request revisions/suggest improvements to the documentation package like one can do on SKs? The only way to respond to the page above is a yes/no question way down on the page. 

Br,
Harald

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top