CPX 360 Wrap-Up
20th April
Check Point
Knowledge Nuggets
As the Cyber World Turns:
A Strategy to Increase Security Efficiency
The New Era of
Email Security
Check Point Harmony
An In-Depth Look
Hello,
I'll ty to describe my problem.
Wa have 2 DataCenters, connected via Fibre, so that we have a Layer-2 Network.
Now we got a redundant Link to an external provider-network. A VS on our Checkpoint Firewall is the BGP Endpoint.
One Router of the provider is connected to VLAN901 in DC1 and the other one to VLAN902 in DC2.
Both Firewall Cluster-Members should be able to use both links for maximum redundancy.
So we created 2 BGP pairs on the firewall, one for VLAN901 and one for VLAN902.
Both sessions are working without problems.
As the traffic should use the shortest way we set a local preference on each VS for the local peer with the shortest distance.
Both members work as expected, but if we do a failover, we have an outage of more than 30 seconds (I didn't count it)
Have you got any advise to prevent the outage or to reduce it?
Thanks,
Jan
configuration:
DC1:
set bgp external remote-as 15763 on
set bgp external remote-as 15763 description xyz
set bgp external remote-as 15763 export-routemap "xyz_out" preference 10 on
set bgp external remote-as 15763 import-routemap "xyt_in" preference 10 on
set bgp external remote-as 15763 peer 10.255.9.33 on
set bgp external remote-as 15763 peer 10.255.9.37 on
set bgp external remote-as 15763 peer 10.255.9.37 aspath-prepend-count 5
set routemap xyz_in id 10 on
set routemap xyz_in id 10 allow
set routemap xyz_in id 10 match neighbor 10.255.9.33 on
set routemap xyz_in id 10 match prefix-list pf_xyz_in preference 10 on
set routemap xyz_in id 10 match protocol bgp
set routemap xyz_in id 10 action localpref 10
set routemap xyz_in id 20 on
set routemap xyz_in id 20 allow
set routemap xyz_in id 20 match neighbor 10.255.9.37 on
set routemap xyz_in id 20 match prefix-list pf_xyz_in preference 10 on
set routemap xyz_in id 20 match protocol bgp
set routemap xyz_in id 20 action localpref 5
set routemap xyz_out id 20 on
set routemap xyz_out id 20 allow
set routemap xyz_out id 20 match prefix-list pf_xyz_out preference 10 on
set routemap xyz_out id 20 match protocol direct
set prefix-list pf_xyz_in sequence-number 10 prefix 172.16.4.0/22 exact
set prefix-list pf_xyz_out sequence-number 10 prefix 10.255.9.36/30 exact
set prefix-list pf_xyz_out sequence-number 20 prefix 10.255.9.32/30 exact
set prefix-list pf_xyz_out sequence-number 30 prefix 172.16.3.0/24 exact
DC2:
set bgp external remote-as 15763 on
set bgp external remote-as 15763 description xyz
set bgp external remote-as 15763 export-routemap "xyz_out" preference 10 on
set bgp external remote-as 15763 import-routemap "xyz_in" preference 10 on
set bgp external remote-as 15763 peer 10.255.9.33 on
set bgp external remote-as 15763 peer 10.255.9.33 aspath-prepend-count 5
set bgp external remote-as 15763 peer 10.255.9.37 on
set routemap xyz_in id 10 on
set routemap xyz_in id 10 allow
set routemap xyz_in id 10 match neighbor 10.255.9.37 on
set routemap xyz_in id 10 match prefix-list pf_xyz_in preference 10 on
set routemap xyz_in id 10 match protocol bgp
set routemap xyz_in id 10 action localpref 10
set routemap xyz_in id 20 on
set routemap xyz_in id 20 allow
set routemap xyz_in id 20 match neighbor 10.255.9.33 on
set routemap xyz_in id 20 match prefix-list pf_xyz_in preference 10 on
set routemap xyz_in id 20 match protocol bgp
set routemap xyz_in id 20 action localpref 5
set routemap xyz_out id 20 on
set routemap xyz_out id 20 allow
set routemap xyz_out id 20 match prefix-list pf_xyz_out preference 10 on
set routemap xyz_out id 20 match protocol direct
set prefix-list pf_xyz_in sequence-number 10 prefix 172.16.4.0/22 exact
set prefix-list pf_xyz_out sequence-number 10 prefix 10.255.9.36/30 exact
set prefix-list pf_xyz_out sequence-number 20 prefix 10.255.9.32/30 exact
set prefix-list pf_xyz_out sequence-number 30 prefix 172.16.3.0/24 exact
Chris_Atkinson
Configuring graceful-restart for each peer is probably desirable here.
Hello,
I will try this when I have a maintenance window.
bfd ?
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY
.png){kind=link}