Hi all,
Pardon the long winded post, I'm no BGP expert and a bit stuck figuring this out.
We are building out 2 new datacentres with a new ISP peer. I've previously lab'ed this setup at my previous data centre but the ISP peer did things differently. In particular, the /31 I am to broadcast my BGP range from is internal in this new setup, whereas in my lab it was addressable publically. I was initially planning to simply use the /31 to setup a simple Client VPN for me to administer remotely and be able to play with the BGP setup once the Checkpoint is racked/stacked (it's a VM). Below is a basic diagram of what I *thought* it should look like. Direct imgur link: https://i.imgur.com/SgJSrVK.png
There are two ClusterXL Checkpoints (1 per site) running 81.10. My understanding is I cannot use aliases with ClusterXL to assign one of the BGP addresses to the cluster as an alias. Right now, each has it's own mgmt server. Eventually, the ISP will be building a layer 2 circuit between the sites and the plan will be to put them on the same Checkpoint MGMT plane. In the meantime, I need to be able to access both sites independently.
The new ISP peer has given me 2 BGP ranges. (the 82.X.X.X/27s). I envisioned being able to setup BGP at both sites and leverage ASPREPEND to prefer routing to Site 1 (left) unless it goes down, which would then prefer the route to Site 2 (right). In my afromentioned lab, the /31's at each site were publically addressable. I advertised BGP via a NAT Pool. Accessed the checkpoints via the /31 and NAT'ed any customer traffic headed for the /27 BGP range to appropriate back ends. I didn't even need to assign the Checkpoint Cluster any intefaces in the BGP range.
So in this new setup I was hoping to simply rack the kit, use the /31 as my own Client VPN connectivity and tinker with BGP addressing remotely without risking losing connectivity.
However the new ISP peer has just given me the circuit details and they expect my private AS to BGP peer from a 100.64.76.x/31 to their private AS, which they then push to their core.
It now feels like I would have no choice but to marry each BGP range to a site as a result, which is undesirable but I suppose I can find a way to live with it.
But this leads me to the question: How do I go about assigning an address out of my BGP range to the Checkpoint Cluster and expose Client VPN over it? I would usually think to do that as an alias, but that's not supported in Cluster XL. I also need the Checkpoint gateways to talk to the wider internet (for update and such) via one of the BGP addresses.
Any advice and guidance much appreciated. Thanks for reading.
Edit: This seems to have been a similar setup: https://community.checkpoint.com/t5/Security-Gateways/ISP-connection-using-private-IP-with-routed-pu...