This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hllrdm
Contributor
‎2022-09-02 03:33 AM

VRF in Check Point

We need to isolate the networks of different enterprises.
At the L2 level - there will be a separation of vlan, at the routing level VRF.
Between the L3 switch and the router is a Check Point cluster. OSPF is configured between the switch, the cluster, and the router to receive routing tables.
We want to isolate the routing for each of the networks, in Cisco terminology use VRF. Is Check Point available to create virtual routing tables (VRF) within the cluster or do we need to create a VSX?
We need to build an additional OSPF link (a Check Point cluster with a switch and router), with an isolated routing table, in addition to OSPF with global routing table translation.

VRF.jpg

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-09-02 03:40 AM

You can configure multiple OSPF instances/domains with R81+

Configuring IPv4 OSPFv2 Multiple Instances (checkpoint.com)

But if you require full VRF like separation this is what VSX (Virtual Systems) is used for within Check Point.

 

CCSM R77/R80/ELITE
0 Kudos
Hllrdm
Contributor
‎2022-09-02 03:42 AM
In response to Chris_Atkinson

Can you tell me, if we use OSPF instances/domains, can we separate the routing for different area and the tables will not overlap?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-09-02 04:09 AM
In response to Hllrdm

The Check Point gateway would only have one routing table for it's own forwarding decisions but the OSPF info shared with neighbors/interfaces is specific to the corresponding domains unless specific redistribution is configured.

This may not be sufficient depending on the given scenario but your diagram isn't super detailed in conveying what the objective is. 

CCSM R77/R80/ELITE
0 Kudos
Hllrdm
Contributor
‎2022-09-02 05:07 AM
In response to Chris_Atkinson

I have read the manual for setting up two or more OSPF instances. This solution works for us.
We still do not understand the "You can manually configure route maps to filter and redistribute routes from one domain into another domain" part of the admin guide. Does this need to be configured in the Route Redistributions window?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-09-02 05:24 AM
In response to Hllrdm

Basic route filters & redistribution can be done in the Web UI.

Advanced policy via route-maps are done in CLISH (CLI) where required refer sk100501 for supplementary info to that in the admin guide amongst other sources.

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events