This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Austin_Ponten
Participant
Participant
‎2023-06-14 07:04 AM
Jump to solution

What is the best way to redistribute all interfaces and Static routes into BGP?

 

BGP_LAB.jpg

 

 

 

Hi, looking to optimize this BGP implementation for a customer, and I am doing this for the first time so I read these:

https://dl3.checkpoint.com/paid/f3/f313d7128484db88a73976b2d9e886ae/CP_R77.20.60_600_700_1100_1200R_...

https://support.checkpoint.com/results/sk/sk100501

https://community.checkpoint.com/t5/Security-Gateways/announcing-Routes-via-BGP/td-p/8154#

 

But I am having trouble understanding why my route maps and route-redistribution statements are not working and wondering if someone has a better guide to tell me how to simply advertise ALL connected interfaces and ALL static routes and I can work from there. 

So far I have tried SEVERAL variations of route maps but this is a general one:

set routemap bgp-inbound id 1 on

set routemap bgp-inbound id 1 allow

set routemap bgp-outbound id 1 on

set routemap bgp-outbound id 1 allow

set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 on

set bgp external remote-as 65000 import-routemap bgp-inbound preference 1 on

set bgp internal import-routemap bgp-inbound preference 1 on

set bgp internal export-routemap bgp-outbound preference 1 on

set route-redistribution to bgp-as 65000 from interface all on

set route-redistribution to bgp-as 65000 from static-route all-ipv4-routes on

 

Show_route.jpg

 

This 10.0.0.0/8 is the static route I would like to be distributed into BGP.

 

Peers_Advertised_Routes.jpg

 

I dont see it advertised... 

 

 

What is the most optimal way to fix this? I don't want to advertise every single static route as per Lesley_Willems2 solution in https://community.checkpoint.com/t5/Security-Gateways/announcing-Routes-via-BGP/td-p/8154# 

 

Any help is appreciated, and Ill try to clarify things that I have overcomplicated 🙂

 

-A

 

0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Authority
Authority
‎2023-06-15 03:50 AM
Jump to solution

If you want to propagate ALL IPv4 directly connected interfaces AND also ALL IPv4 static routes:

 

set routemap bgp-outbound id 1 on
set routemap bgp-outbound id 1 allow
set routemap bgp-outbound id 1 match as 65000 on
set routemap bgp-outbound id 1 match protocol direct
set routemap bgp-outbound id 2 on
set routemap bgp-outbound id 2 allow
set routemap bgp-outbound id 2 match as 65000 on
set routemap bgp-outbound id 2 match protocol static
set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

 

Only static routes pointing to nexthop IP address of 0.0.0.0 (in your case only static route 10.0.0.0/8):

 

set routemap bgp-outbound id 1 on
set routemap bgp-outbound id 1 allow
set routemap bgp-outbound id 1 match as 65000 on
set routemap bgp-outbound id 1 match nexthop 0.0.0.0 on
set routemap bgp-outbound id 1 match protocol static
set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

 

Best practise is first restrict everything which is not desired to be propagated over BGP (sync, internal networks, default gateway, ...), and after that allow all what is really needed to be propagated.

Kind regards,
Jozko Mrkvicka

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-06-14 11:53 AM
Jump to solution

Are you also redistributing kernel routes?
Pretty sure this is needed here.
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminG... 

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-06-15 03:50 AM
Jump to solution

If you want to propagate ALL IPv4 directly connected interfaces AND also ALL IPv4 static routes:

 

set routemap bgp-outbound id 1 on
set routemap bgp-outbound id 1 allow
set routemap bgp-outbound id 1 match as 65000 on
set routemap bgp-outbound id 1 match protocol direct
set routemap bgp-outbound id 2 on
set routemap bgp-outbound id 2 allow
set routemap bgp-outbound id 2 match as 65000 on
set routemap bgp-outbound id 2 match protocol static
set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

 

Only static routes pointing to nexthop IP address of 0.0.0.0 (in your case only static route 10.0.0.0/8):

 

set routemap bgp-outbound id 1 on
set routemap bgp-outbound id 1 allow
set routemap bgp-outbound id 1 match as 65000 on
set routemap bgp-outbound id 1 match nexthop 0.0.0.0 on
set routemap bgp-outbound id 1 match protocol static
set bgp external remote-as 65000 export-routemap bgp-outbound preference 1 family inet on

 

Best practise is first restrict everything which is not desired to be propagated over BGP (sync, internal networks, default gateway, ...), and after that allow all what is really needed to be propagated.

Kind regards,
Jozko Mrkvicka
0 Kudos
Austin_Ponten
Participant
Participant
‎2023-06-15 06:50 AM
In response to JozkoMrkvicka
Jump to solution

Wow, thanks for the detailed answer! 

I will test this and get back on the results when I have time.

-A

Austin_Ponten
Participant
Participant
‎2023-06-16 12:29 AM
In response to JozkoMrkvicka
Jump to solution

Works right away!  Now I see what you mean by it advertises everything including the sync interface...

So should I then start with the restrictions like this? 

set routemap bgp-outbound id 1 on
set routemap bgp-outbound id 1 restrict
set routemap bgp-outbound id 1 match as 65000 on
set routemap bgp-outbound id 1 match interface Sync on

 

Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events