Configuring SDWAN, Checkpoint eBGP, and DC Core Networking Setup

Get insights into setting up SDWAN routers with VRFs, establishing eBGP connections between SDWAN, Checkpoint firewall, and DC Core, along with the configuration details of route maps and BGP peers for effective network communication and traffic management.

  • SDWAN
  • Checkpoint
  • eBGP
  • Networking
  • Configuration


Presentation Transcript


  1. Checkpoint eBGP

  2. SDWAN Design

  3. Checkpoint eBGP with SDWan and DC Core

  4. Set-up details

     From the SDWan routers we have two VRFs that are connected as follows:

       • First VRF (vrf 2) is directly connected to the DC Core, and there is an iBGP session built between SDWan and DC Core.
       • Second VRF (vrf 840) goes through the Checkpoint FWL, as we need to filter that traffic. Therefore we built one eBGP session from SDWan to Checkpoint and another eBGP session from Checkpoint to DC Core.

     Checkpoint

       • One eBGP with each SDWan router (vrf 840 on SDWan)
           - We accept the communities 65432:1444 / 65432:2444 / 65432:3444
           - We don't advertise anything
       • One eBGP with DC Core
           - We want to advertise everything we take from SDWan, so the 65432:X444 community

     DC Core

       • One iBGP with each SDWan router (vrf2 on SDWan)
       • One eBGP with Checkpoint

     Addressing and BGP neighbours per device:

       SDWan01 (AS 65002)
         Vrf2      10.2.2.11/24
         Vrf840    10.2.234.51/28
         BGP Neigh
           10.2.2.10 (vrf2)     AS65002 - iBGP
           10.2.3.1 (vrf840)    AS65502 - eBGP

       SDWan02 (AS 65002)
         Vrf 2     10.2.2.12/24
         Vrf840    10.2.234.51/28
         BGP Neigh
           10.2.2.10 (vrf2)     AS65002 - iBGP
           10.2.3.1 (vrf840)    AS65502 - eBGP

       CheckPoint (AS65502)
         (No VRF) Vlan3      10.2.3.1/24
         (No VRF) Vlan840    10.2.234.49/28
         BGP Neigh
           10.2.3.10      AS65002 - eBGP
           10.2.234.51    AS65002 - eBGP
           10.2.234.52    AS65002 - eBGP

       DC Core (AS65002)
         (No VRF) Vlan2    10.2.2.10/24
         (No VRF) Vlan3    10.2.3.10/24
         BGP Neigh
           10.2.2.21    AS65002 - iBGP
           10.2.2.12    AS65002 - iBGP
           10.2.3.1     AS65502 - eBGP

  5. Checkpoint Routemaps

       USDA-FW01> show bgp peer 10.2.3.10 adj-rib-out route 1.2.3.4/32
       ------------------------
       EBGP Peer 10.2.3.10 (AS 65002)
       ------------------------
       Route: 1.2.3.4/32
       Path Attributes
       ORIGIN: IGP
       AS_PATH: 65502
       NEXT_HOP: 10.2.3.1
       USDA-FW01> show bgp peer 10.2.3.10 adj-rib-out route 10

     On Checkpoint we have:

       USDA-FW01> show configuration routemaps
       set routemap iBGP-Outbound id 10 on
       set routemap iBGP-Outbound id 10 allow
       set routemap iBGP-Outbound id 10 match community 2444 as 65432 on
       set routemap iBGP-Outbound id 10 match protocol bgp
       set routemap iBGP-Outbound id 15 on
       set routemap iBGP-Outbound id 15 allow
       set routemap iBGP-Outbound id 15 match network 1.2.3.4/32 all
       set routemap iBGP-Outbound id 15 match protocol static
       ## The following items are listed under their respective command sets
       ## (e.g. "set bgp") and are displayed here for informational purposes:
       # set bgp external remote-as 65002 peer 10.2.3.10 export-routemap iBGP-Outbound preference 1 family inet on
       USDA-FW01>

       10.5.101.24/29 10.160.253.253/32
       USDA-FW01> show bgp peer 10.2.3.10 adj-rib-out route 10.5
       USDA-FW01> show bgp peer 10.2.3.10 adj-rib-out route 10.5.101.24/29
       ------------------------
       EBGP Peer 10.2.3.10 (AS 65002)
       ------------------------
       Route: 10.5.101.24/29
       Path Attributes
       ORIGIN: Incomplete
       AS_PATH: 65502 65002 65002 65002 65002 65002 65002 65444
       NEXT_HOP: 10.2.3.1
       COMMUNITIES: 65432:2444
       ORIGINATOR_ID: 10.2.253.101
       USDA-FW01>

       USDA-FW01> show bgp peer 10.2.3.10 advertise
       IPv4 Route           MED     LocalPref    Nexthop     Communities
       1.2.3.4/32           None    N/A(EBGP)    10.2.3.1
       10.5.101.24/29       None    N/A(EBGP)    10.2.3.1    65432:2444
       10.160.253.253/32    None    N/A(EBGP)    10.2.3.1    65432:2444
       USDA-FW01>

     Which route map id each advertised route matched:

       • 1.2.3.4/32: MATCH id 15 -> ADVERTISED STATIC
       • 10.5.101.24/29: MATCH id 10 -> ADVERTISED what we received from SDWan
       • 10.160.253.253/32: MATCH id 10 -> ADVERTISED what we received from SDWan

  6. DC Core

     On DC Core we have:

       USDA-DIST-VSS#sh ip bgp all nei 10.2.3.1 received-routes
       For address family: IPv4 Unicast
       BGP table version is 1963794, local router ID is 10.2.2.10
       Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                     r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                     x best-external, a additional-path, c RIB-compressed,
                     t secondary path, L long-lived-stale,
       Origin codes: i - IGP, e - EGP, ? - incomplete
       RPKI validation codes: V valid, I invalid, N Not found

            Network          Next Hop            Metric LocPrf Weight Path
        *>  1.2.3.4/32       10.2.3.1                               0 65502 i

       Total number of prefixes 1

       For address family: IPv4 Label-Unicast
       BGP table version is 1963794, local router ID is 10.2.2.10
       Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                     r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                     x best-external, a additional-path, c RIB-compressed,
                     t secondary path, L long-lived-stale,
       Origin codes: i - IGP, e - EGP, ? - incomplete
       RPKI validation codes: V valid, I invalid, N Not found

            Network          Next Hop            Metric LocPrf Weight Path
        *>  1.2.3.4/32       10.2.3.1                               0 65502 i

       Total number of prefixes 1
       USDA-DIST-VSS#
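
The export policy from slide 5 and the DC Core result from slide 6, modelled in Python as an added example (not code from the presentation). The implicit deny for unmatched routes, the AS_PATH used for 10.160.253.253/32, the 192.0.2.0/24 route and the receiver-side AS_PATH loop check are assumptions made here; the slides do not state why DC Core lists a single prefix.

```python
from ipaddress import ip_network

# Export route-map iBGP-Outbound as shown in "show configuration routemaps".
ROUTEMAP = [
    {"id": 10, "protocol": "bgp", "community": "65432:2444"},
    {"id": 15, "protocol": "static", "network": "1.2.3.4/32"},
]

SDWAN_PATH = [65002] * 6 + [65444]  # AS_PATH from the slide, before 65502 is prepended
ROUTES = [
    {"prefix": "1.2.3.4/32", "protocol": "static", "communities": [], "as_path": []},
    {"prefix": "10.5.101.24/29", "protocol": "bgp",
     "communities": ["65432:2444"], "as_path": SDWAN_PATH},
    # AS_PATH for this prefix is not on the page; assumed equal to the one above.
    {"prefix": "10.160.253.253/32", "protocol": "bgp",
     "communities": ["65432:2444"], "as_path": SDWAN_PATH},
    # Constructed route carrying a community the route-map does not list.
    {"prefix": "192.0.2.0/24", "protocol": "bgp",
     "communities": ["65432:9999"], "as_path": [65002, 65444]},
]

def export_match(route):
    """Return the id of the first route-map entry allowing the route, else None."""
    for entry in ROUTEMAP:
        if entry["protocol"] != route["protocol"]:
            continue
        if "community" in entry and entry["community"] not in route["communities"]:
            continue
        if "network" in entry and not ip_network(route["prefix"]).subnet_of(
                ip_network(entry["network"])):  # "all": the network and more-specifics
            continue
        return entry["id"]
    return None  # assumption: routes matching no id are not exported

def advertise(routes, local_as=65502):
    """Build the updates sent to the eBGP peer, prepending the local AS."""
    return [{**r, "matched_id": export_match(r), "as_path": [local_as] + r["as_path"]}
            for r in routes if export_match(r) is not None]

def accepted_by(peer_as, updates):
    """Receiver-side eBGP loop check: drop paths already containing peer_as."""
    return [u["prefix"] for u in updates if peer_as not in u["as_path"]]

if __name__ == "__main__":
    sent = advertise(ROUTES)
    for u in sent:
        print(u["prefix"], "id", u["matched_id"], "AS_PATH", u["as_path"])
    print("accepted by AS 65002:", accepted_by(65002, sent))
```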
