CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



Forum: Check Point Firewall-1/VPN-1 And Related Products > Dynamic Routing

#1 | Posted 4 Weeks Ago | staffino (Junior Member; Join Date: 2010-02-05; Posts: 1)
Dynamic Routing Advice

Hi,

I am a beginner with Checkpoint products but am highly skilled when it comes to networking products such as Cisco and Extreme Networks routers and switches.

Now to my question:

I am working at an enterprise with 87 branch offices all over the world, with anywhere from 1000 people down to just 2-10 people per office. Approximately half of the offices are connected with an MPLS network that we are leasing from an ISP. You can see the MPLS network as a transparent cloud: what we put in the cloud comes out on the other side.

Today we are doing all this with a static "star network" and our HQ is the HUB/Switch. From our HQ there are VPN connections over the Internet to dark fiber. Branch offices connected to the MPLS network are using the same firewall gateway, but the other sites are using their own firewall gateways.
To make offices communicate directly with each other instead of going via the HQ, I want to implement dynamic routing like OSPF. Is it possible to do this with Checkpoint firewall gateways, and does it scale? I know that Checkpoint can handle OSPF, but is it efficient enough, or must we invest in expensive dedicated routers?

All advice is welcome.

Thanks in advance

/Staffan
#2 | Posted 4 Weeks Ago | bmolnar (Member; NE Ohio; Join Date: 2009-04-14; Posts: 36)
Re: Dynamic Routing Advice

I can't speak for a scale as large as yours, but I'm running BGP on an internal R70.1 cluster with 27 neighbors and roughly 560 routes, and it works great.
#3 | Posted 4 Weeks Ago | lammbo (Senior Member; Charleston, SC; Join Date: 2006-02-09; Posts: 685)
Re: Dynamic Routing Advice

Mr Snakey published how to do your site to site traffic using MPLS and advanced routing somewhere on this forum. It's a good read if this is truly your intent.
EDIT: Here is the link to that White Paper: http://www.snakeoilresearch.com/whit...g_ospf_on.html

Having said that, if you don't mind your traffic to other sites being encrypted on your MPLS cloud and you're using domain based VPN (as opposed to route based), you can use the link selection feature with much greater ease and without purchasing the advanced routing features for SPLAT (SPLAT PRO).
To license SPLAT PRO, it's per gateway (list price):
100 $60,000
50 $40,000
25 $25,000
5 $6,000
1 $1,500


I currently use the link selection method between 4 of my sites and will be adding another 2 in the not so distant future. As long as the MPLS is up (detected by probing), the gateways will use MPLS. If the MPLS link goes down, your traffic will automatically fail over to the public circuit. When the MPLS comes back online, the traffic will fail back to the primary once the probing can sense the gateway(s) on the other side.

In my experience, the AUTOMATIC failovers happen like this:
MPLS -> Public ISP: 0 Downtime, failover is instant
Public ISP -> MPLS: 60 to 90 seconds convergence time for failback

This topic is to be the next "How To" I was planning on publishing here. If you're interested, I'll see what I can do to publish it soon.
__________________
There's no place like 127.0.0.1

Last edited by lammbo; 4 Weeks Ago at 12:26.
#4 | Posted 3 Weeks Ago | Routerkid1 (Senior Member; Join Date: 2006-12-16; Posts: 393)
Re: Dynamic Routing Advice

Quote (originally posted by lammbo):
Mr Snakey published how to do your site to site traffic using MPLS and advanced routing somewhere on this forum. It's a good read if this is truly your intent.
EDIT: Here is the link to that White Paper: White Paper: Running OSPF on Check Point Gateways for WAN failover to VPN | Snake Oil Research

Having said that, if you don't mind your traffic to other sites being encrypted on your MPLS cloud and you're using domain based VPN (as opposed to route based), you can use the link selection feature with much greater ease and without purchasing the advanced routing features for SPLAT (SPLAT PRO).
To license SPLAT PRO, it's per gateway (list price):
100 $60,000
50 $40,000
25 $25,000
5 $6,000
1 $1,500


I currently use the link selection method between 4 of my sites and will be adding another 2 in the not so distant future. As long as the MPLS is up (detected by probing), the gateways will use MPLS. If the MPLS link goes down, your traffic will automatically fail over to the public circuit. When the MPLS comes back online, the traffic will fail back to the primary once the probing can sense the gateway(s) on the other side.

In my experience, the AUTOMATIC failovers happen like this:
MPLS -> Public ISP: 0 Downtime, failover is instant
Public ISP -> MPLS: 60 to 90 seconds convergence time for failback

This topic is to be the next "How To" I was planning on publishing here. If you're interested, I'll see what I can do to publish it soon.

I would like to see your solution for doing this.
#5 | Posted 3 Weeks Ago | lammbo (Senior Member; Charleston, SC; Join Date: 2006-02-09; Posts: 685)
Re: Dynamic Routing Advice

Here is my 1st draft. Should be good enough for anyone skilled with CP. I'll clean it up later to get it posted as an official how to.

Assuming:
SPLAT gateways, single gateway or clustered
Working MPLS network

Not sure what version this came out in, I think all NGX flavors have it available for use.

Note: MPLS networks are NOT part of your encryption domain, this is only a carrier network

Example Site Information: 3 sites with an MPLS cloud/ring available
Site A - Public IP Range: 1.1.1.0 (/24)
Site A - MPLS IP Range: 1.1.2.0 (/28)
Site B - Public IP Range: 1.2.1.0 (/24)
Site B - MPLS IP Range: 1.2.2.0 (/28)
Site C - Public IP Range: 1.3.1.0 (/24)
Site C - MPLS IP Range: 1.3.2.0 (/28)

Task:
With gateways in-place currently using VPN over Public cloud, add MPLS and automatic failover/failback mechanism.

Preparatory work
1) At all 3 sites, identify and configure an unused firewall port
a) Site A: FW Interface = 1.1.2.1 (if clustered, use .2 and .3 as physical gateway IPs)
b) Site B: FW Interface = 1.2.2.1 (if clustered, use .2 and .3 as physical gateway IPs)
c) Site C: FW Interface = 1.3.2.1 (if clustered, use .2 and .3 as physical gateway IPs)
2) At all 3 sites, configure the LAN interface of the MPLS Router
a) Site A: MPLS Interface = 1.1.2.4
b) Site B: MPLS Interface = 1.2.2.4
c) Site C: MPLS Interface = 1.3.2.4
3) In Dashboard, Open each site's gateway/cluster properties. Repeat the steps below for each site.
a) Add the interface topology - YOU MUST DISABLE ANTI-SPOOFING on the interface for the MPLS network (I know of no way around this with domain based routing... yet)
b) Go to VPN -> Link selection
c) Change Link Selection to "Use a probing method:" -> "Using ongoing probing:"
d) Click on the configure button
e) Change method to "Probe using the following addresses:"
f) You can either: retrieve the addresses from topology and delete all except your public and MPLS IP OR manually add the addresses for your public and MPLS interfaces. End result is 2 IPs in your list.
g) Check the "Primary address" box and drop this box down to select your MPLS IP - Hit OK to close this popup box
h) Back at the main VPN -> Link selection properties screen again, Select the routing option to use "Operating system routing table"
i) Click OK to close Gateway/Cluster properties
4) Save changes and repeat step 3 for each site
5) Push Policy to all 3 sites

At this point, the settings are in-place and you are ready to actively cut over

Cutover
WARNING: Sites will automatically migrate to MPLS nets as peered routes are saved, so make sure it's a good time to do this part
1) Via the method of your choosing, CLI or SPLAT Web UI, you will be adding static routes at each site for the other 2 peered sites.
Note: I prefer the Web UI because there have been issues with saving routes from the CLI mentioned on this site in other posts. I will write as if this is the method used; gurus, feel free to diverge.
2) Open Web UI for Site A's gateway(s)
a) At site A, add route for Site B: 1.2.2.0/28 -> 1.1.2.4
b) At site A, add route for Site C: 1.3.2.0/28 -> 1.1.2.4
c) Close Web UI
Since only Site A changes are complete, no failover to MPLS Yet
3) Open Web UI for Site B's gateway(s)
a) At site B, add route for Site A: 1.1.2.0/28 -> 1.2.2.4 <== Tunnel for A <-> B should switch over once applied
b) At site B, add route for Site C: 1.3.2.0/28 -> 1.2.2.4
c) Close Web UI
4) Open Web UI for Site C's gateway(s)
a) At site C, add route for Site A: 1.1.2.0/28 -> 1.3.2.4 <== Tunnel for A <-> C should switch over once applied
b) At site C, add route for Site B: 1.2.2.0/28 -> 1.3.2.4 <== Tunnel for B <-> C should switch over once applied
c) Close Web UI
That's pretty much it in a nutshell... As promised, requires no route based VPN or a purchase of SPLAT PRO to do VTI. If you're willing to accept the traffic on your MPLS being encrypted, then this method is for you. Otherwise, see Mr. Snakey's free white paper for doing this in the clear with VTI and route based VPN.
http://www.snakeoilresearch.com/whit...g_ospf_on.html
__________________
There's no place like 127.0.0.1

Last edited by lammbo; 3 Weeks Ago at 05:55.
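As an added example that is not part of lammbo's posts (#3 and #5 above) and not Check Point code, the following Python model replays the cutover order against per-site OS routing tables: link selection probes the peer's MPLS address first and falls back to the public address, and a probe only counts as successful when the peer can route its reply back to the address it came from. The gateway host addresses (1.1.1.1, 1.2.1.1, 1.3.1.1), the assumption that the public cloud carries only the /24 public ranges, and the `mpls_up` flag used to simulate a carrier outage are constructed for the model; IKE/IPsec and the real probe packets are not modelled.

```python
"""Added example (not Check Point code or lammbo's): a routing-table model
of the domain-based VPN link-selection cutover described in the thread.
It simulates only route lookups and reachability, not IKE/IPsec or the
real probe packets. Addresses are the post's example ranges; the gateway
host addresses (1.1.1.1, 1.2.1.1, 1.3.1.1) are constructed for the model."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    public_ip: str        # Internet-facing interface, in the site's public /24
    mpls_ip: str          # MPLS-facing interface, in the site's MPLS /28
    mpls_router: str      # LAN address of the carrier's MPLS router
    mpls_up: bool = True  # False simulates a carrier outage at this site
    routes: dict = field(default_factory=dict)  # ip_network -> next hop

    @property
    def mpls_net(self):
        return ipaddress.ip_network(f"{self.mpls_ip}/28", strict=False)

    @property
    def public_net(self):
        return ipaddress.ip_network(f"{self.public_ip}/24", strict=False)

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = ipaddress.ip_address(next_hop)

    def egress_source(self, dst, public_nets):
        """Address a packet to dst leaves from, per the OS routing table:
        connected MPLS net, static route via the MPLS router, or the default
        route out the public interface. None means unreachable."""
        dst = ipaddress.ip_address(dst)
        if self.mpls_up and dst in self.mpls_net:
            return self.mpls_ip
        hits = [n for n in self.routes if dst in n]
        if hits:  # longest-prefix match among the static routes
            nh = self.routes[max(hits, key=lambda n: n.prefixlen)]
            if nh in self.mpls_net:
                if self.mpls_up:
                    return self.mpls_ip
            else:
                return self.public_ip
        # default route: the public cloud carries only the public ranges
        if any(dst in n for n in public_nets):
            return self.public_ip
        return None


def probe(src, peer, addr, public_nets):
    """Ongoing probing succeeds only if the probe reaches addr and the peer
    can route the reply back to the address it came from."""
    src_addr = src.egress_source(addr, public_nets)
    return src_addr is not None and peer.egress_source(src_addr, public_nets) is not None


def select_link(src, peer, public_nets):
    """Link selection 'probe using the following addresses', with the peer's
    MPLS address as primary and its public address as the fallback."""
    for label, addr in (("mpls", peer.mpls_ip), ("public", peer.public_ip)):
        if probe(src, peer, addr, public_nets):
            return label
    return None


def tunnel_matrix(gws):
    """Which link each ordered pair of gateways would use right now."""
    public_nets = [g.public_net for g in gws]
    return {(s.name, p.name): select_link(s, p, public_nets)
            for s in gws for p in gws if s is not p}


def build_sites():
    return (Gateway("A", "1.1.1.1", "1.1.2.1", "1.1.2.4"),
            Gateway("B", "1.2.1.1", "1.2.2.1", "1.2.2.4"),
            Gateway("C", "1.3.1.1", "1.3.2.1", "1.3.2.4"))


def cutover(a, b, c):
    """Replay the post's cutover order; return the tunnel state after each step."""
    gws = [a, b, c]
    state = {"before": tunnel_matrix(gws)}
    a.add_route("1.2.2.0/28", a.mpls_router)
    a.add_route("1.3.2.0/28", a.mpls_router)
    state["after_A"] = tunnel_matrix(gws)  # one-sided routes: nothing moves yet
    b.add_route("1.1.2.0/28", b.mpls_router)
    b.add_route("1.3.2.0/28", b.mpls_router)
    state["after_B"] = tunnel_matrix(gws)  # A<->B switches, C pairs still public
    c.add_route("1.1.2.0/28", c.mpls_router)
    c.add_route("1.2.2.0/28", c.mpls_router)
    state["after_C"] = tunnel_matrix(gws)  # every tunnel now on MPLS
    return state


def carrier_outage(gws, site):
    """Tunnel state while one site's MPLS link is down (restored afterwards)."""
    site.mpls_up = False
    try:
        return tunnel_matrix(gws)
    finally:
        site.mpls_up = True


if __name__ == "__main__":
    a, b, c = build_sites()
    for step, matrix in cutover(a, b, c).items():
        print(step, matrix)
    print("B MPLS down", carrier_outage([a, b, c], b))
```

Running it shows the matrix after the Site A step still entirely on the public link, which matches the post's note that nothing fails over until the peer side's route is saved; once Site B's routes are in, only the A<->B pair moves, and after Site C's routes every pair is on MPLS. A single site's MPLS outage drops only that site's tunnels back to the public circuit while the remaining pair stays on MPLS.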
#6 | Posted 3 Weeks Ago | lammbo (Senior Member; Charleston, SC; Join Date: 2006-02-09; Posts: 685)
Re: Dynamic Routing Advice

Hmmm... regarding the anti-spoofing configuration on the MPLS interface, I think an RFE is probably in order here to correct this. When you configure your interface properties, it would be nice to be able to define the interface as MPLS so that the anti-spoofing warnings you get when pushing policy would not nag you every time.

So interface choices would be:
External
Defined by this network
MPLS
and the customized field where you can use objects
__________________
There's no place like 127.0.0.1
#7 | Posted 1 Week Ago | lammbo (Senior Member; Charleston, SC; Join Date: 2006-02-09; Posts: 685)
Re: Dynamic Routing Advice

If anyone out there has now tried this and can give me the thumbs up to publish the official 'How To', that would be great. Also, please let me know if I left something out, I will include it in the stand-alone publishing.
__________________
There's no place like 127.0.0.1