CPUG: The Check Point User Group


Thread: Is anyone an OSPF expert here? I have a lot of doubts about OSPF

  1. #1

    Hi Guys,

    Please let me know if any OSPF experts are here, or PM me, as I have a lot of doubts about running OSPF on CP and the scenario that I am considering.

    Thanks and Regards,
    Blason

  2. #2

    Quote Originally Posted by blason:
    Hi Guys,

    Please let me know if any OSPF experts are here, or PM me, as I have a lot of doubts about running OSPF on CP and the scenario that I am considering.

    Thanks and Regards,
    Blason

    What is your concern? Gaia is working rather well with OSPF.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3

    Hey there,

    In my other thread I had specified the issue; however, here is my concern. I have a HO firewall and a Branch firewall with MPLS and an Internet line, and have a VPN as a backup, which is VTI, and built OSPF over MPLS as well as VTI. Internet at the remote end is being catered locally; however, what I need is: if MPLS fails, I want that Branch firewall's default gateway to be pointed at the MPLS end so that at least they will start getting the Internet. So, would it be possible using OSPF, or is any other alternative available?

    And can we split the traffic using OSPF, as I need some of the traffic to be pushed to MPLS and some through the VPN tunnel?

  4. #4

    Quote Originally Posted by blason:
    Hey there,

    In my other thread I had specified the issue; however, here is my concern. I have a HO firewall and a Branch firewall with MPLS and an Internet line, and have a VPN as a backup, which is VTI, and built OSPF over MPLS as well as VTI. Internet at the remote end is being catered locally; however, what I need is: if MPLS fails, I want that Branch firewall's default gateway to be pointed at the MPLS end so that at least they will start getting the Internet. So, would it be possible using OSPF, or is any other alternative available?

    And can we split the traffic using OSPF, as I need some of the traffic to be pushed to MPLS and some through the VPN tunnel?

    I have a customer using OSPF for just what you have described. No issues.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5

    Oh no, what I wanted to know is how do I push a default route only when the Internet link has failed, and how do I add that route into the OSPF domain then?

  6. #6

    Quote Originally Posted by blason:
    Oh no, what I wanted to know is how do I push a default route only when the Internet link has failed, and how do I add that route into the OSPF domain then?

    What you are asking is OSPF basics, nothing to do with Check Point. Check this link, specifically the "generating default route" paragraph: http://www.cisco.com/c/en/us/td/docs...html#wp1085967
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7

    Quote Originally Posted by blason:
    Oh no, what I wanted to know is how do I push a default route only when the Internet link has failed, and how do I add that route into the OSPF domain then?

    That will prove tricky, but not impossible. You also have to mention the OS you attempt this on. Is it Gaia or Gaia Embedded? Gaia clearly gives you more room, and using route-maps with redistribution would help you do that.
    I think there's a general consensus here on the forum that for "advanced routing scenarios" CP boxes are not recommended; still, this will also depend on your skill and flexibility to learn the protocol (if the case). When I had to deploy it internally I aimed for a virtual lab. Trouble was that I had to use Gaia Embedded and there's no virtualization available at this time for that. So I asked our CP vendor to send me four 1100 appliances and played with them for a couple of weeks until I could achieve our business requirements.

  8. #8

    Right, and I completely agree that this is not related to Check Point, but since I have a CP 12000 and a CP 1100 appliance, which have Gaia and Gaia Embedded respectively, I am considering the options. Again, I feel it's tricky because when the Branch firewall has the Internet link up it will continue to carry the Internet-based traffic; when the ILL [Internet Leased Line] fails, since I have MPLS up, I need to move my default GW to my HO firewall so that Internet will keep on flowing from there?

  9. #9

    Quote Originally Posted by blason:
    Right, and I completely agree that this is not related to Check Point, but since I have a CP 12000 and a CP 1100 appliance, which have Gaia and Gaia Embedded respectively, I am considering the options. Again, I feel it's tricky because when the Branch firewall has the Internet link up it will continue to carry the Internet-based traffic; when the ILL [Internet Leased Line] fails, since I have MPLS up, I need to move my default GW to my HO firewall so that Internet will keep on flowing from there?

    You can do that; ask for a maintenance window: manually kill the Internet connection on a branch, then redistribute the static route on the 4800 into OSPF.
    Make a routing table picture on the 1100:
    - now
    - after you kill Internet connection
    - after you redistribute default route over OSPF (with local IC down)
    - after you redistribute default route over OSPF (with local IC up)

    Based on those 4 pictures, we can tweak protocol rank on CP boxes and solve this.

  10. #10

    hmmm..seems to be complicated :(

    Anyway, let me do that and get back to you with my findings.

  11. #11

    Quote Originally Posted by blason:
    hmmm..seems to be complicated :(

    Anyway, let me do that and get back to you with my findings.

    But you will learn a lot!
    I saw you're looking for some quick recipes on how to configure OSPF, but without some OSPF depth what will you do if something doesn't work as expected?

  12. #12

    Just so I understand this. Basically you want the remote office to do the following.

    Use local Internet for inet access
    Use MPLS for internal access.

    If inet goes down, start using MPLS for Internet
    If MPLS goes down, start using VPN for WAN access

    Correct?

  13. #13

    You da man ;) This is what I would like to achieve. I mean, if MPLS is down anyway, since the remote firewall has Internet working, let the Internet flow from there only, but the tunnel should come up for internal access.

    Do you have solution for this?

  14. #14

    Quote Originally Posted by blason:
    You da man ;) This is what I would like to achieve. I mean, if MPLS is down anyway, since the remote firewall has Internet working, let the Internet flow from there only, but the tunnel should come up for internal access.

    Do you have a solution for this?

    Are you using BGP on the MPLS router?

  15. #15

    hmm..I am not sure, since that is owned by the MPLS provider and I do not have access to those. Anyway, that can be confirmed with them. Will it matter, by the way? I am sorry, I am not a pro in dynamic routing.

  16. #16

    Quote Originally Posted by blason:
    hmm..I am not sure, since that is owned by the MPLS provider and I do not have access to those. Anyway, that can be confirmed with them. Will it matter, by the way? I am sorry, I am not a pro in dynamic routing.

    So, still thinking about this. What makes this a little complicated is OSPF over VTI to the HQ firewall.

    This is what I'm thinking so far.

    Remote MPLS router advertising all routes as external type 2. This includes the default route (technically maybe only needed on the default route).

    Have the remote firewall advertise a default route based on a default route existing in its route table (a normal OSPF route, so it's taken over the MPLS default route). You can use the monitor Internet connection, I think, to make the firewall drop the default route if the inet connection dies.

    So this should make the remote site take MPLS for all known internal network routes and go to the firewall for the default route.

    This also assumes MPLS is talking BGP and BGP routes are put into the OSPF area. This also assumes the OSPF area doesn't exist beyond the remote's network. Also that OSPF-learned routes are NOT put back into BGP.

    Now... if BGP dies, the default route at the remote should land traffic on the remote firewall.

    Now... the question is what to do about the MPLS network. Without VTI it's a little more simple, because you're basically done. If the remote network's MPLS goes down then HQ loses the route also and everyone hits the VPN firewall via the default route. If you want you could also make the VPN full mesh, just make sure it's set to 1 VPN per gateway, otherwise you might end up with a crazy amount of VPN tunnels.

    Still thinking how to add OSPF over VTI. The problem is you don't want to create a sym route path (MPLS out, VPN in, for example).
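As an added example that is not part of the thread, here is a small Python model of the route selection that replies #9 and #16 reason about: the 1100's own choice between its monitored static default and the OSPF default learned via MPLS, decided by protocol rank, and a branch LAN router's choice between the firewall's default and the MPLS CE's type-2 external default, decided by OSPF path type. The rank values, next-hop labels, costs and the firewall originating its default as E1 are assumptions, not anything the posters stated.

```python
from dataclasses import dataclass

# Protocol ranks are constructed for this example (lower wins); the thread
# does not state Gaia's defaults, so check yours before relying on them.
PROTOCOL_RANK = {"static": 1, "ospf": 10}
# RFC 2328 section 16.4: intra-area > inter-area > type-1 external > type-2
# external, compared before cost.
OSPF_PATH_PREF = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}

@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    nexthop: str
    path_type: str = "intra"   # OSPF path type; ignored for static routes
    cost: int = 0

def rank_key(r, ranks=PROTOCOL_RANK):
    """Sort key: protocol rank, then OSPF path type, then cost."""
    ospf_pref = OSPF_PATH_PREF[r.path_type] if r.protocol == "ospf" else 0
    return (ranks[r.protocol], ospf_pref, r.cost)

def rib(candidates, ranks=PROTOCOL_RANK):
    """Keep the single best route per prefix, as a router's RIB would."""
    best = {}
    for r in candidates:
        if r.prefix not in best or rank_key(r, ranks) < rank_key(best[r.prefix], ranks):
            best[r.prefix] = r
    return best

def branch_fw_default(inet_up, mpls_up, ranks=PROTOCOL_RANK):
    """Post #9's angle: the 1100's own default, static versus OSPF by rank."""
    c = []
    if inet_up:   # monitored static default; withdrawn when the ISP link dies
        c.append(Route("0.0.0.0/0", "static", "ISP"))
    if mpls_up:   # HO redistributes its default; arrives over MPLS as E2 (assumed)
        c.append(Route("0.0.0.0/0", "ospf", "HO-VIA-MPLS", "E2", 20))
    r = rib(c, ranks).get("0.0.0.0/0")
    return r.nexthop if r else None

def branch_lan_default(inet_up, mpls_bgp_up):
    """Post #16's angle: what a LAN router behind the branch firewall installs."""
    c = []
    if mpls_bgp_up:  # CE router redistributes BGP into OSPF as type-2 externals
        c.append(Route("0.0.0.0/0", "ospf", "MPLS-CE", "E2", 20))
    if inet_up:      # firewall originates a default only while it holds one
        c.append(Route("0.0.0.0/0", "ospf", "BRANCH-FW", "E1", 10))  # E1 assumed
    r = rib(c).get("0.0.0.0/0")
    return r.nexthop if r else None
```

Passing a rank table with OSPF ranked above static to branch_fw_default shows why post #9 wants the four routing-table snapshots before touching protocol rank: the MPLS default would then win even while the local ISP link is up.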
