Help Setting up BGP with two ISP providers and 1 Checkpoint Firewall VPN-1 UTM running SPLAT

Posted on 2008-06-24
Last Modified: 2013-12-20
We have a Checkpoint NGX R65 VPN-1 UTM Firewall running SPLAT. It has 3 interfaces: 1 public interface (to our T1 router), 1 DMZ interface, 1 internal LAN interface.

We are wanting to have another ISP for Internet redundancy and wanted to implement BGP. However, I've read conflicting information regarding the physical & logical implementation. Here is my understanding of how we can implement BGP with our current configuration. WE DO NOT have the option of running another firewall.

First some questions to get out of the way:

1. We don't need to do anything with the firewall, correct? BGP is done at the router level and then it just hands the packets to the firewall? So no need to change anything on the Checkpoint firewall?

2. BGP does not load balance, but I can pre-determine what provider to use as the primary, correct?

3. Packets never flow from both routers at the same time in a BGP setup, right? It's either going to be one ISP's router talking at a time, not both?

Regarding the physical implementation:
Assuming I pick up another provider, say XO Communications, for our 2nd provider and they supply us with a BGP-capable router... Can I then just unplug the Cat5 connection from our primary router (Verizon) from the public interface on the firewall, introduce a shared hub, then plug both the Verizon and XO routers into the shared hub, then plug the public interface of the firewall into the shared hub so that all 3 devices can see each other... then let BGP do its thing?

Regarding the logical routing:
I assume that I can have 1 provider be the primary ISP and be used all the time unless it is unavailable. In this situation, I'd like the XO provider to take inbound traffic to the IPs that were originally assigned by our Verizon provider. We'd also like to have all outbound traffic always use XO as it is likely going to be a fatter pipe.

I'm to understand that, in a nutshell:
1. Apply for an ASN.
2. Set up BGP with each router.
3. Hook up each router to the firewall.

Please advise on the above and anything worth noting that may be an issue from my limited description.
Question by:rdelrosario
Expert Comment

by:fileinster
ID: 21860354
Hi rdelrosario,

Firstly, if you want to peer with 2 ISPs using BGP you will indeed need an ASN. This is the only way to peer with multiple ISPs and have routing information given and received to and from both providers.

However, if you had two connections to the same ISP you may come to an agreement wherein you could use a private AS number (from 64512 to 65535) and the ISP would strip this ASN before any traffic left their network onwards towards the big wide world. Theoretically you could do this with multiple ISPs, but it would be messy. In any case none of these options are the preferred methods, and ISPs don't usually provide this unless you are on some sort of private network, not the Internet.

Now to answer your points:

1. You can run BGP on the Checkpoint, but a Cisco router is a lot more clever when it comes to BGP, and will take the processing away from the firewall. All you have to do is make sure the firewall has the appropriate routes for the inside and everything else it sends to the Internet.

2. BGP CAN load balance, or it cannot. It depends how you want to configure it. However, that is only really true for outgoing traffic. If you are peering with multiple ISPs, where the traffic comes from will depend on where the client is on the Internet. For example, if two clients are direct customers of each ISP, when both links are working then the traffic will come from each respective link. However, if one link fails all traffic will route down the existing link, once the Internet routing table has converged.

3. See above. It depends on your setup. You can configure BGP to prefer one link and only use the other if the first goes down, or you can use both. That's one of the great things about BGP: how granular and tweakable it is.


Does that answer your question?

Author Comment

by:rdelrosario
ID: 21860689
When you say you can run BGP on the Checkpoint, can you elaborate? I thought BGP is all done at the router level and I need not do anything with the firewall. Specifically, can I do all the BGP at the router and just hand off to the firewall without making ANY changes to the firewall?

Please re-read the very important section labeled PHYSICAL IMPLEMENTATION in my original post. Assuming the above statements are correct in that I need not do anything with my firewall, can I connect the 3 devices (1st ISP, 2nd ISP and firewall) all to a shared hub and have each router talk to the firewall when it needs to for both inbound and outbound?

Expert Comment

by:fileinster
ID: 21860740
The Checkpoint SPLATs CAN run BGP, if you want, but this is usually for complicated setups that I won't go into. For your situation, yes, just run BGP on the routers, no BGP on the firewalls. I probably muddied the waters throwing that in!

You will, however, ideally want to run a dynamic routing protocol between the two BGP speakers and the firewall, so the firewall knows where to send the traffic. Another option would be to use HSRP or GLBP, but these are not as good solutions. The firewall needs to know where to send its traffic and must have a method to choose between the two routers. Do you want to load-balance or do you want to have a primary/standby setup?

PS, when you say 'shared hub' I hope you mean switch!!!

Author Comment

by:rdelrosario
ID: 21875153
Fileinster,

I see what you're saying about how to tell the firewall what router to pass the packets to. How do you deploy a mechanism that tells the firewall what router to talk to? On that note, I am to understand that BGP doesn't do load balancing so I'm not expecting that, but I do want to have 1 be the primary all the time for inbound/outbound traffic and only have the other one as a standby. Is this possible and how can you do this?

Worst case scenario, can I just keep 1 router unplugged until we have an outage scenario (then I can manually plug the other router in)? In this mode I assume all I would have to do is manually change the firewall to route all traffic to the UP router.

Please advise... and thanks for your expertise in advance.

Expert Comment

by:fileinster
ID: 21877301
You can configure the Checkpoint to talk via a routing protocol (OSPF) to the routers, or you can use a gateway load-balancing protocol (GLBP).

Also, BGP can load balance if you set it up that way.

Your worst case scenario will work, but it won't have dynamic failover which is what you want in that setup. If you were to do it that way you could configure both routers with the same IP, but don't do that: even an HSRP (Hot standby router) solution would be better than that! You would have to configure HSRP to track the interface or a route from that interface.

If you tell me what your preferred option is I could bang out a sample config.

Author Comment

by:rdelrosario
ID: 21878293
Could you give me a little insight into how OSPF and GLBP differ in implementation? Specifically, am I to assume that these are totally configured as outbound routes on the Checkpoint firewall? I don't have to mess with inbound routes on the Checkpoint firewall... just have to have that set up on the routers?

Can you give me a little summary of HSRP and, more importantly, is HSRP a substitute for the OSPF and GLBP solutions or IN ADDITION TO them?

What do you recommend for our setup? Keeping in mind that we know very little about BGP, but are willing to use what's best. We would like automated failover. Any recommendation would be helpful.

Thanks much.

Expert Comment

by:fileinster
ID: 21879312
OSPF is a dynamic routing protocol that can be configured on the firewall. Once enabled and you have a neighbour relationship, the routers exchange routes with the firewall. On the routers you will have to redistribute BGP into OSPF, using a route-map that only redistributes routes received from the ISP's AS. All that has to be done on the firewalls is to enable OSPF on the appropriate interface. This is the best solution.

GLBP and HSRP are not routing protocols, but instead are a way for two routers to share an IP address. With this method you would configure the firewall's default route to point to the virtual IP address. This is the easiest solution, but also the least flexible. They are slightly different, in that GLBP shares the load using a weighting algorithm, while HSRP uses a primary/secondary model. You can use tracking to lower the priority should either ISP connection be lost.

Author Comment

by:rdelrosario
ID: 21879956
So in essence, is OSPF deployment synonymous with BGP deployment? Back to my original physical implementation below:

'snip
Regarding the physical implementation:
Assuming I pick up another provider, say XO Communications, for our 2nd provider and they supply us with a BGP-capable router... Can I then just unplug the Cat5 connection from our primary router (Verizon) from the public interface on the firewall, introduce a shared hub, then plug both the Verizon and XO routers into the shared hub, then plug the public interface of the firewall into the shared hub so that all 3 devices can see each other... then let BGP do its thing?

Assuming we have it configured with a shared hub as described above, can you 'bang' out a config with examples for me? Specifically, if we own a class C from Verizon, say 208.213.134.*, and all traffic routes to our public interface on our firewall 208.213.134.1, and then we purchase another T1 from, say, XO with a handful of IPs (enough to cover all of our servers for inbound).

With your recommendation in this scenario, you mentioned OSPF enabled on the firewall. In a previous comment we identified that we can opt not to do anything on the firewall. Is the OSPF thingy just to handle how packets get to the appropriate T1 router on the outbound only? You also mentioned that we could do everything on the router end and not touch the firewall... What configuration would that be? Meaning, is this the same thing you are suggesting (albeit OSPF is still doing something on the firewall)?

Thanks so much

Expert Comment

by:fileinster
ID: 21880165
This is an extremely advanced and complex setup. I would advise that if you don't know what you're doing that you pay for some consultancy. They should be able to sit round a table with you and then go away and design the solution for you. I can give you all the advice in the world, but without getting into details and providing you with a full design I could be leading you up the garden path.

The more I think about this the more I think this is the way to approach this.

However, BGP is not synonymous with OSPF. They are both routing protocols, yes, but that's where the similarity ends. The point of putting OSPF on the SPLAT is for simplicity, as BGP is extremely complex.

If you're absolutely sure you would still like me to supply a sample I will, but I'll have to dedicate an hour or so to it tomorrow night (I'm on GMT+0100). I can't supply a sample config for the SPLAT, but I do know that enabling OSPF is fairly straightforward.

Author Comment

by:rdelrosario
ID: 21880293
I was thinking that we'd have to hire a consultant, but I'd still like to get a handle on everything I can. If you could spare a little time on an example based on my sample IP base and description above, I'll be sure to award you the 500 points. Thanks in advance. I appreciate your time.

Accepted Solution

by:fileinster (earned 500 total points)
ID: 21903566
Sorry for the delay... hectic weekend!!!!

OK, two scenarios. Scenario A uses OSPF, while Scenario B uses HSRP. This is a basic config that will get you up and running; obviously change the variables to suit your environment.

Here's the common config to both scenarios:

ROUTER1
-------
interface <ISP1>
 ip address 1.1.1.1 255.255.255.252
interface <inside>
 ip address 208.213.134.2 255.255.255.0
router bgp 65001
 neighbor 1.1.1.2 remote-as 65002
 neighbor 1.1.1.2 route-map TO-65002 out
 network 208.213.134.0 mask 255.255.255.0
! outbound filter: advertise only our own (locally originated) prefix to the ISP
route-map TO-65002 permit 10
 match route-type local

ROUTER2
-------
interface <ISP2>
 ip address 2.2.2.1 255.255.255.252
interface <inside>
 ip address 208.213.134.3 255.255.255.0
router bgp 65001
 neighbor 2.2.2.2 remote-as 65003
 neighbor 2.2.2.2 route-map TO-65003 out
 network 208.213.134.0 mask 255.255.255.0
route-map TO-65003 permit 10
 match route-type local

-----------------------------------------------
SCENARIO A - OSPF

ROUTER1
-------
router ospf 1
 network 208.213.134.0 0.0.0.255 area 0
 redistribute bgp 65001 subnets route-map FROM-65002
! only routes whose AS path begins with ISP1's AS are redistributed into OSPF
ip as-path access-list 1 permit ^65002_
route-map FROM-65002 permit 10
 match as-path 1

ROUTER2
-------
router ospf 1
 network 208.213.134.0 0.0.0.255 area 0
 redistribute bgp 65001 subnets route-map FROM-65003
ip as-path access-list 1 permit ^65003_
route-map FROM-65003 permit 10
 match as-path 1


Also, you must enable OSPF on the firewall's outside interface.



------------------------------------------------
SCENARIO B - HSRP

ROUTER1
-------
interface <inside>
 standby 1 ip 208.213.134.1
 standby 1 priority 105
 standby 1 preempt delay minimum 60

ROUTER2
-------
interface <inside>
 standby 1 ip 208.213.134.1
 standby 1 priority 95


Here you must set the router's default gateway to the HSRP address (208.213.134.1).


You can get a lot more complicated than this, but that should get you started!!!!

Expert Comment

by:fileinster
ID: 21903579
Oh, nearly forgot, you must also set a neighbor statement between router A & B:

ROUTERA
router bgp 65001
 neighbor 208.213.134.3 remote-as 65001

ROUTERB
router bgp 65001
 neighbor 208.213.134.2 remote-as 65001
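As an added illustration, not fileinster's config and not code from the thread, here is a small Python model of what the two route-maps in the accepted solution do once the iBGP session between the routers is in place: the outbound 'match route-type local' policy and the '^65002_' as-path filter are applied to a constructed BGP table (the 10.x prefixes and the function names are made up for the example).

```python
import re

# Constructed sample of ROUTER1's BGP table once it peers with ISP1 (AS 65002)
# and has the iBGP session to ROUTER2, which peers with ISP2 (AS 65003).
# 'origin' mirrors what IOS 'match route-type local' tests: whether the route
# was originated here by a 'network' statement rather than learned over BGP.
BGP_TABLE = [
    {"prefix": "208.213.134.0/24", "as_path": [],             "origin": "local"},
    {"prefix": "10.20.0.0/16",     "as_path": [65002, 65010], "origin": "ebgp"},
    {"prefix": "10.30.0.0/16",     "as_path": [65003, 65020], "origin": "ibgp"},
    {"prefix": "10.40.0.0/16",     "as_path": [650020],       "origin": "ebgp"},
]

def ios_as_path_regex(pattern):
    """Translate an IOS as-path regex into a Python regex.
    In IOS '_' matches an AS boundary (start, end or space), so '^65002_'
    matches '65002' and '65002 65010' but not '650020'."""
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))

def as_path_str(as_path):
    return " ".join(str(asn) for asn in as_path)

def routes_advertised_to_isp(table):
    """Outbound policy TO-65002 / TO-65003 ('match route-type local').
    Only locally originated prefixes pass; the route-map's implicit deny drops
    the rest, so ISP2's routes learned over iBGP are never handed to ISP1."""
    return [r["prefix"] for r in table if r["origin"] == "local"]

def transit_leak_without_policy(table):
    """What ISP1 would receive if the 'route-map ... out' line were missing:
    every non-local prefix, i.e. we would announce ourselves as transit."""
    return [r["prefix"] for r in table if r["origin"] != "local"]

def routes_redistributed_into_ospf(table, isp_asn):
    """Redistribution policy FROM-<isp> ('ip as-path access-list 1 permit ^<isp>_').
    Only routes that entered via that ISP's AS are pushed into OSPF towards the
    firewall, so each router only tells the firewall about its own ISP."""
    matcher = ios_as_path_regex(f"^{isp_asn}_")
    return [r["prefix"] for r in table if matcher.search(as_path_str(r["as_path"]))]

if __name__ == "__main__":
    print("to ISP1:", routes_advertised_to_isp(BGP_TABLE))
    print("leak if unfiltered:", transit_leak_without_policy(BGP_TABLE))
    print("into OSPF from 65002:", routes_redistributed_into_ospf(BGP_TABLE, 65002))
```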