Solved

SLX 9140 bgp port 179 open despite rACL


Hi
SLX 9140 NOS v17s.1.02, active BGP sessions with 2 peers, everything works fine, except port 179 is open on all IP addresses configured on any Layer 3 interface, including loopback. This is despite a general rACL that specifically allows connections to port 179 only from the two BGP peers/neighbours.
Is the BGP port 179 not covered by the rACL? Because all other CPU traffic (ssh, telnet, snmp etc.) is being handled by that rACL without a problem.
I've run a scan with nmap and the only visible and open port is 179 (bgp).
Will be grateful for any help

Best answer by joergkost 6 December 2018, 13:18

Happy to help! You need to install an access list for IP and IP6 traffic directed to the CPU and only allow your member links or BGP peering network to have access, e.g.

code:
ip access-list extended PROTECT_RE
seq 10 permit tcp host $JUMP_HOST any eq 22
seq 70 permit udp host $SNMP_HOST any eq snmp
seq 80 permit tcp $BGP_NETWORK 0.0.0.255 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq 161
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any



Same for IPv6, but here the access list is called with an ipv6 prefix:
code:
ipv6 access-list extended PROTECT_RE6
seq 10 permit tcp host $JUMP_HOST any eq 22
seq 70 permit udp host $SNMP_HOST any eq snmp
seq 80 permit tcp $BGP_NETWORK::/64 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq 161
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any



Please change the variable names to reflect your configuration.

Jörg
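
The reason the list above works where a peer-only "allow" list does not is ordering: an rACL that permits the two peers and then ends in `permit ip any any` never drops tcp/179 from anyone else, which is exactly the symptom in the question. The following is an added example, not code from the post or from Extreme Networks: a small first-match simulator for the subset of the SLX extended-ACL syntax used in the answer (`seq`, `permit`/`hard-drop`, `tcp`/`udp`/`ip`, a `host`/`any`/wildcard-mask source, an `any` destination, optional `eq PORT`). It assumes rules are evaluated first-match in sequence order, as router ACLs normally are. The list `RACL_LEAKY`, the documentation addresses standing in for `$JUMP_HOST`, `$SNMP_HOST` and `$BGP_NETWORK`, and the probe set are all constructed for the demonstration.

```python
"""First-match simulator for SLX-style receive ACLs (added example).

Models only the syntax used in the answer above and assumes first-match
evaluation in sequence order. Addresses and both lists are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bgp": 179, "snmp": 161, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                   # "permit" or "hard-drop"
    proto: str                    # "tcp", "udp" or "ip" (ip matches either)
    src: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_acl(text: str) -> list:
    """Parse the 'seq ...' lines of an extended ACL; header lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "seq":
            continue                      # e.g. 'ip access-list extended NAME'
        seq, action, proto, i = int(t[1]), t[2], t[3], 4
        if t[i] == "host":
            src, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        elif t[i] == "any":
            src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:                             # 'ADDR WILDCARD', contiguous mask assumed
            prefix = 32 - bin(int(ipaddress.ip_address(t[i + 1]))).count("1")
            src, i = ipaddress.ip_network(f"{t[i]}/{prefix}", strict=False), i + 2
        if t[i] != "any":
            raise ValueError("only an 'any' destination is modelled: " + line)
        i += 1
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(seq, action, proto, src, dport))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, proto: str, src: str, dport: int):
    """Return (seq, action) of the first rule matching a CPU-bound packet."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.proto in ("ip", proto) and addr in r.src and r.dport in (None, dport):
            return r.seq, r.action
    return None, "implicit-deny"          # assumed default; both lists end in a catch-all


def exposed_ports(rules, src: str, probes):
    """Like a port scan from SRC: the probes the rACL lets through to the CPU."""
    return sorted(p for p in probes if evaluate(rules, p[0], src, p[1])[1] == "permit")


# Constructed: a peer-only 'allow' list without explicit drops. The catch-all
# at seq 250 is what lets tcp/179 from anywhere reach the CPU.
LEAKY = """
ip access-list extended RACL_LEAKY
seq 10 permit tcp host 192.0.2.11 any eq 22
seq 80 permit tcp host 198.51.100.1 any eq bgp
seq 81 permit tcp host 198.51.100.2 any eq bgp
seq 250 permit ip any any
"""

# The answer's PROTECT_RE with its placeholders filled in (documentation
# addresses); the SNMP drop is written for udp, which is what seq 70 permits.
PROTECT_RE = """
ip access-list extended PROTECT_RE
seq 10 permit tcp host 192.0.2.11 any eq 22
seq 70 permit udp host 192.0.2.12 any eq snmp
seq 80 permit tcp 198.51.100.0 0.0.0.255 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq 161
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any
"""

PROBES = [("tcp", 22), ("tcp", 179), ("udp", 161), ("udp", 123)]
OUTSIDER, PEER, SNMP_HOST = "203.0.113.77", "198.51.100.2", "192.0.2.12"

if __name__ == "__main__":
    for name, acl in (("RACL_LEAKY", LEAKY), ("PROTECT_RE", PROTECT_RE)):
        rules = parse_acl(acl)
        print(name, "from outsider:", exposed_ports(rules, OUTSIDER, PROBES))
        print(name, "from BGP peer:", exposed_ports(rules, PEER, PROBES))
```

Two things the run makes visible. First, `PROTECT_RE` is a block-list of management ports with a catch-all permit, not a deny-by-default allow-list: anything not explicitly hard-dropped (udp/123 in the probe set) still reaches the CPU from the outsider, so re-scan from a non-peer address after applying it. Second, a drop rule only fires for the protocol it names; if seq 101 said `tcp` while seq 70 permits `udp`, udp/161 from any source would fall through to seq 250. Binding the list to the CPU path is a separate check: on SLX-OS the receive ACL is applied with `ip receive access-group` and `ipv6 receive access-group` as I recall it from the SLX-OS security guide, which is an assumption here and not something the post states, so confirm it against your release's documentation and then verify with `show` output and a scan.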
