https://community.extremenetworks.com/t5/data-center-slx/slx-9140-bgp-port-179-open-despite-racl/m-p/90882#M383 Happy to help! You need to install an access list for IP and IP6 traffic directed to the CPU and only allow your member links or BGP peering network to have access, e.g.<BR /> <BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">ip access-list extended PROTECT_RE<BR /> seq 10 permit tcp host $JUMP_HOST any eq 22<BR /> seq 70 permit udp host $SNMP_HOST any eq snmp<BR /> seq 80 permit tcp $BGP_NETWORK 0.0.0.255 any eq bgp<BR /> seq 100 hard-drop tcp any any eq 22<BR /> seq 101 hard-drop tcp any any eq 161<BR /> seq 102 hard-drop tcp any any eq bgp<BR /> seq 250 permit ip any any<BR />ip access-list extended PROTECT_RE<BR /><BR /></PRE></DIV><BR /> <BR /> Same for IPv6, but here the access list is called with ipv6-prefix:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">ipv6 access-list extended PROTECT_RE6<BR /> seq 10 permit tcp host $JUMP_HOST any eq 22<BR /> seq 70 permit udp host $SNMP_HOST any eq snmp<BR /> seq 80 permit tcp $BGP_NETWORK::/64 any eq bgp<BR /> seq 100 hard-drop tcp any any eq 22<BR /> seq 101 hard-drop tcp any any eq 161<BR /> seq 102 hard-drop tcp any any eq bgp<BR /> seq 250 permit ip any any<BR /> ipv6 access-list extended PROTECT_RE6<BR /><BR /></PRE></DIV><BR /> <BR /> Please change the variables name to reflect your configuration. <BR /> <BR /> Jörg Thu, 06 Dec 2018 20:18:20 GMT joergkost 2018-12-06T20:18:20Z https://community.extremenetworks.com/t5/data-center-slx/slx-9140-bgp-port-179-open-despite-racl/m-p/90881#M382 Hi<BR /> SLX 9140 NOS v17s.1.02, active BGP sessions with 2 peers, everything works fine, except port 179 is open on all IP addresses configured on any Layer 3 interface including loopback. Despite a general rACL that specifically allows only connections to port 179 only from the two BGP peers/neighbours.<BR /> Is the BGP 179 port not covered by the rACL ? Becouse all other CPU traffic, ssh, telnet, snmp etc is being handled by that rACL without a problem.<BR /> I've run a scan with nmap and the only visible and open port is the 179 bgp.<BR /> Will be gratefull for any help Mon, 05 Nov 2018 21:38:00 GMT https://community.extremenetworks.com/t5/data-center-slx/slx-9140-bgp-port-179-open-despite-racl/m-p/90881#M382 Bostjan 2018-11-05T21:38:00Z https://community.extremenetworks.com/t5/data-center-slx/slx-9140-bgp-port-179-open-despite-racl/m-p/90882#M383 Happy to help! You need to install an access list for IP and IP6 traffic directed to the CPU and only allow your member links or BGP peering network to have access, e.g.<BR /> <BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">ip access-list extended PROTECT_RE<BR /> seq 10 permit tcp host $JUMP_HOST any eq 22<BR /> seq 70 permit udp host $SNMP_HOST any eq snmp<BR /> seq 80 permit tcp $BGP_NETWORK 0.0.0.255 any eq bgp<BR /> seq 100 hard-drop tcp any any eq 22<BR /> seq 101 hard-drop tcp any any eq 161<BR /> seq 102 hard-drop tcp any any eq bgp<BR /> seq 250 permit ip any any<BR />ip access-list extended PROTECT_RE<BR /><BR /></PRE></DIV><BR /> <BR /> Same for IPv6, but here the access list is called with ipv6-prefix:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">ipv6 access-list extended PROTECT_RE6<BR /> seq 10 permit tcp host $JUMP_HOST any eq 22<BR /> seq 70 permit udp host $SNMP_HOST any eq snmp<BR /> seq 80 permit tcp $BGP_NETWORK::/64 any eq bgp<BR /> seq 100 hard-drop tcp any any eq 22<BR /> seq 101 hard-drop tcp any any eq 161<BR /> seq 102 hard-drop tcp any any eq bgp<BR /> seq 250 permit ip any any<BR /> ipv6 access-list extended PROTECT_RE6<BR /><BR /></PRE></DIV><BR /> <BR /> Please change the variables name to reflect your configuration. <BR /> <BR /> Jörg Thu, 06 Dec 2018 20:18:20 GMT https://community.extremenetworks.com/t5/data-center-slx/slx-9140-bgp-port-179-open-despite-racl/m-p/90882#M383 joergkost 2018-12-06T20:18:20Z