topic BGP TCP protocol filter/ACL needed? in ExtremeSwitching (EXOS/Switch Engine) https://community.extremenetworks.com/t5/extremeswitching-exos-switch/bgp-tcp-protocol-filter-acl-needed/m-p/62211#M17864 <P>BGP is working fine. I have a VR that’s happily peering with peers. Running EXOS 16.2.5.4 on a BD8800</P> <P>The “problem” is, that this VR handles several connected VLANs, plays default gateway for those vlans/networks. Now someone on the corporate security team went to shodan.io, typed in one of the IPs of a vlan that’s on that VR (not the vlan that has BGP peers), and shodan tells them that, yes, TCP port 179 does listen and declined the connection.<BR /> While I’m OK with that, “Corporate” doesn’t like the fact that it answers to BGP at all.<BR /><BR /> Now, is there a way for me to disable BGP on a per-vlan basis (which I doubt)? I know I could craft some ACL that drops all TCP port 179 packets unless they come from a valid peer, IPv4 and IPv6, but I wonder how “expensive” that is in terms of CPU/throughput, or what to best apply such an ACL to.<BR /><BR /> Any insights would be much appreciated!<BR /> &nbsp;</P> <P>&nbsp;</P> Wed, 26 Feb 2020 18:41:07 GMT Frank 2020-02-26T18:41:07Z BGP TCP protocol filter/ACL needed? https://community.extremenetworks.com/t5/extremeswitching-exos-switch/bgp-tcp-protocol-filter-acl-needed/m-p/62211#M17864 <P>BGP is working fine. I have a VR that’s happily peering with peers. Running EXOS 16.2.5.4 on a BD8800</P> <P>The “problem” is, that this VR handles several connected VLANs, plays default gateway for those vlans/networks. Now someone on the corporate security team went to shodan.io, typed in one of the IPs of a vlan that’s on that VR (not the vlan that has BGP peers), and shodan tells them that, yes, TCP port 179 does listen and declined the connection.<BR /> While I’m OK with that, “Corporate” doesn’t like the fact that it answers to BGP at all.<BR /><BR /> Now, is there a way for me to disable BGP on a per-vlan basis (which I doubt)? I know I could craft some ACL that drops all TCP port 179 packets unless they come from a valid peer, IPv4 and IPv6, but I wonder how “expensive” that is in terms of CPU/throughput, or what to best apply such an ACL to.<BR /><BR /> Any insights would be much appreciated!<BR /> &nbsp;</P> <P>&nbsp;</P> Wed, 26 Feb 2020 18:41:07 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/bgp-tcp-protocol-filter-acl-needed/m-p/62211#M17864 Frank 2020-02-26T18:41:07Z