SLX 9140 bgp port 179 open despite rACL

Bostjan
New Contributor
Hi
SLX 9140 NOS v17s.1.02, active BGP sessions with 2 peers, everything works fine, except port 179 is open on all IP addresses configured on any Layer 3 interface including loopback. Despite a general rACL that specifically allows connections to port 179 only from the two BGP peers/neighbours.
Is the BGP 179 port not covered by the rACL? Because all other CPU traffic, ssh, telnet, snmp etc. is being handled by that rACL without a problem.
I've run a scan with nmap and the only visible and open port is the 179 bgp.
Will be grateful for any help
1 ACCEPTED SOLUTION

joergkost
Contributor II
Happy to help! You need to install an access list for IP and IP6 traffic directed to the CPU and only allow your member links or BGP peering network to have access, e.g.

code:
ip access-list extended PROTECT_RE
seq 10 permit tcp host $JUMP_HOST any eq 22
seq 70 permit udp host $SNMP_HOST any eq snmp
seq 80 permit tcp $BGP_NETWORK 0.0.0.255 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq snmp
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any



Same for IPv6, but here the access list is called with an ipv6 prefix:
code:
ipv6 access-list extended PROTECT_RE6
seq 10 permit tcp host $JUMP_HOST any eq 22
seq 70 permit udp host $SNMP_HOST any eq snmp
seq 80 permit tcp $BGP_NETWORK::/64 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq snmp
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any



Please change the variable names to reflect your configuration.

Jörg
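To see why this ordering closes port 179 for everyone but the peering network, here is a small first-match evaluator for the IPv4 list above. It is an added example, not Jörg's configuration or any SLX-OS tool: the $VARIABLES are replaced with hypothetical documentation addresses, only the `host`/wildcard/`any` source forms and `eq` ports used on this page are parsed, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed stand-in for the posted IPv4 rACL; the $VARIABLES are filled with
# hypothetical documentation addresses (not the poster's real values).
RACL = """
seq 10 permit tcp host 10.0.0.5 any eq 22
seq 70 permit udp host 10.0.0.6 any eq snmp
seq 80 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
seq 100 hard-drop tcp any any eq 22
seq 101 hard-drop udp any any eq snmp
seq 102 hard-drop tcp any any eq bgp
seq 250 permit ip any any
"""
PORTS = {"bgp": 179, "snmp": 161, "ssh": 22}

def parse_src(tokens):
    """Consume 'host A', 'A WILDCARD' or 'any'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard mask: 0 bits must match, 1 bits are don't-care (contiguous mask assumed).
    wildcard = int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False)
    return net, tokens[2:]

def parse_racl(text):
    """Turn 'seq N action proto src dst [eq port]' lines into rules ordered by seq."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = parse_src(t[4:])          # destination is 'any' in every rule here
        name = rest[rest.index("eq") + 1] if "eq" in rest else None
        port = None if name is None else PORTS.get(name) or int(name)
        rules.append((int(t[1]), t[2], t[3], src, port))
    return sorted(rules)

def evaluate(rules, proto, src, dport):
    """First matching entry wins (lowest seq), as on the box; returns (seq, action)."""
    for seq, action, rproto, net, port in rules:
        if (rproto in ("ip", proto) and ipaddress.ip_address(src) in net
                and (port is None or port == dport)):
            return seq, action
    return None, "implicit-deny"

if __name__ == "__main__":
    rules = parse_racl(RACL)
    print(evaluate(rules, "tcp", "192.0.2.10", 179))    # (80, 'permit')     peering network
    print(evaluate(rules, "tcp", "198.51.100.7", 179))  # (102, 'hard-drop') anyone else
```

Swapping seq 101 back to `tcp` (as it can easily be mistyped, since SNMP runs over UDP) makes UDP 161 from an unknown source fall through to seq 250 and be permitted, which the evaluator shows directly.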
