Showing results for 
Search instead for 
Did you mean: 

BGP TCP protocol filter/ACL needed?

BGP TCP protocol filter/ACL needed?


BGP is working fine. I have a VR that’s happily peering with peers. Running EXOS on a BD8800

The “problem” is, that this VR handles several connected VLANs, plays default gateway for those vlans/networks. Now someone on the corporate security team went to, typed in one of the IPs of a vlan that’s on that VR (not the vlan that has BGP peers), and shodan tells them that, yes, TCP port 179 does listen and declined the connection.
While I’m OK with that, “Corporate” doesn’t like the fact that it answers to BGP at all.

Now, is there a way for me to disable BGP on a per-vlan basis (which I doubt)? I know I could craft some ACL that drops all TCP port 179 packets unless they come from a valid peer, IPv4 and IPv6, but I wonder how “expensive” that is in terms of CPU/throughput, or what to best apply such an ACL to.

Any insights would be much appreciated!