



BGP advertisement on all IP addresses

#1

Hi, when enabling BGP on a single external IP address, the router listens on port 179 on all the locally configured external IP addresses on the external interface to the internet world. Should this only listen on the configured neighbor IPs? Is this going to be fixed in future versions?
Reply

#2

It's common practice to use an internal loopback interface for BGP neighboring, instead of using the interface where your BGP is reachable.
Your suggestion will break that behavior.

If you want to protect your BGP process (which is a good thing to begin with), apply firewall rules
Reply

#3

(27/05/2017, 10:05)16again Wrote: It's common practice to use an internal loopback interface for BGP neighboring, instead of using the interface where your BGP is reachable.
Your suggestion will break that behavior.

If you want to protect your BGP process (which is a good thing to begin with), apply firewall rules

A common behavior in Cisco or Juniper products is that they listen for and accept port 179 from configured neighbours only. I don't understand how that can break the connection, as those are the neighbours the router is supposed to talk to on BGP. I will have to explore the firewall rules to restrict this, but the firewalling in VyOS is a bit of a mess.
Reply

#4
(This post was last modified: 12/07/2017, 16:46 by Mystray.)

(02/07/2017, 05:02)dman Wrote: Juniper products are they will listen and accept port 179 on configured neighbours only.

No, when you enable BGP on a Juniper router (at least for 14.1 software), the BGP process binds on all interfaces/IPs:
Code:
root@qfx:RE:0% netstat -a -n | grep 179 | grep LISTEN
tcp46      0      0  *.179                                         *.*                                           LISTEN
tcp4       0      0  *.179                                         *.*                                           LISTEN
When a connection is established from an unconfigured peer, the BGP session goes down immediately after sending a notify:
Code:
Jul 12 17:10:18.315883 BGP SEND Notification code 6 (Cease) subcode 5 (Connection Rejected)
Jul 12 17:10:18.315909 bgp_listen_accept:4781: NOTIFICATION sent to 10.10.10.12+58710 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: 10.10.10.12+58710
BUT Juniper ACCEPTS a connection to ANY local address if the connection comes from a valid peer.

VyOS/quagga listens on all interfaces but immediately closes connections from invalid peers (without a notify).

Juniper gives you some magic with dynamic prefix-lists with apply-path and a lo0-attached filter; it discards any unwanted connections without typing firewall rules/addresses for peers. You can use a "local" filter on all interfaces in VyOS if you really need such filtering.
Reply
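As an added example (not from any poster in this thread), here is the kind of "local" firewall policy the replies above refer to, written in VyOS 1.1-style command syntax: TCP/179 is accepted only from addresses in a peer group and dropped from anyone else, while all other traffic to the router is left alone. The interface name eth0 and the peer addresses 192.0.2.1 and 198.51.100.1 are placeholders.

```vyos
# Added example, not from the thread: VyOS 1.1-style firewall for the
# router's own ("local") BGP listener. eth0, 192.0.2.1 and 198.51.100.1
# are placeholders; substitute the external interface and real peers.

# Group the configured BGP neighbours so the rule set does not need
# editing each time a peer is added or removed.
set firewall group address-group BGP-PEERS address 192.0.2.1
set firewall group address-group BGP-PEERS address 198.51.100.1

# Policy for traffic destined to the router itself.
set firewall name BGP-LOCAL default-action accept
set firewall name BGP-LOCAL description 'Restrict TCP/179 to configured BGP peers'

# Rule 10: accept BGP from known peers only.
set firewall name BGP-LOCAL rule 10 action accept
set firewall name BGP-LOCAL rule 10 protocol tcp
set firewall name BGP-LOCAL rule 10 destination port 179
set firewall name BGP-LOCAL rule 10 source group address-group BGP-PEERS

# Rule 20: drop BGP from everyone else. The daemon still binds on all
# addresses, as shown above, but unwanted SYNs never reach it.
set firewall name BGP-LOCAL rule 20 action drop
set firewall name BGP-LOCAL rule 20 protocol tcp
set firewall name BGP-LOCAL rule 20 destination port 179

# Attach to the "local" hook of the external interface; repeat for every
# interface on which the router carries a public address.
set interfaces ethernet eth0 firewall local name BGP-LOCAL

commit
save
```

After this, netstat will still show *.179 in LISTEN state, because the filtering happens in the firewall before the connection ever reaches the BGP process.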
