05-16-2020 04:59 AM
I'm just implementing ZBF on a router and trying to secure the SELF zone.
Our router peers to the ISP's PE router on a /30.
Should we just allow the PE router, e.g. host 1.2.3.4 eq bgp, or allow the BGP subnet 1.2.3.0/24 eq bgp?
05-16-2020 05:10 AM
Hello
I would say be as specific as possible if you can.
05-16-2020 05:18 AM
If you want to run ZBF for BGP, think of the router as being behind the ZBF. (I would suggest allowing only the required IP rather than the /24, for security reasons.)
Here is a good example:
https://www.802101.com/ccie-security-zone-based-firewalls/
05-16-2020 06:24 AM
Hello @louis0001 ,
just to add a side note about ACLs and BGP: the well-known BGP port TCP 179 is used on one side only, so I would permit traffic from the PE router host address with destination port BGP AND traffic from the PE host address with source port BGP, using two statements.
Hope to help
Giuseppe
05-16-2020 11:55 PM
Thank you. I was thinking of two statements because I'm still not sure if inspect works on the self zone, so I was going to use the pass statement.
Thanks for the help.
05-18-2020 02:42 PM
Sure, two statements are good to go if you are not sure whether inspect works or not. Make the necessary changes and see if the BGP comes up or not (personally I would go with inspect).
If there is no BGP peer, add the inspect commands.
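As an added illustration (not posted by anyone in the thread), here is a minimal IOS ZBF configuration that applies Giuseppe's two-statement ACL to the self zone with the pass action the original poster planned to use. The PE address 1.2.3.4 comes from the question; the local CE address 1.2.3.5, the interface GigabitEthernet0/0 and all object names are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed placeholders: PE = 1.2.3.4 (from the
! question), local CE address = 1.2.3.5, WAN interface = GigabitEthernet0/0.

! Inbound: PE -> us. Line 1 covers a session the PE opened (port 179 on our side),
! line 2 covers a session we opened (port 179 on the PE side is the source).
ip access-list extended ACL-BGP-OUT-TO-SELF
 permit tcp host 1.2.3.4 host 1.2.3.5 eq bgp
 permit tcp host 1.2.3.4 eq bgp host 1.2.3.5

! Outbound: us -> PE, the mirror image of the above.
ip access-list extended ACL-BGP-SELF-TO-OUT
 permit tcp host 1.2.3.5 host 1.2.3.4 eq bgp
 permit tcp host 1.2.3.5 eq bgp host 1.2.3.4

class-map type inspect match-all CM-BGP-OUT-TO-SELF
 match access-group name ACL-BGP-OUT-TO-SELF
class-map type inspect match-all CM-BGP-SELF-TO-OUT
 match access-group name ACL-BGP-SELF-TO-OUT

! "pass" is stateless, so each direction needs its own explicit permit; with
! "inspect" on the OUTSIDE->self pair, the session table would allow the return
! direction instead. Anything else aimed at the router itself is dropped and logged.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-BGP-OUT-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-BGP-SELF-TO-OUT
  pass
 class class-default
  drop log

zone security OUTSIDE
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT

interface GigabitEthernet0/0
 zone-member security OUTSIDE
```

Once a zone-pair involving self exists, unmatched traffic in that direction falls to class-default, so any other router-originated or management traffic on that interface (NTP, syslog, SSH, ICMP) needs its own class before this goes into production.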