SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  restrict bgp neighbor ip in SRX

    Posted 12-08-2015 23:56

    SRX1----Router1--Internet

    SRX1:

    host-inbound-traffic {
        system-services {
            ping;
            traceroute;                     
        }
        protocols {
            bgp;
            bfd;
        }
    }

    This means any host can reach its TCP 179.

    How to restrict it to a specific neighbor without affecting traffic?



  • 2.  RE: restrict bgp neighbor ip in SRX

    Posted 12-08-2015 23:57
    Apply a firewall filter allowing only specific IP to connect on TCP 179.


  • 3.  RE: restrict bgp neighbor ip in SRX

    Posted 12-09-2015 00:00

    Apply to interface?

    Do I still need this host-inbound-traffic configured under the zone framework?



  • 4.  RE: restrict bgp neighbor ip in SRX

     
    Posted 12-09-2015 00:14
    Yes, you can apply it to the physical interface or to the loopback (it will protect all interfaces). You still need the host-inbound-traffic configured under the zone framework.


  • 5.  RE: restrict bgp neighbor ip in SRX

    Posted 12-09-2015 01:12

    Thanks,

    BTW:

    How to protect an IS-IS neighbor if it is a multihop IS-IS neighbor (am I correct?)



  • 6.  RE: restrict bgp neighbor ip in SRX

    Posted 12-09-2015 07:18

    user@router> show configuration firewall family inet filter v4-in-loopback
    term accept-bgp {
        from {
            source-prefix-list {
                bgp-peers;
            }
            protocol tcp;
            port bgp;
        }
        then accept;
    }
    
    user@router> show configuration policy-options prefix-list bgp-peers
    apply-path "protocols bgp group <*> neighbor <*>";

    This firewall filter will punch holes only for the configured BGP peers. So as you add new neighbors you simply add them to protocol>bgp>group and the FW filter will automatically be updated as well. Very handy and keeps things locked down tightly with minimum management overhead.


    It will provide an additional layer of security to your security stanza configurations. Just remember that the FW filter will be processed before the security stanza configuration. So if you're troubleshooting BGP session problems you might need to add a counter and/or log function to the FW filter term.


    NOTE: The FW filter shown will need additional terms or you'll break all other traffic trying to reach the RE. If you're managing all other access using the security stanza you can probably get away with an "allow all" FW filter term at the end.
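To make the behaviour of the loopback filter above concrete, here is an added example (not code from any poster in this thread, and not Junos itself) that models the relevant Junos filter semantics in Python: terms are evaluated in order, a term matches only when all of its `from` conditions match, `port` matches either the source or the destination port, and a packet that matches no term hits the implicit discard at the end of the filter. It also mimics how `apply-path "protocols bgp group <*> neighbor <*>"` expands configured neighbors into the `bgp-peers` prefix-list. The BGP groups, neighbor addresses and sample flows are constructed; the `accept-rest` term stands in for the catch-all term the NOTE mentions, and the `discard-other-bgp` term is an assumption added here to show why a plain catch-all is not enough on its own.

```python
"""Model of the Junos lo0 filter from the thread (added example, not Junos code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

BGP_PORT = 179  # what Junos `port bgp` resolves to

# Constructed stand-in for `protocols bgp group <*> neighbor <*>`
# (group names and addresses are assumptions, not from the thread).
BGP_CONFIG = {
    "upstream": ["192.0.2.1", "192.0.2.2"],
    "ibgp-core": ["10.255.0.3"],
}


def expand_apply_path(bgp_config: dict) -> list[IPv4Network]:
    """Mimic the apply-path: every configured neighbor becomes a /32 entry."""
    return sorted({ip_network(f"{nbr}/32") for nbrs in bgp_config.values() for nbr in nbrs})


def render_prefix_list(name: str, prefixes: list[IPv4Network]) -> str:
    """Render the expanded list roughly as `show configuration` would display it."""
    body = "\n".join(f"    {p};" for p in prefixes)
    return f"prefix-list {name} {{\n{body}\n}}"


@dataclass
class Term:
    name: str
    action: str                              # "accept" or "discard"
    source_prefixes: Optional[list] = None   # None = any source
    protocol: Optional[str] = None           # None = any protocol
    port: Optional[int] = None               # Junos `port`: source OR destination


@dataclass
class Packet:
    src: IPv4Address
    proto: str
    sport: int
    dport: int


def term_matches(term: Term, pkt: Packet) -> bool:
    """All configured `from` conditions must match for the term to fire."""
    if term.source_prefixes is not None and not any(pkt.src in p for p in term.source_prefixes):
        return False
    if term.protocol is not None and pkt.proto != term.protocol:
        return False
    if term.port is not None and term.port not in (pkt.sport, pkt.dport):
        return False
    return True


def evaluate(terms: list[Term], pkt: Packet) -> tuple[str, str]:
    """First matching term wins; no match means the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return "implicit-discard", "discard"


def build_filter(peers: list[IPv4Network], accept_rest: bool, block_other_bgp: bool) -> list[Term]:
    """accept-bgp is the term from the thread; the other two are assumed additions."""
    terms = [Term("accept-bgp", "accept", peers, "tcp", BGP_PORT)]
    if block_other_bgp:
        terms.append(Term("discard-other-bgp", "discard", None, "tcp", BGP_PORT))
    if accept_rest:
        terms.append(Term("accept-rest", "accept"))
    return terms


def demo() -> dict[str, dict[str, str]]:
    """Run constructed flows against three filter variants: {variant: {flow: action}}."""
    peers = expand_apply_path(BGP_CONFIG)
    flows = {
        "peer->bgp": Packet(ip_address("192.0.2.1"), "tcp", 51000, BGP_PORT),
        "stranger->bgp": Packet(ip_address("203.0.113.9"), "tcp", 51000, BGP_PORT),
        "admin->ssh": Packet(ip_address("10.0.0.5"), "tcp", 40000, 22),
    }
    variants = {
        "bgp-only": build_filter(peers, accept_rest=False, block_other_bgp=False),
        "bgp+accept-rest": build_filter(peers, accept_rest=True, block_other_bgp=False),
        "bgp+discard-other-bgp+accept-rest": build_filter(peers, accept_rest=True, block_other_bgp=True),
    }
    return {v: {f: evaluate(t, p)[1] for f, p in flows.items()} for v, t in variants.items()}


if __name__ == "__main__":
    print(render_prefix_list("bgp-peers", expand_apply_path(BGP_CONFIG)))
    for variant, results in demo().items():
        print(variant, results)
```

The `bgp-only` variant reproduces the NOTE: with just the `accept-bgp` term, the SSH flow to the RE falls through to the implicit discard. The `bgp+accept-rest` variant shows the other side of that trade-off: a bare catch-all also lets the non-peer TCP 179 connection reach the RE, leaving only host-inbound-traffic and the security stanza to stop it, which is why the model adds an explicit discard for other BGP traffic before the catch-all. None of this replaces the zone configuration from the earlier reply; the filter is processed first, and `bgp` still has to be allowed under host-inbound-traffic for sessions to come up.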



  • 7.  RE: restrict bgp neighbor ip in SRX

    Posted 12-09-2015 07:30

    Thanks, I am doing it now (there is a term 100 to accept traffic which does not match the previous term).

    I have one question about multihop ISIS:

    Do we need to protect it?

    I have forgotten whether ISIS supports multiple hops.

    Correct me if I am wrong.



  • 8.  RE: restrict bgp neighbor ip in SRX
    Best Answer

    Posted 12-09-2015 23:25

    Hi,

    IS-IS is a link-state (routing) protocol. IS-IS does not support multihop as BGP does.