BGP starts to listen on random TCP high ports after BMP configuration is added. In the output below, the two sockets marked with "<<<<<<<" (IPv6 port 22779 and IPv4 port 20541) are both owned by PID 26696, which is the bgp process, and LPTS has bindings for them that accept any remote address.

RP/0/RSP0/CPU0:asr9904#show bgp bmp summary
ID Host Port State Time NBRs
1 [ip] 5000 ESTAB 01:16:09 0

RP/0/RSP0/CPU0:asr9904#show tcp b | inc LISTEN
0x00007f1c800256a0 0x60000000 0 0 :::179 :::0 LISTEN
0x00007f1c2c028490 0x00000000 0 0 :::179 :::0 LISTEN
0x00007f1c2c0281b0 0x60000000 0 0 :::22779 :::0 LISTEN <<<<<<<
0x00007f1c80025a00 0x60000000 0 0 0.0.0.0:20541 0.0.0.0:0 LISTEN <<<<<<<
0x00007f1c400293f0 0x60000000 0 0 0.0.0.0:179 0.0.0.0:0 LISTEN
0x00007f1c30001820 0x00000000 0 0 0.0.0.0:179 0.0.0.0:0 LISTEN

RP/0/RSP0/CPU0:asr9904#sho tcp deta pcb 0x00007f1c80025a00 | inc "Local App PID"
Local host: 0.0.0.0, Local port: 20541 (Local App PID: 26696)
(Local App PID/instance/SPL_APP_ID: 26696/2/0)

RP/0/RSP0/CPU0:asr9904#sho processes 26696 | inc "PID|Process name"
PID: 26696
Process name: bgp

RP/0/RSP0/CPU0:asr9904#sho tcp deta pcb 0x00007f1c2c0281b0 | inc "Local App PID"
Local host: ::, Local port: 22779 (Local App PID: 26696)
(Local App PID/instance/SPL_APP_ID: 26696/2/0)

RP/0/RSP0/CPU0:asr9904#sho processes 26696 | inc "PID|Process name"
PID: 26696
Process name: bgp

RP/0/RSP0/CPU0:asr9904#show lpts bindings | u egrep 20541 -B 10 -A 4
---------------------------------------------
Location    : 0/RSP0/CPU0
Client ID   : TCP
Cookie      : 0x80025a00
Clnt Flags  :
Layer 3     : IPV4
Layer 4     : TCP 6
VRF-ID      : default (0x60000000)
Local Addr  : any
Remote Addr : any
Local Port  : 20541
Remote Port : any
Filters     : Type / Intf / Pkt Type / Source Addr / Location
              xOPx / none
---------------------------------------------

RP/0/RSP0/CPU0:asr9904#show lpts bindings | u egrep 22779 -B 10 -A 4
---------------------------------------------
Location    : 0/RSP0/CPU0
Client ID   : TCP
Cookie      : 0x2c0281b0
Clnt Flags  :
Layer 3     : IPV6
Layer 4     : TCP 6
BMP is configured.

Q: How to check if BMP is configured?
A: Use the command "show run bmp" to check whether BMP is configured, as illustrated below.

RP/0/0/CPU0:PE1#show run bmp
bmp server all
 route-monitoring inbound post-policy
 !
 route-monitoring local-rib
 !
!
bmp server 1
 host 12.1.2.1 port 16001
!
bmp server 2
 host 12.2.2.1 port 16002
!
As a workaround, apply ACLs that block inbound connections to these ports. Most deployments already restrict inbound management access (telnet, SSH, etc.) to a set of trusted source IPs, and the same approach can be extended to the extra BGP listeners. If blanket filtering is not possible, note that once the BMP-related port numbers have been assigned they do not change until BGP is restarted, so the specific ports observed in "show tcp brief" can be used as the filter targets.
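The symptom section above walks through a manual procedure: list LISTEN sockets, resolve each unexpected PCB to its owning PID, confirm the process is bgp, and then (per the workaround) filter the resulting ports. The following script, added here as an example and not part of the Cisco bug text, automates that check over constructed sample output copied from the symptom section. It assumes the column layout of "show tcp brief" shown on this page, treats TCP/179 as the only port bgp is expected to listen on, and renders IOS XR "ipv4 access-list" / "ipv6 access-list" entries for the flagged ports; the list name and sequence numbers are placeholders, and applying the ACL to interfaces is outside the example.

```python
import re

# Constructed sample input: the "show tcp b | inc LISTEN" output from the symptom section.
SHOW_TCP_BRIEF = """\
0x00007f1c800256a0 0x60000000 0 0 :::179 :::0 LISTEN
0x00007f1c2c028490 0x00000000 0 0 :::179 :::0 LISTEN
0x00007f1c2c0281b0 0x60000000 0 0 :::22779 :::0 LISTEN
0x00007f1c80025a00 0x60000000 0 0 0.0.0.0:20541 0.0.0.0:0 LISTEN
0x00007f1c400293f0 0x60000000 0 0 0.0.0.0:179 0.0.0.0:0 LISTEN
0x00007f1c30001820 0x00000000 0 0 0.0.0.0:179 0.0.0.0:0 LISTEN
"""

# Constructed: the "show tcp detail pcb <pcb> | inc 'Local App PID'" lines per PCB
# and the "show processes <pid>" name per PID, as shown on the page.
PCB_DETAIL = {
    "0x00007f1c2c0281b0": "Local host: ::, Local port: 22779 (Local App PID: 26696)",
    "0x00007f1c80025a00": "Local host: 0.0.0.0, Local port: 20541 (Local App PID: 26696)",
}
PROCESS_NAME = {26696: "bgp"}

# Assumption: the only port the bgp process should be listening on is BGP itself (TCP/179).
EXPECTED_BGP_PORTS = {179}

# Columns: PCB, VRF-ID, Recv-Q, Send-Q, Local Address:Port, Foreign Address:Port, State.
LISTEN_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$"
)
PID_RE = re.compile(r"Local App PID:\s*(\d+)")


def parse_listeners(tcp_brief):
    """Return (pcb, vrf_id, local_addr, local_port) for every LISTEN socket."""
    found = []
    for line in tcp_brief.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return found


def owner_pid(pcb, pcb_detail):
    """Resolve a PCB to its owning PID from the 'show tcp detail pcb' line, or None."""
    m = PID_RE.search(pcb_detail.get(pcb, ""))
    return int(m.group(1)) if m else None


def unexpected_bgp_listeners(tcp_brief, pcb_detail, process_name,
                             expected=EXPECTED_BGP_PORTS):
    """LISTEN sockets owned by the bgp process on ports outside the expected set."""
    flagged = []
    for pcb, vrf, addr, port in parse_listeners(tcp_brief):
        if port in expected:
            continue
        pid = owner_pid(pcb, pcb_detail)
        if pid is not None and process_name.get(pid) == "bgp":
            flagged.append({"pcb": pcb, "vrf": vrf, "addr": addr, "port": port, "pid": pid})
    return flagged


def acl_lines(flagged, name="BLOCK-BGP-HIGH-PORTS"):
    """Render IOS XR access-list entries denying each flagged port, one list per family.

    Hypothetical list name; sequence numbers start at 10 and a permit-any closes each list
    so that existing traffic is otherwise unaffected.
    """
    v4 = [f for f in flagged if ":" not in f["addr"]]
    v6 = [f for f in flagged if ":" in f["addr"]]
    lines = []
    for family, entries in (("ipv4", v4), ("ipv6", v6)):
        if not entries:
            continue
        lines.append(f"{family} access-list {name}")
        seq = 10
        for f in entries:
            lines.append(f" {seq} deny tcp any any eq {f['port']}")
            seq += 10
        lines.append(f" {seq} permit {family} any any")
    return lines


if __name__ == "__main__":
    hits = unexpected_bgp_listeners(SHOW_TCP_BRIEF, PCB_DETAIL, PROCESS_NAME)
    for h in hits:
        print(f"bgp (pid {h['pid']}) listening on {h['addr']}:{h['port']} pcb {h['pcb']}")
    print("\n".join(acl_lines(hits)))
```

On a live box the three inputs would come from "show tcp brief", "show tcp detail pcb <pcb>" and "show processes <pid>"; anything that is not bgp, or that bgp is expected to listen on, is left alone, so the check reports only the listeners this bug introduces.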
None. *PSIRT Evaluation:* The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html