diff --git a/bcp38.ipset.j2 b/bcp38.ipset.j2
index 3146fd8..d560346 100644
--- a/bcp38.ipset.j2
+++ b/bcp38.ipset.j2
@@ -25,3 +25,21 @@ add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
 {% endif %}{% endfor %}
 swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
 destroy tmp-bcp38-else-oface-v6
+
+{% if salt["pillar.get"]("control-plane-protection:bgp:IPv4",None) != None %}
+create tmp-control-plane-bgp-v4 hash:net family inet hashsize 1024 maxelem 65536
+{% for subnet in salt["pillar.get"]("control-plane-protection:bgp:IPv4",[]) %}
+add tmp-control-plane-bgp-v4 {{ subnet }}
+{% endfor %}
+swap tmp-control-plane-bgp-v4 control-plane-bgp-v4
+destroy tmp-control-plane-bgp-v4
+{% endif %}
+
+{% if salt["pillar.get"]("control-plane-protection:bgp:IPv6",None) != None %}
+create tmp-control-plane-bgp-v6 hash:net family inet6 hashsize 1024 maxelem 65536
+{% for subnet in salt["pillar.get"]("control-plane-protection:bgp:IPv6",[]) %}
+add tmp-control-plane-bgp-v6 {{ subnet }}
+{% endfor %}
+swap tmp-control-plane-bgp-v6 control-plane-bgp-v6
+destroy tmp-control-plane-bgp-v6
+{% endif %}
diff --git a/bcp38.iptables.v4 b/bcp38.iptables.v4
index 9045858..07ea7e8 100644
--- a/bcp38.iptables.v4
+++ b/bcp38.iptables.v4
@@ -1,5 +1,9 @@
 *filter
 :INPUT ACCEPT [0:0]
+{% if salt["pillar.get"]("control-plane-protection:bgp:IPv4",None) != None %}
+-A INPUT -p tcp --dport 179 -m set --match-set control-plane-bgp-v4 src -j ACCEPT
+-A INPUT -p tcp --dport 179 -m tcp -j REJECT --reject-with tcp-reset
+{% endif %}
 :FORWARD ACCEPT [0:0]
 -A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
 -A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP
diff --git a/bcp38.iptables.v6 b/bcp38.iptables.v6
index 8db76d9..861254d 100644
--- a/bcp38.iptables.v6
+++ b/bcp38.iptables.v6
@@ -1,5 +1,9 @@
 *filter
 :INPUT ACCEPT [0:0]
+{% if salt["pillar.get"]("control-plane-protection:bgp:IPv6",None) != None %}
+-A INPUT -p tcp --dport 179 -m set --match-set control-plane-bgp-v6 src -j ACCEPT
+-A INPUT -p tcp --dport 179 -m tcp -j REJECT --reject-with tcp-reset
+{% endif %}
 :FORWARD ACCEPT [0:0]
 -A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
 -A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
diff --git a/postconfig.sh b/postconfig.sh
index 1eb9ba1..04a6eb0 100644
--- a/postconfig.sh
+++ b/postconfig.sh
@@ -8,6 +8,12 @@ ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxele
 ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
 ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
 ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+
+ipset destroy tmp-control-plane-bgp-v4 2> /dev/null || /bin/true
+ipset destroy tmp-control-plane-bgp-v6 2> /dev/null || /bin/true
+ipset create control-plane-bgp-v4 hash:net family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create control-plane-bgp-v6 hash:net family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+
 ipset restore < /config/hphr.ipset
 
 iptables-restore /config/hphr.rules.v4