Does eBGP need icmp

Answered Question
Sep 2nd, 2010

I am locking down my router and installed 2 access-lists on my interior and exterior interfaces. I'm using iBGP to talk to my interior switches and eBGP to communicate with our service provider out. Once the access-list was configured on my exterior interface, the interface went down. This didn't happen on the interior interface. Access-list NET0912 was applied to the exterior interface and NET0911 was applied to the interior. Any help would be appreciated.


ip access-list extended NET0912
 10 permit icmp any any echo
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 deny icmp any any log

ip access-list extended NET0911
 10 permit icmp any any echo-reply
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 permit icmp any any parameter-problem
 50 deny icmp any any log

Correct Answer
Jon Marshall Thu, 09/02/2010 - 14:05




It doesn't need ICMP but you do need to allow it. Remember there is an explicit deny ip any any at the end of each access-list so if you just want to block ICMP then the last line of each acl should be a "permit ip any any".


And I'm not sure why the interior interface allows it as it shouldn't.


Jon

lamav Thu, 09/02/2010 - 15:13

It has nothing to do with icmp.

You need to allow the BGP session.

Allow TCP 179.


Victor
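Both answers point at the same mechanism: every IOS access list ends with an implicit deny of everything not matched above it, so NET0912 as posted also drops the provider's TCP/179 segments and the eBGP session cannot stay up. The configuration below is an added example, not Charles's or Jon's config. Variant A is the minimal fix Jon describes (filter only the listed ICMP types, permit the rest). Variant B is the tighter infrastructure-protection form lamav's answer leads to: it permits only the BGP session with the named neighbor plus the ICMP the router itself needs, drops and logs anything else aimed at the router's own address, and leaves transit traffic alone. The addresses 192.0.2.1 (provider neighbor) and 192.0.2.2 (our exterior interface), the interface GigabitEthernet0/0, the name NET0912-TIGHT, and the inbound direction of the ACL are all assumed placeholders.

```cisco
! Added example, not the thread's own config. Assumed placeholders:
!   192.0.2.1        = provider's eBGP neighbor
!   192.0.2.2        = our exterior interface address
!   GigabitEthernet0/0 = exterior interface
!
! Variant A: minimal fix. Only the listed ICMP types are filtered; the final
! "permit ip any any" overrides the implicit deny so BGP and everything else pass.
ip access-list extended NET0912
 10 permit icmp any any echo
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 deny icmp any any log
 50 permit ip any any
!
! Variant B (assumed name): protect the router itself, pass transit traffic.
ip access-list extended NET0912-TIGHT
 ! eBGP session: either side may open TCP/179, so both port orderings are
 ! needed, and only from the neighbor's address (never "any any eq bgp").
 10 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 20 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 ! ICMP the router should answer or learn from (ping, traceroute, PMTU)
 30 permit icmp any host 192.0.2.2 echo
 40 permit icmp any host 192.0.2.2 echo-reply
 50 permit icmp any host 192.0.2.2 time-exceeded
 60 permit icmp any host 192.0.2.2 unreachable
 ! Anything else addressed to the router itself is dropped and logged.
 70 deny ip any host 192.0.2.2 log
 ! Transit traffic for the networks behind the router is not filtered here.
 80 permit ip any any
!
interface GigabitEthernet0/0
 description exterior link to service provider (eBGP)
 ip access-group NET0912-TIGHT in
!
! Verification after applying the list:
!   show access-lists NET0912-TIGHT   (per-line hit counters: lines 10/20 should increment)
!   show ip bgp summary               (neighbor 192.0.2.1 should reach Established)
```

If the session still fails after applying variant B, the logged denies on line 70 show the source address and port of what was dropped; a neighbor configured with a different address than the one in lines 10 and 20 shows up there immediately. The `log` keyword on a deny line costs CPU under load, so keep it while troubleshooting and consider removing it once the counters confirm the list behaves.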
