Does eBGP need icmp

charles.e.davis
Level 1

I am locking down my router and installed 2 access-lists on my interior and exterior interfaces. I'm using iBGP to talk to my interior switches and eBGP to communicate with our service provider out. Once the access-list was configured on my exterior interface, the interface went down. This didn't happen on the interior interface. Access-list NET0912 was applied to the exterior interface and NET0911 was applied to the interior. Any help would be appreciated.

ip access-list extended NET0912
 10 permit icmp any any echo
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 deny icmp any any log

ip access-list extended NET0911
 10 permit icmp any any echo-reply
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 permit icmp any any parameter-problem
 50 deny icmp any any log

Accepted Solution

Jon Marshall
Hall of Fame


Charles

It doesn't need ICMP but you do need to allow it. Remember there is an explicit deny ip any any at the end of each access-list, so if you just want to block ICMP then the last line of each ACL should be a "permit ip any any".

And I'm not sure why the interior interface allows it as it shouldn't.

Jon

2 Replies


It has nothing to do with ICMP.

You need to allow the BGP session.

Allow TCP 179.

Victor
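To make both answers concrete (Jon's point that every IOS ACL ends in an implicit deny, and Victor's point that the eBGP session itself, TCP port 179, must be permitted), here is an added example that is not from the thread or from Cisco: a toy first-match evaluator for IOS extended ACL syntax. It feeds the poster's original NET0912 and a hardened rewrite with constructed sample packets, and shows that the original drops the BGP TCP session while still passing pings. The peer and local addresses (203.0.113.1 / 203.0.113.2) and the sample traffic are constructed placeholders; only the `any` and `host` address forms and `eq <port>` qualifiers are parsed, which is enough for the ACLs in this thread.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bgp": 179}  # IOS accepts the keyword 'bgp' for TCP 179


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo", "time-exceeded", ...


def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        want = tok[1]
        return (lambda ip: ip == want), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")


def _port(tok):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse IOS extended ACL lines into (action, proto, src_ok, dst_ok, sport, dport, icmp_type)."""
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ip":  # skip the 'ip access-list extended NAME' header
            continue
        if tok[0].isdigit():           # drop the sequence number
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src_ok, tok = _addr(tok[2:])
        sport, tok = _port(tok)
        dst_ok, tok = _addr(tok)
        dport, tok = _port(tok)
        icmp_type = tok[0] if proto == "icmp" and tok and tok[0] != "log" else None
        rules.append((action, proto, src_ok, dst_ok, sport, dport, icmp_type))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; no match hits the implicit 'deny ip any any'."""
    for action, proto, src_ok, dst_ok, sport, dport, icmp_type in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        return action
    return "deny"


# The poster's NET0912 as applied to the exterior interface: nothing permits TCP 179.
ORIGINAL_NET0912 = """
ip access-list extended NET0912
 10 permit icmp any any echo
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 deny icmp any any log
"""
PEER, LOCAL = "203.0.113.1", "203.0.113.2"  # constructed placeholder addresses

# Hardened version: permit the eBGP session to/from the provider's peer address only
# (either side may open the TCP session), keep the ICMP policy, log the final deny.
FIXED_NET0912 = f"""
ip access-list extended NET0912
 10 permit tcp host {PEER} host {LOCAL} eq bgp
 20 permit tcp host {PEER} eq bgp host {LOCAL}
 30 permit icmp any any echo
 40 permit icmp any any source-quench
 50 permit icmp any any time-exceeded
 60 deny icmp any any log
 70 deny ip any any log
"""

# Constructed sample traffic arriving inbound on the exterior interface.
BGP_OPEN = Packet("tcp", PEER, LOCAL, sport=40000, dport=179)   # peer opens the session
BGP_REPLY = Packet("tcp", PEER, LOCAL, sport=179, dport=51000)  # peer answers a session we opened
PING = Packet("icmp", PEER, LOCAL, icmp_type="echo")
REDIRECT = Packet("icmp", PEER, LOCAL, icmp_type="redirect")
SSH_PROBE = Packet("tcp", "198.51.100.9", LOCAL, sport=4444, dport=22)


def verdict(acl_text, pkt):
    return evaluate(parse_acl(acl_text), pkt)
```

Running `verdict(ORIGINAL_NET0912, BGP_OPEN)` returns "deny" while `verdict(ORIGINAL_NET0912, PING)` returns "permit", which is exactly the symptom in the thread: pings still work but the BGP session never comes up, so the interface appears dead. The hardened list permits the session only from the configured peer address, and the trailing `deny ip any any log` makes the otherwise silent implicit deny visible in the logs, which is how this kind of lockout gets diagnosed quickly.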
