Cisco Support Community
Does eBGP need icmp

I am locking down my router and installed 2 access-lists on my interior and exterior interfaces. I'm using iBGP to talk to my interior switches and eBGP to communicate with our service provider out. Once the access-list was configured on my exterior interface, the interface went down. This didn't happen on the interior interface. Access-list NET0912 was applied to the exterior interface and NET0911 was applied to the interior. Any help would be appreciated.

ip access-list extended NET0912
 10 permit icmp any any echo
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 deny icmp any any log

ip access-list extended NET0911
 10 permit icmp any any echo-reply
 20 permit icmp any any source-quench
 30 permit icmp any any time-exceeded
 40 permit icmp any any parameter-problem
 50 deny icmp any any log

Accepted Solutions
Re: Does eBGP need icmp

Charles

It doesn't need ICMP but you do need to allow it. Remember there is an explicit deny ip any any at the end of each access-list, so if you just want to block ICMP then the last line of each ACL should be a "permit ip any any".

And I'm not sure why the interior interface allows it as it shouldn't.

Jon

Re: Does eBGP need icmp

It has nothing to do with icmp.

You need to allow the BGP session.

Allow TCP 179.

Victor
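
Added example, not part of the thread and not Cisco code: a small Python model of first-match ACL evaluation run over NET0912 as posted, showing that BGP's TCP 179 traffic matches none of the ICMP entries and hits the final deny, and that it passes once TCP 179 is permitted. It assumes the ACL is applied inbound on the exterior interface; the addresses 192.0.2.1 and 192.0.2.2 and entries 50 and 60 are constructed, and entry 60 goes slightly beyond the thread by covering replies to a session the local router opened (source port 179).

```python
# Added example: first-match evaluation of a small subset of IOS extended-ACL syntax.
# 192.0.2.1 (provider peer) and 192.0.2.2 (local router) are constructed addresses.
def parse(line):
    tok = [t for t in line.split() if t != "log"]
    if tok[0].isdigit():
        tok = tok[1:]                      # drop the sequence number
    action, proto, rest = tok[0], tok[1], tok[2:]

    def addr_port(r):
        addr = r.pop(0)
        if addr == "host":
            addr = r.pop(0)
        port = None
        if r and r[0] == "eq":
            name = r[1]
            del r[:2]
            port = 179 if name == "bgp" else int(name)
        return addr, port

    src, sport = addr_port(rest)
    dst, dport = addr_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp": rest[0] if rest else None}

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if any(rule[k] not in ("any", pkt[k]) for k in ("src", "dst")):
        return False
    if any(rule[k] is not None and rule[k] != pkt.get(k) for k in ("sport", "dport")):
        return False
    return rule["icmp"] is None or rule["icmp"] == pkt.get("icmp")

def evaluate(acl, pkt):
    for line in acl:                       # first matching entry wins
        rule = parse(line)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"                          # nothing matched: the deny at the end of the ACL applies

NET0912 = ["10 permit icmp any any echo", "20 permit icmp any any source-quench",
           "30 permit icmp any any time-exceeded", "40 deny icmp any any log"]
# Constructed entries: peer connecting to our port 179, and peer replying from its port 179.
FIXED = NET0912 + ["50 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp",
                   "60 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2"]
PEER, ME = "192.0.2.1", "192.0.2.2"
peer_opens = {"proto": "tcp", "src": PEER, "sport": 50000, "dst": ME, "dport": 179}
peer_replies = {"proto": "tcp", "src": PEER, "sport": 179, "dst": ME, "dport": 50001}
ping = {"proto": "icmp", "src": PEER, "dst": ME, "icmp": "echo"}
```

With only entry 50 present, a session initiated by the local router still fails, because the peer's return packets carry source port 179 rather than destination port 179.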
