iACL Usage

zekebashi
Level 4

Hello, 

We have a NX7K with two connections (e5/9 and e6/9) to our ISP. We use eBGP peering on the two interfaces with the ISP. We tried to implement an iACL to deny ssh and snmp ingress traffic from our ISP to the NX7K, but after implementing the iACL we experienced an Internet outage. It seems that the implementation of this iACL broke the BGP peering for some reason. Here's the iACL we implemented:

IP access list DENY_ACCESS
        statistics per-entry
        10 deny tcp any any eq 22 log
        15 deny udp any any eq snmp log
        20 permit tcp any any

interface Ethernet5/9
  ip access-group DENY_ACCESS in
exit

interface Ethernet6/9
  ip access-group DENY_ACCESS in
exit

Can anyone see why this iACL would cause the BGP peering to break?

Thanks in advance. 

~zK 


Marvin Rhoads
Hall of Fame

BGP should be using tcp/179 and I would expect the neighbor relationship to be unaffected.

I would however change the last line to "20 permit ip any any". Otherwise you will be blocking udp and icmp implicitly.

Thanks, Marvin! 

Yes, tcp 179 is allowed in this case, and so BGP ingress traffic should be allowed. I'm still puzzled by why BGP was affected by this iACL and am still researching to find an answer.

 I'll change statement "20", good idea! 

Thanks, ~zK 

Are you sure that BGP was affected? Based on what you have told us so far your access list would not have allowed DNS packets. And if DNS is not working then your users would report that Internet access is broken. It might feel like there was a routing problem such as BGP not working. But the issue is DNS and not routing.

HTH

Rick
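The behaviour Marvin and Rick describe, modelled as an added example (this is not code from the thread, from Cisco, or from NX-OS itself): a first-match ACL evaluator run over the posted DENY_ACCESS entries and over the same list with Marvin's "20 permit ip any any" change. The packets, port numbers and their names are constructed for illustration; the evaluator models only protocol and destination port plus the implicit deny at the end of every ACL, not `log` or `statistics per-entry`. The `snmp` keyword is taken as udp/161.

```python
"""Simulate first-match ACL evaluation to show why the posted iACL broke DNS but not BGP."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" (matches any IP protocol)
    dst_port: Optional[int] = None  # None = any destination port ("any any" with no "eq")


@dataclass(frozen=True)
class Packet:
    name: str                      # constructed label, not a real flow
    proto: str
    src_port: int = 0              # 0 for protocols without ports (icmp)
    dst_port: int = 0


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first entry whose protocol and destination port
    match decides. No match falls through to the implicit deny, reported as seq None."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
            continue
        return entry.action, entry.seq
    return "deny", None


# The ACL exactly as posted: seq 20 permits only TCP.
ORIGINAL_ACL = [
    AclEntry(10, "deny", "tcp", 22),    # 10 deny tcp any any eq 22 log
    AclEntry(15, "deny", "udp", 161),   # 15 deny udp any any eq snmp log
    AclEntry(20, "permit", "tcp"),      # 20 permit tcp any any
]

# The same ACL with the last line changed to "20 permit ip any any".
CORRECTED_ACL = ORIGINAL_ACL[:2] + [AclEntry(20, "permit", "ip")]

# Constructed sample of ingress traffic arriving on the ISP-facing interfaces.
# Either side may have opened the BGP TCP session, so both directions are included.
INGRESS_FROM_ISP = [
    Packet("bgp_isp_initiated", "tcp", src_port=179, dst_port=52001),
    Packet("bgp_we_initiated", "tcp", src_port=52002, dst_port=179),
    Packet("ssh_attempt", "tcp", src_port=40001, dst_port=22),
    Packet("snmp_poll", "udp", src_port=40002, dst_port=161),
    Packet("dns_reply", "udp", src_port=53, dst_port=40003),   # answer to a query we sent out
    Packet("icmp_echo_reply", "icmp"),
]


def run(acl: List[AclEntry]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every sample packet against one ACL; returns {name: (action, seq)}."""
    return {p.name: evaluate(acl, p) for p in INGRESS_FROM_ISP}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- {label} ACL ---")
        for name, (action, seq) in run(acl).items():
            where = f"seq {seq}" if seq is not None else "implicit deny"
            print(f"{name:18s} {action:6s} ({where})")
```

Running it shows both BGP directions permitted by seq 20 under the original ACL, which matches what the poster saw (no neighbor drop), while the DNS reply and the ICMP echo reply fall through to the implicit deny; only the corrected list lets the UDP and ICMP return traffic in while still denying SSH and SNMP.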

Hi Rick, 

Sorry for the delayed response. I honestly don't think that the BGP peering dropped because when I checked the bgp neighbor status the connection status "drop" didn't show that the connection dropped. 

I see what you're saying. So, since the ACL is denying udp services, DNS/UDP is being denied and that's why we experienced the Internet outage? Is that an accurate analysis? 

Best, ~zK 

Yes that is an accurate analysis.

HTH

Rick

Thanks much, Rick! 

Best, ~sK 

You are welcome. I am glad that our answers have been helpful.

HTH

Rick