PING/ICMP works at which layer?

flying.gagan
Level 1

I have permitted TCP traffic only in extended ACL in-between two hosts, can't ping them. Why?

Accepted Solutions

For questions like these, it's best to look at how the headers are "stacked". Wikipedia has pages for every protocol. Here is ICMP: https://en.wikipedia.org/wiki/Ping_(networking_utility)

It's the same layer as TCP and UDP. When you allow IP, all protocols based on IP are allowed, which are TCP, UDP, ICMP and many others. When allowing TCP, only services based on TCP are allowed. These are, for example, HTTP, POP3, IMAP4, FTP ...


Deepak Kumar
VIP Alumni

Hi,

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, like routers and switches, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.

ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).

Regards,

Deepak Kumar


That's more like a definition and the difference between ICMP and TCP, which I know. In between, I found that ICMP needs the help of IP in order to process a request, so when I created an extended ACL and allowed IP traffic in between two hosts, I was able to ping, but cannot when I allow TCP. So I am trying to find out at which layer ICMP works, so that I can relate which one needs the help of the other or not. So the question still remains unanswered.

It's a layer 3 protocol that operates in the network layer and not the transport layer.

Joseph W. Doherty
Hall of Fame

"I have permitted TCP traffic only in extended ACL in-between two hosts, can't ping them. Why?"

Simply because ping doesn't use TCP.

In an extended ACL, if you're blocking all but TCP, you'll need to minimally add an ACE, or ACEs, to allow the ping's echo request and/or echo reply.

e.g.
permit icmp any any echo
permit icmp any any echo-reply

As to what layer (7) ping uses on the network, it's its own (L3) IP protocol (i.e. ICMP). Since it's one of the many IP protocols, this is why ping worked when you permitted all of IP.
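
The behaviour discussed in this thread, as an added example that is not part of any reply and is not Cisco code: a simplified first-match model of extended ACL entries, showing why `permit tcp` drops a ping, why `permit ip` passes it, and what the two ICMP entries above add. The function names, the sample packets and the restriction to `any any` addresses are assumptions made for the illustration; the protocol numbers (ICMP 1, TCP 6, UDP 17) and ICMP types (echo 8, echo-reply 0) are the IANA values.

```python
# Added example: simplified first-match model of IOS-style extended ACL entries.
# IANA IP protocol numbers; the keyword "ip" matches every protocol carried in IP.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_TYPE = {"echo": 8, "echo-reply": 0}

def parse_ace(line):
    """Parse 'permit|deny <proto> any any [icmp-type]' (addresses fixed to 'any')."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny") \
            or parts[2:4] != ["any", "any"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = parts[0], parts[1]
    if proto != "ip" and proto not in PROTO:
        raise ValueError(f"unknown protocol in ACE: {line!r}")
    icmp_type = None
    if len(parts) == 5:
        if proto != "icmp" or parts[4] not in ICMP_TYPE:
            raise ValueError(f"unsupported qualifier in ACE: {line!r}")
        icmp_type = ICMP_TYPE[parts[4]]
    return action, proto, icmp_type

def evaluate(acl, packet):
    """First matching ACE wins; packet is {'proto': int, 'icmp_type': int or None}."""
    for line in acl:
        action, proto, icmp_type = parse_ace(line)
        if proto != "ip" and PROTO[proto] != packet["proto"]:
            continue  # e.g. 'permit tcp' never matches protocol 1 (ICMP)
        if icmp_type is not None and packet.get("icmp_type") != icmp_type:
            continue  # ICMP entry limited to one message type
        return action
    return "deny"  # implicit deny that ends every ACL

# Constructed sample packets (only the fields this model inspects).
ECHO_REQUEST = {"proto": 1, "icmp_type": 8}
ECHO_REPLY = {"proto": 1, "icmp_type": 0}
UNREACHABLE = {"proto": 1, "icmp_type": 3}
HTTP_SEGMENT = {"proto": 6, "icmp_type": None}

TCP_ONLY = ["permit tcp any any"]
IP_ALL = ["permit ip any any"]
TCP_PLUS_PING = TCP_ONLY + ["permit icmp any any echo",
                            "permit icmp any any echo-reply"]

if __name__ == "__main__":
    for name, acl in [("tcp only", TCP_ONLY), ("ip", IP_ALL), ("tcp + ping", TCP_PLUS_PING)]:
        print(name, {k: evaluate(acl, p) for k, p in
                     [("echo", ECHO_REQUEST), ("reply", ECHO_REPLY),
                      ("unreachable", UNREACHABLE), ("http", HTTP_SEGMENT)]})
```

In this model the TCP-plus-ping ACL still denies other ICMP messages such as destination unreachable (type 3), since only the two listed types are permitted.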
