Posted on October 17, 2019 9:51 pm
 |  Asked by Andrei
 |  84 views
RESOLVED
0
0
Print Friendly, PDF & Email

Hi there, I would like to filter the ICMP messages, like Destination host unreachable in cisco I know that I had the no ip unreach .. but on the arista I cant find any .. I tried doing it with an ACL but the gw ip still respond with that kind of message.

Any help would be appreciated.

Thank you.

0
Answered on October 18, 2019 8:12 am

Hi Andrei.

I believe that it should be possible to block this by using an ACL. Can you share your ACL configuration?

Thanks.

0
Answered on October 18, 2019 9:47 pm

Hi Andrei,

We would like to get a better understanding of the type of unreachable messages that you are looking to filter out from the Arista device that is configured with the gateway IP.

In case you are looking to filter out the ICMP Unreachable(Type 3) code 0 (Network unreachable) to be generated from the device, we have the below command for the same :

ip icmp rate-limit-unreachable 0

If you are looking to filter out the ICMP Unreachable(Type 3) code 1 (Host unreachable) , the above command will not help as it only filters the network unreachable messages. An egress ACL on the interface facing the neighbor devices would have to be configured similar to this :

ip access-list test
10 deny icmp any any host-unreachable
20 permit ip any any
!

This would need to be applied on the egress interface ( for example as in et1 below ) :

interface ethernet1
no switchport
ip address 32.1.1.12/24
ip access-group test out
!

Rule 10 in the above access-list here would only block the host-unreachable messages. In case you would like to block all ICMP messages, rule 10 could just be "deny icmp any any".

Also , in case you already have the above ACL configuration and are still observing the messages making it out of the interface , please do reach out to support@arista.com with the tech-support output from the device by executing the command "show tech-support" and we could assist you further.

Post your Answer

You must be logged in to post an answer.