Hi,
This one is really aimed at Marco, but opinions from anyone who has passed the
TS section are welcome.
By now, we know that "thou shalt not remove a feature or existing config" to
fix a problem. The specific example I am thinking of is where an ACL is
blocking the traffic you want.
E.g.
R1 f0/0 -> OSPF -> R2 F0/0
Let's call this subnet 10.1.1.0/30.
You find that R2 has the following ACL on its Fast0/0.
ip access-list extended HERE_IS_YOUR_TROUBLE ! If only they were that kind!!
deny ospf any any
permit ip any any
Which of the following is/are acceptable?
A.
ip access-list extended HERE_IS_YOUR_TROUBLE
5 permit ospf host 10.1.1.1 any
B.
ip access-list extended HERE_IS_YOUR_TROUBLE
5 permit ospf any host 224.0.0.5
6 permit ospf any host 224.0.0.6
7 permit ospf any host 10.1.1.2
C.
ip access-list extended HERE_IS_YOUR_TROUBLE
5 permit ospf host 10.1.1.1 host 224.0.0.5
6 permit ospf host 10.1.1.1 host 224.0.0.6
7 permit ospf host 10.1.1.1 host 10.1.1.2
I know this is not CCIE Security, but R&S, so do you go for A. as it is quicker
to type, or do you go for C. as it involves punching the fewest holes in the
access list? Or is C in "no style points" territory?
Basically, do you alter an ACL the easiest way to get around the problem, or do
you take the "spirit of why someone put that ACL on there in the first place"
into account?
George
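
An added example, not part of the original post: a small Python model of first-match ACL evaluation (a model, not IOS itself) showing which OSPF packets each option admits inbound on R2. The packet names and the addresses outside 10.1.1.0/30 are constructed for illustration.

```python
from ipaddress import ip_address

# Existing ACL on R2 Fa0/0 (default sequence numbers 10 and 20).
BASE = [("deny", "ospf", "any", "any"), ("permit", "ip", "any", "any")]
DSTS = ("224.0.0.5", "224.0.0.6", "10.1.1.2")
# Entries each option inserts at sequence 5-7, i.e. ahead of the deny.
OPTIONS = {
    "original": [],
    "A": [("permit", "ospf", "10.1.1.1", "any")],
    "B": [("permit", "ospf", "any", d) for d in DSTS],
    "C": [("permit", "ospf", "10.1.1.1", d) for d in DSTS],
}
# Constructed test packets: (protocol, source, destination).
PACKETS = {
    "r1_hello": ("ospf", "10.1.1.1", "224.0.0.5"),
    "r1_to_dr": ("ospf", "10.1.1.1", "224.0.0.6"),
    "r1_unicast": ("ospf", "10.1.1.1", "10.1.1.2"),
    "other_src_hello": ("ospf", "192.0.2.9", "224.0.0.5"),
    "r1_other_dst": ("ospf", "10.1.1.1", "198.51.100.7"),
    "r1_tcp": ("tcp", "10.1.1.1", "10.1.1.2"),
}

def addr_match(spec, addr):
    return spec == "any" or ip_address(spec) == ip_address(addr)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and addr_match(s, src) and addr_match(d, dst):
            return action
    return "deny"

def permitted(option):
    acl = OPTIONS[option] + BASE
    return {n for n, pkt in PACKETS.items() if evaluate(acl, *pkt) == "permit"}

def extra_ospf(option):
    """OSPF packets the option admits beyond what option C admits."""
    return permitted(option) - permitted("C")

if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, sorted(permitted(opt)), "extra vs C:", sorted(extra_ospf(opt)))
```

All three options admit the same three R1 OSPF flows; A additionally admits R1 OSPF to any destination, and B additionally admits OSPF from any source to the three listed destinations.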