I think any of those would be fine. I don't think "permit ip any any" flies, but I don't think they are getting that particular on access-lists.
On Thu, Jul 18, 2013 at 5:46 PM, George Leslie <[email protected]> wrote:

> Hi,
> This one is really aimed at Marco, but opinions from anyone who has passed
> the TS section welcome.
>
> By now, we know that "thou shalt not remove a feature or existing config"
> to fix a problem. The specific example I am thinking of is where an ACL is
> blocking the traffic you want.
>
> E.G
>
> R1 f0/0 -> OSPF -> R2 F0/0
>
> Let's call this subnet 10.1.1.0/30.
>
> You find that R2 has the following ACL on its Fast0/0.
>
> ip access-list extended HERE_IS_YOUR_TROUBLE ! If only they were that kind!!
> deny ospf any any
> permit ip any any
>
> Which of the following is/are acceptable?
>
> A.
> ip access-list extended HERE_IS_YOUR_TROUBLE
> 5 permit ospf host 10.1.1.1 any
>
> B.
> ip access-list extended HERE_IS_YOUR_TROUBLE
> 5 permit ospf any host 224.0.0.5
> 6 permit ospf any host 224.0.0.6
> 7 permit ospf any host 10.1.1.2
>
> C.
> ip access-list extended HERE_IS_YOUR_TROUBLE
> 5 permit ospf host 10.1.1.1 host 224.0.0.5
> 6 permit ospf host 10.1.1.1 host 224.0.0.6
> 7 permit ospf host 10.1.1.1 host 10.1.1.2
>
> I know this is not CCIE Security, but R&S, so do you go for A. as it is
> quicker to type, or do you go for C. as it involves punching the fewest
> holes in the access list? Or is C in "no style points" territory?
>
> Basically, do you alter an ACL the easiest way to get around the problem,
> or do you take the "spirit of why someone put that ACL on there in the
> first place" into account?
>
> George
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs

--
Marc Abel
CCIE #35470 (Routing and Switching)
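Added example, not part of the original thread: a small first-match ACL evaluator that runs the original ACL and options A, B and C against a few OSPF packets, to show that all three restore R1's adjacency traffic but differ in what else they let through. Assumptions: the ACL is applied inbound on R2's F0/0, R1 is 10.1.1.1 and R2 is 10.1.1.2, the unnumbered original entries take the IOS default sequence numbers 10 and 20, and 192.0.2.9 is a constructed address standing in for any other host.

```python
import ipaddress

# ACL from the thread. It has no sequence numbers, so IOS numbers it 10 and 20
# and the options' entries 5-7 are evaluated first.
BASE = ["10 deny ospf any any", "20 permit ip any any"]
R1 = "host 10.1.1.1"  # assumption: R1 is .1 and R2 is .2 on 10.1.1.0/30
DSTS = ["host 224.0.0.5", "host 224.0.0.6", "host 10.1.1.2"]
OPTIONS = {
    "A": ["5 permit ospf host 10.1.1.1 any"],
    "B": [f"{5 + i} permit ospf any {d}" for i, d in enumerate(DSTS)],
    "C": [f"{5 + i} permit ospf {R1} {d}" for i, d in enumerate(DSTS)],
}
# Constructed test packets: (label, protocol, source, destination).
PACKETS = [
    ("R1 hello", "ospf", "10.1.1.1", "224.0.0.5"),
    ("R1 to DR", "ospf", "10.1.1.1", "224.0.0.6"),
    ("R1 unicast", "ospf", "10.1.1.1", "10.1.1.2"),
    ("other source", "ospf", "192.0.2.9", "224.0.0.5"),
    ("other destination", "ospf", "10.1.1.1", "192.0.2.9"),
]

def parse(line):
    """Parse '<seq> <action> <proto> <src> <dst>'; src/dst is 'any' or 'host x'."""
    tok = line.split()
    addrs, i = [], 3
    while i < len(tok):
        if tok[i] == "any":
            addrs.append(None)  # None means "match any address"
            i += 1
        else:
            addrs.append(ipaddress.ip_address(tok[i + 1]))
            i += 2
    return int(tok[0]), tok[1], tok[2], addrs[0], addrs[1]

def evaluate(acl, proto, src, dst):
    """First matching entry in sequence order wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, p, s, d in sorted(map(parse, acl), key=lambda e: e[0]):
        if p in ("ip", proto) and s in (None, src) and d in (None, dst):
            return action
    return "deny"

def compare():
    """Return {ACL name: {packet label: action}} for the original ACL and A, B, C."""
    acls = {"original": BASE, **{k: BASE + v for k, v in OPTIONS.items()}}
    return {name: {lbl: evaluate(acl, p, s, d) for lbl, p, s, d in PACKETS}
            for name, acl in acls.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In the output, A also permits OSPF from R1 to any destination, B also permits OSPF from any source to the three listed destinations, and C permits only R1 to those three.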
