Hi Brandon,
 
I'd have to agree with Scott (and who wouldn't :).  From my understanding, it 
doesn't really matter what you have "extra" as long as your configs satisfy the 
requirements of the task, aren't breaking the rules of another task (like Scott 
said - "fewest lines" or "minimal config"), or inhibiting the functionality (or 
lack thereof) of other tasks.  After speaking with the proctors (ahem)... a few 
times at RTP, I get the feeling from them that they really aren't after dinging 
you for that kind of stuff - contrary to the opinion of a lot of people.  
They're more concerned with the functionality of your configuration - whether 
it works or not, whether it breaks any rules, and whether you exhibited 
expert-level knowledge of the technology presented in the task (versus 
configuring some bass-ackwards workaround).  I'm sure you've heard by now that 
"the proctors are there to help you... not screw with you."  I would totally 
agree.  Just talk to them if you're ever in doubt.  A lot of the time, they'll 
flat out tell you - "Yes, that's fine" or "Nope - you'll want to remove that."  
And remember, if it doesn't say you *can't* do it in the overall guidelines to 
the lab - it's fair game!  This includes extra configuration IMHO.
 
Like Scott said though - If you want to be ultra careful, just make a note to 
remove it at the end of the lab.
 
HTH and good luck!
 
Aaron

________________________________

From: [EMAIL PROTECTED] on behalf of Brandon Carroll
Sent: Tue 9/9/2008 5:18 PM
To: Black, Peter
Cc: [email protected]; Cisco certification; [EMAIL PROTECTED]
Subject: Re: [OSL | CCIE_Security] ACLs on the lab

I guess the reason I was adding TCP and UDP was so that in the log 
messages I could see what TCP was dropped, including the port, and what 
UDP was dropped, including the port.

I didn't think they were redundant.  Maybe I'm wrong.

Totally understand the time constraint.

Brandon Carroll
Senior Instructor
Ascolta
606 120th Ave NE
D-201
Bellevue, Wa. 98056

ph.206-850-2384

[EMAIL PROTECTED]
http://www.ascolta.com
http://www.globalconfig.net
http://ccieprep.me

On Sep 9, 2008, at 2:12 PM, Black, Peter wrote:

> Brandon,
>
> I believe that when you include 'ip' in an access-list, it includes all
> protocols above layer 3 (tcp & udp).  Therefore, adding the deny tcp and
> deny udp statements is redundant.
>
> You shouldn't get 'dinged' for having extra statements in your
> access-list, as long as all task requirements are met.
>
> Having said that, a proctor might question your expert level of
> knowledge if you add in those two redundant statements.
>
> Just to satisfy your curiosity, add in a 'deny ip any any log' statement
> at the end of an acl, then try to telnet through the PIX/ASA.  Make sure
> to turn on logging to the console at the debug level.... for example:
>
> logging console debug
> access-list infilter permit icmp any any
> access-list infilter deny ip any any log
>
> Even though you haven't added a 'deny tcp' statement, you should see the
> denial in the firewall's log.
>
> In addition, time in the lab is very limited and you're under quite a
> bit of pressure.  I learned to avoid any unnecessary configurations.
> The 'deny ip any any log' statement is enough for troubleshooting.  By
> the way... I WOULD definitely make sure to add that statement to every
> access-list you do.  It saved my bacon during the lab.
>
> Peter Black, CCIE #20896 (Security)
> Senior Network Security Engineer
> CCSP, CCDP, CCNP, CEH, CHFI, ECSA, LPT, CCSE
> Southern Utes Shared Services
> 970-563-5606
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Carroll
> Sent: Tuesday, September 09, 2008 12:38 PM
> To: Cisco certification; [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: [OSL | CCIE_Security] ACLs on the lab
>
> Would the following be ok on the lab?
>
> R5(config)#access-l 101 deny tcp any any range 1 65535 log
> R5(config)#access-l 101 deny udp any any range 1 65535 log
> R5(config)#access-l 101 deny ip any any log
>
>
> I like to add it to the end of my ACLs so that I can catch any
> protocols that I forget.  Assuming the lab doesn't say anything
> specific, could I get dinged for having it?
>
>
> Brandon Carroll
> Senior Instructor
> Ascolta
> 606 120th Ave NE
> D-201
> Bellevue, Wa. 98056
>
> ph.206-850-2384
>
> [EMAIL PROTECTED]
> http://www.ascolta.com
> http://www.globalconfig.net
> http://ccieprep.me

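The two points the thread turns on are first-match ACL evaluation ('ip' already covers tcp and udp, so the trailing 'deny ip any any log' drops the same packets with or without the explicit tcp/udp lines) and the difference Brandon cares about, namely how much detail the log line for a match carries. The Python below is an added illustration written for this page; it is not code from any poster or from Cisco. It models an extended ACL as a list of entries evaluated in order with an implicit deny at the end, and builds Brandon's ending, Peter's ending and a trimmed version to compare. The packet addresses, ports and the log-line format are constructed for the example and are not the exact IOS syslog text.

```python
"""Toy first-match evaluator for Cisco IOS-style extended ACLs.

Added example (not from the thread or from Cisco). It shows that a trailing
'deny ip any any log' already drops every TCP and UDP packet, so explicit
'deny tcp'/'deny udp' lines change no filtering decision, and that the one
thing they do change is log detail: a tcp/udp entry can report ports, while
an 'ip' entry only knows the protocol number. Log-line format is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers: all an 'ip' entry can report about a matched packet.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
VERB = {"permit": "permitted", "deny": "denied"}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for tcp/udp
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    """One ACE of the form '<action> <proto> any any [range lo hi] [log]'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    port_lo: int = 1              # destination-port range, tcp/udp only
    port_hi: int = 65535
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto in ("tcp", "udp"):
            return self.port_lo <= pkt.dport <= self.port_hi
        return True               # 'ip' and 'icmp' entries never look at ports

    def log_line(self, pkt: Packet) -> str:
        verb = VERB[self.action]
        if self.proto in ("tcp", "udp"):
            # Protocol-specific entry: the log can carry both ports.
            return f"{verb} {pkt.proto} {pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport})"
        # 'ip' (or icmp) entry: only protocol number and addresses are known.
        return f"{verb} {PROTO_NUM.get(pkt.proto, pkt.proto)} {pkt.src} -> {pkt.dst}"


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, int, Optional[str]]:
    """First matching entry wins; unmatched traffic hits the implicit deny
    (reported as index len(acl)), which produces no log line."""
    for idx, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, idx, entry.log_line(pkt) if entry.log else None
    return "deny", len(acl), None


def same_decisions(acl_a: List[Entry], acl_b: List[Entry], packets) -> bool:
    """True when both ACLs permit/deny exactly the same packets (log detail ignored)."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)


# Brandon's ending: explicit tcp/udp denies with port ranges, then the catch-all.
BRANDON_ACL = [
    Entry("deny", "tcp", 1, 65535, log=True),
    Entry("deny", "udp", 1, 65535, log=True),
    Entry("deny", "ip", log=True),
]
# Peter's example: permit icmp, then the catch-all alone.
PETER_ACL = [
    Entry("permit", "icmp"),
    Entry("deny", "ip", log=True),
]
# Brandon's ACL with the two redundant lines removed.
TRIMMED_ACL = [Entry("deny", "ip", log=True)]

# Constructed sample traffic (addresses and ports are made up for the example).
SAMPLE = [
    Packet("tcp", "10.1.1.5", "10.2.2.9", 40000, 23),   # telnet attempt
    Packet("udp", "10.1.1.5", "10.2.2.9", 50000, 53),   # dns query
    Packet("icmp", "10.1.1.5", "10.2.2.9"),             # echo request
    Packet("gre", "10.1.1.5", "10.2.2.9"),              # neither tcp, udp nor icmp
]

if __name__ == "__main__":
    telnet = SAMPLE[0]
    for name, acl in (("brandon", BRANDON_ACL), ("peter", PETER_ACL)):
        action, idx, line = evaluate(acl, telnet)
        print(f"{name:8s} {action} via entry {idx}: {line}")
    print("same filtering after dropping tcp/udp lines:",
          same_decisions(BRANDON_ACL, TRIMMED_ACL, SAMPLE))
```

Running it shows the telnet packet denied by entry 0 of Brandon's list with both ports in the log line, denied by entry 1 of Peter's list with only protocol number 6, and `same_decisions` returning True for Brandon's list versus the trimmed one: the extra lines buy log detail, not filtering.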