Re: Extended ACL to permit GRE traffic..

From: Scott Morris <smorris_at_ine.com>
Date: Mon, 01 Mar 2010 08:37:59 -0500

 It may be too much in the morning for me (pre-caffeine) but I didn't
read Martin's e-mail as anything from atop a pedestal. Most of the time,
when questions come up, they can be approached from a very simple thought
process.

Which, this whole thing with routers and switches... Once we start
understanding HOW they think, then most things become much easier to work
through. Workbooks are great, but don't come up with every single
variant! So someplace along the way, we need to learn to think like the
routers and switches do.

So, the valid question is can I use "permit ip" in an ACL? Sure. But
why?

What about "permit gre"? That's more specific, but again, why? BECAUSE
(as another e-mail listed) the GRE protocol is IP protocol 47. Which
means GRE is a subset of IP. Permitting the larger list/set will always
permit the subsets.

So, concentrating on the answer of WHY is where we get the learning
from. Granted, Martin wasn't very verbose in his note (grin), but at
least in my opinion, he wasn't trying to deride or insult anyone.

The problem with e-mail is that it doesn't carry much of a sense of humor
with it. Let's not read more into things than was actually there though.

My two cents. (Which after taxes is only likely to be 1.1 cents these
days!)

Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al.
JNCI-M, JNCI-ER
evil_at_ine.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......

Jitendra Anbu wrote:

  Sorry Martin, I think you were out of line with your approach! You & some
  others who subscribe to this e-mail group need to come down from your
  pedestal.

  ________________________________
  From: Martin Hogan [ martin.john.hogan_at_gmail.com ]
  Sent: Monday, 1 March 2010 7:24 PM
  To: Jitendra Anbu
  Cc: CCIE R/S, Groupstudy
  Subject: Re: Extended ACL to permit GRE traffic..
  
  Hi Jit,
  
  I was going for the "teach a man to fish" rather than give him a fish
  approach.
  
  So yes, I was trying to help more than simply typing out an answer. I like to
  think that CCIE's or people who aspire to be would or should be interested in
  the how and why things work as they do rather than just the answer.
  
  Glad you got what you were after.
  
  Martin

  On Mon, Mar 1, 2010 at 7:11 PM, Jitendra Anbu
  <Jitendra.Anbu_at_optus.com.au> wrote:
  Martin, I am not sure whether you're trying to help or just making us guess
  what you know????
  
  My understanding was that GRE would be automatically permitted if I permit IP
  - that's it.
  
  If that's not the case I was expecting someone to tell me.
  ________________________________
  From: Martin Hogan [ martin.john.hogan_at_gmail.com ]
  Sent: Monday, 1 March 2010 2:06 PM
  To: Jitendra Anbu
  Cc: CCIE R/S, Groupstudy
  Subject: Re: Extended ACL to permit GRE traffic..
  
  Think back to basics;
  
  What is IP?
  What is GRE?
  
  How do they work (together?)?

  On Mon, Mar 1, 2010 at 1:49 PM, Jitendra Anbu
  <Jitendra.Anbu_at_optus.com.au> wrote:
  Hi All,
  
  If you create an Extended ACL as:
  
  ip access-list extended TUNNEL
  permit ip host 203.208.174.93 host 85.115.65.7
  
  Would this permit GRE traffic, for example?
  
  OR
  
  do I need this to permit GRE:
  
  ip access-list extended TUNNEL
  permit gre host 203.208.174.93 host 85.115.65.7
  
  Thank you.

  Blogs and organic groups at http://www.ccie.net
  _______________________________________________________________________
  Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
  
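An added illustration, not from anyone in the thread: a toy matcher for the two ACL entries in the original question, modelling how an IOS extended ACL compares its protocol keyword against the Protocol field of the IP header. It shows that "permit ip" also matches protocol 47 (GRE), while "permit gre" matches only that protocol and is therefore the tighter entry; the Packet/Ace representations and the parser are assumptions made for this demonstration, not IOS's own implementation.

```python
from dataclasses import dataclass

# IANA protocol numbers behind the IOS keywords used here ("ip" = any protocol)
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int  # Protocol field of the outer IP header (47 for GRE)

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" or one of PROTO_KEYWORDS
    src: str     # host address or "any"
    dst: str

def _take_addr(tokens):
    """Consume 'host A' or 'any' (the only address forms this toy supports)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def parse_ace(line):
    """Parse e.g. 'permit gre host 203.208.174.93 host 85.115.65.7'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if proto != "ip" and proto not in PROTO_KEYWORDS:
        raise ValueError(f"unsupported protocol keyword: {proto}")
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return Ace(action, proto, src, dst)

def ace_matches(ace, pkt):
    # "ip" matches every IP protocol; a keyword matches only its own number,
    # so 'permit gre' is a strict subset of 'permit ip' for the same hosts.
    proto_ok = ace.proto == "ip" or PROTO_KEYWORDS[ace.proto] == pkt.proto
    return proto_ok and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)

def evaluate(acl_lines, pkt):
    """Top-down, first match wins, implicit deny at the end (as on IOS)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"
```

Because "permit ip" between two hosts admits every protocol between them, the "gre" keyword is the entry to prefer when the intent is to allow only the tunnel.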

Received on Mon Mar 01 2010 - 08:37:59 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART