On Wed, Dec 19, 2018 at 8:32 AM Saku Ytti <saku@ytti.fi> wrote:
On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
<Philip.Loenneker@tasmanet.com.au> wrote:

> I had a heck of a time a few years back trying to troubleshoot an issue where an upstream provider had an ACL with an incorrect mask along the lines of 255.252.255.0. That was really interesting to talk about once we discovered it, though it caused some loss of hair beforehand...

Juniper originally didn't support them even in ACL use-case but were
forced to add later due to customer demand, so people do have
use-cases for them. If we'd still support them in forwarding, I'm sure
someone would come up with solution which depends on it. I am not
advocating we should, I'll rather take my extra PPS out of the HW.

However there is one quite interesting use-case for discontinuous mask
in ACL. If you have, like you should have, specific block for customer
linknetworks, you can in iACL drop all packets to your side of the
links while still allowing packets to customer side of the links,
making attack surface against your network minimal.

And unfortunately is still not supported by IOS-XR for IPv6, which could mean not having a scaleable way on your edge to protect your internal network.

--
Christian

e-mail/xmpp: christian@errxtx.net
PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318