* On Wed, 19 Dec 2018 at 02:55, Philip Loenneker *>* <Philip.Loenneker at tasmanet.com.au <https://mailman.nanog.org/mailman/listinfo/nanog>> wrote: *>>* > I had a heck of a time a few years back trying to troubleshoot an issue *>* where an upstream provider had an ACL with an incorrect mask along the *>* lines of 255.252.255.0. That was really interesting to talk about once we *>* discovered it, though it caused some loss of hair beforehand... *>>* Juniper originally didn't support them even in ACL use-case but were *>* forced to add later due to customer demand, so people do have *>* use-cases for them. If we'd still support them in forwarding, I'm sure *>* someone would come up with solution which depends on it. I am not *>* advocating we should, I'll rather take my extra PPS out of the HW. *>>* However there is one quite interesting use-case for discontinuous mask *>* in ACL. If you have, like you should have, specific block for customer *>* linknetworks, you can in iACL drop all packets to your side of the *>* links while still allowing packets to customer side of the links, *>* making attack surface against your network minimal.

Hi Christian, Discontinuous mask for IPv6 was supported in IOS-XR in release 5.2.2. You can refer below link for details: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/ip-addresses/... Regards, Aseem On Wed, Dec 19, 2018 at 8:32 AM Saku Ytti <saku at ytti.fi <https://mailman.nanog.org/mailman/listinfo/nanog>> wrote: * And unfortunately is still not supported by IOS-XR for IPv6, which could mean not having a scaleable way on your edge to protect your internal network. -- Christian e-mail/xmpp: christian at errxtx.net <https://mailman.nanog.org/mailman/listinfo/nanog> PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318