On Wed, Dec 19, 2018 at 8:32 AM Saku Ytti <s...@ytti.fi> wrote:
> On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
> <philip.loenne...@tasmanet.com.au> wrote:
>
> > I had a heck of a time a few years back trying to troubleshoot an issue
> > where an upstream provider had an ACL with an incorrect mask along the
> > lines of 255.252.255.0. That was really interesting to talk about once we
> > discovered it, though it caused some loss of hair beforehand...
>
> Juniper originally didn't support them even in the ACL use-case but were
> forced to add them later due to customer demand, so people do have
> use-cases for them. If we'd still support them in forwarding, I'm sure
> someone would come up with a solution which depends on it. I am not
> advocating we should; I'd rather take my extra PPS out of the HW.
>
> However, there is one quite interesting use-case for a discontinuous mask
> in an ACL. If you have, as you should have, a specific block for customer
> linknetworks, you can in the iACL drop all packets to your side of the
> links while still allowing packets to the customer side of the links,
> making the attack surface against your network minimal.
And unfortunately it is still not supported by IOS-XR for IPv6, which could mean not having a scalable way on your edge to protect your internal network.

-- 
Christian
e-mail/xmpp: christ...@errxtx.net
PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318
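The discontiguous-mask iACL trick Saku describes above, worked through as an added example that is not part of the thread. The addressing is assumed: 192.0.2.0/24 (TEST-NET-1) stands in for the block reserved for customer /31 link networks with the provider address on the even side of each /31, and 198.51.100.0/24 (TEST-NET-2) stands in for internal infrastructure. The term list, the helper names and the mask arithmetic are this example's own; the same (address AND mask) == (prefix AND mask) comparison is also used to show why Philip's mistyped 255.252.255.0 matched far more than one /24.

```python
import ipaddress

# Constructed example. Assumptions (not from the thread): TEST-NET-1 192.0.2.0/24 is
# the block reserved for customer /31 link networks, with the provider ("our") address
# on the even side of each /31, and TEST-NET-2 198.51.100.0/24 is internal
# infrastructure.
LINKNET_BLOCK = "192.0.2.0"
INFRA_BLOCK = "198.51.100.0"


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mask_match(addr: str, prefix: str, mask: str) -> bool:
    """True if addr matches prefix under an arbitrary (possibly discontiguous) mask.

    ACL engines compare (addr AND mask) with (prefix AND mask); nothing in that
    operation requires the set bits of the mask to be contiguous.
    """
    m = _u32(mask)
    return (_u32(addr) & m) == (_u32(prefix) & m)


def is_contiguous(mask: str) -> bool:
    """True for ordinary prefix-length masks (a run of 1 bits followed by 0 bits)."""
    inv = (~_u32(mask)) & 0xFFFFFFFF  # 0...01...1 if the mask was contiguous
    return (inv & (inv + 1)) == 0     # then inv + 1 is a power of two


def to_wildcard(mask: str) -> str:
    """Cisco-style wildcard (inverted mask), e.g. 255.255.255.1 -> 0.0.0.254."""
    return str(ipaddress.IPv4Address((~_u32(mask)) & 0xFFFFFFFF))


def match_count(mask: str) -> int:
    """How many addresses one (prefix, mask) term matches: 2 ** (number of 0 bits)."""
    return 1 << (32 - bin(_u32(mask)).count("1"))


# iACL terms, first match wins: (action, prefix, mask).
# 255.255.255.1 is the /24 mask plus the least significant bit, so it selects only
# the even (provider-side) address of every /31 inside LINKNET_BLOCK.
IACL = [
    ("deny", INFRA_BLOCK, "255.255.255.0"),      # our internal infrastructure
    ("deny", LINKNET_BLOCK, "255.255.255.1"),    # our side of every customer /31
    ("permit", LINKNET_BLOCK, "255.255.255.0"),  # customer side of the same links
    ("permit", "0.0.0.0", "0.0.0.0"),            # transit traffic
]


def iacl_decision(dst: str) -> str:
    """Evaluate the destination address against the iACL terms in order."""
    for action, prefix, mask in IACL:
        if mask_match(dst, prefix, mask):
            return action
    return "deny"  # implicit default; unreachable while the permit-any term exists


def linknet_side(dst: str) -> str:
    """Classify an address relative to the customer link-network block."""
    if mask_match(dst, LINKNET_BLOCK, "255.255.255.1"):
        return "provider"
    if mask_match(dst, LINKNET_BLOCK, "255.255.255.0"):
        return "customer"
    return "other"


if __name__ == "__main__":
    for dst in ("192.0.2.4", "192.0.2.5", "198.51.100.7", "203.0.113.9"):
        print(dst, linknet_side(dst), iacl_decision(dst))
    # The mistyped mask from the thread: 255.252.255.0 is discontiguous, and with a
    # prefix of 10.0.0.0 it matches 10.{0..3}.0.{0..255}, 1024 addresses spread over
    # four /16s, instead of the single /24 that 255.255.255.0 would have matched.
    print("255.252.255.0 contiguous:", is_contiguous("255.252.255.0"),
          "matches:", match_count("255.252.255.0"),
          "wildcard:", to_wildcard("255.252.255.0"))
```

The second iACL term is the whole point: one term with mask 255.255.255.1 (wildcard 0.0.0.254) covers the provider end of all 128 /31s in the block, where a contiguous-mask-only platform would need one /32 term per link, which is the scaling problem Christian raises for IOS-XR IPv6.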