Re: Stupid Question maybe?

[Saku Ytti <saku () ytti fi>]

On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
<Philip.Loenneker () tasmanet com au> wrote:

> I had a heck of a time a few years back trying to troubleshoot an issue where an upstream provider had an ACL with an 
> incorrect mask along the lines of 255.252.255.0. That was really interesting to talk about once we discovered it, 
> though it caused some loss of hair beforehand...

Juniper originally didn't support them even in ACL use-case but were
forced to add later due to customer demand, so people do have
use-cases for them. If we'd still support them in forwarding, I'm sure
someone would come up with solution which depends on it. I am not
advocating we should, I'll rather take my extra PPS out of the HW.

However there is one quite interesting use-case for discontinuous mask
in ACL. If you have, like you should have, specific block for customer
linknetworks, you can in iACL drop all packets to your side of the
links while still allowing packets to customer side of the links,
making attack surface against your network minimal.


-- 
  ++ytti