[c-nsp] Access-list Question
Brian McMahon
brmcmaho at cabrillo.edu
Wed May 16 01:00:59 EDT 2007
Quoth Gert Doering:
>> To borrow a phrase, I would encourage my competition to design solutions
>> based around non-contiguous wildmasks :)
>
> Been that, done that, found it useful
>
> deny ip any 195.30.0.255 0.0.255.0
>
> - drop packets to all .255 addresses inside our /16 (anti-smurf).
Cool example -- but it still doesn't answer the fundamental question:
Why couldn't the same thing have been expressed as "deny ip any
195.30.0.255 255.255.0.255", like you'd do with a noncontiguous netmask?
My personal theory (SWAG) is that, long ago in the Elder Days of
single-digit IOS version numbers, some clever programmer figured out
a way to save a couple of processor cycles per ACL by coding the
bitmask this way around -- an efficiency gain that has been easily
swamped over the years by the confusion it's created, but that is now
WAY TOO LATE to fix.
--
Brian McMahon <brian dot mcmahon at cabrillo dot edu>
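As an added illustration, not part of the original thread, the following Python evaluator shows what Gert's noncontiguous wildcard line matches and that Brian's proposed netmask form (255.255.0.255) is simply its bitwise inverse; the ACL entry and the 195.30.0.0/16 prefix come from the post, the probe addresses are constructed.

```python
import ipaddress

# The ACL entry quoted in the thread: deny ip any 195.30.0.255 0.0.255.0
ANTI_SMURF_BASE = "195.30.0.255"
ANTI_SMURF_WILDCARD = "0.0.255.0"


def _u32(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_to_netmask(wildcard: str) -> str:
    """A Cisco wildcard is the inverted netmask: 0 bits must match, 1 bits are don't-care."""
    return str(ipaddress.IPv4Address(_u32(wildcard) ^ 0xFFFFFFFF))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit position where the wildcard bit is 0."""
    care = ~_u32(wildcard) & 0xFFFFFFFF          # bits the ACL cares about
    return (_u32(addr) & care) == (_u32(base) & care)


def netmask_matches(addr: str, base: str, netmask: str) -> bool:
    """Same test expressed with a (possibly noncontiguous) netmask instead of a wildcard."""
    m = _u32(netmask)
    return (_u32(addr) & m) == (_u32(base) & m)


def anti_smurf_action(dst: str) -> str:
    """Apply the quoted entry to a destination address: 'deny' or 'permit'."""
    if wildcard_matches(dst, ANTI_SMURF_BASE, ANTI_SMURF_WILDCARD):
        return "deny"
    return "permit"


def forms_agree(addr: str) -> bool:
    """Check that the wildcard form and the inverted-netmask form give the same verdict."""
    nm = wildcard_to_netmask(ANTI_SMURF_WILDCARD)
    return wildcard_matches(addr, ANTI_SMURF_BASE, ANTI_SMURF_WILDCARD) == \
        netmask_matches(addr, ANTI_SMURF_BASE, nm)


if __name__ == "__main__":
    # Constructed probe addresses: .255 inside the /16, a non-.255 inside, and .255 outside.
    for dst in ("195.30.17.255", "195.30.17.254", "195.31.0.255"):
        print(dst, anti_smurf_action(dst), forms_agree(dst))
```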