>Bob Vance wrote,



>IIRC, at least stating at some IOS version level, this is being done
>automatically for you by IOS when it stores the ACL in the
>configuration.  Thus, if you typed:
>
>   access-list 101 tcp permit any 141.120.128.0 0.0.135.255
>
>it would actually show up via a 'sh run' as
>
>   access-list 101 tcp permit any 141.120.0.0 0.0.135.255
>
>I'm not sure about this, though --
>I'm sure that someone else will confirm/debunk it.

I remember the behavior changing in 10-something, 10.2 to the best of 
my recollection.  That was the first release where access lists had 
significant backward compatibility problems.  The IOS, for example, 
always substituted "telnet" for "23" in TCP extended access list 
rules.

It definitely was 10.3 where the behavior of access-group changed. 
Prior to 10.3, if you defined "ip access-group 100" but there were no 
"access-list 100" lines, all traffic through the interface with the 
access group would stop.  This is quite consistent with good security 
practice, such as the Principle of Least Privilege, but was highly 
unpopular.

-----

Going back to the original premise of this thread, using 
discontiguous masks to minimize the number of access list 
comparisons, writing a general program for doing so would be 
straightforward for anyone who has studied (and understood) code 
generation optimization in compilers.  While it's always hard to 
prove that something doesn't exist, I have never heard of such a tool 
in the computer-scientist-rich carrier environment.

I can think of a sort-of-reverse-case, not an optimizer but a 
code-generating program that used discontiguous masks.  When Sean 
Doran originally implemented the prefix length policy for Sprint, 
prior to the IOS supporting prefix length filters, he wrote a 
program that generated about 16 pages of access list rules.  That 
policy, incidentally, was always more complex than a simple "block 
anything longer than /19".
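As an added illustration of the two mechanics discussed in this thread (not code from any poster, and not a Cisco tool): the first two functions reproduce the normalization Bob describes, where IOS clears every address bit that the wildcard marks as "don't care" (a set bit in a Cisco wildcard means the bit is ignored), plus the match test a router applies to a packet; the last function is a small version of the "optimizer" idea, collapsing a list of equal-length prefixes into one address/wildcard line only when that single line admits exactly the given prefixes and nothing else. The 10.1.x.0/24 prefixes in the usage block are constructed sample input, not addresses from the discussion.

```python
import ipaddress


def _to_ints(addr, wildcard):
    """Return (address, wildcard) as 32-bit integers."""
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def normalize(addr, wildcard):
    """Clear the address bits the wildcard marks as ignored.

    This is the rewrite Bob describes: 141.120.128.0 with wildcard 0.0.135.255
    comes back from 'sh run' as 141.120.0.0, because bit 128 of the third
    octet is one of the bits the wildcard tells the router not to compare.
    """
    a, w = _to_ints(addr, wildcard)
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))


def matches(entry_addr, wildcard, host):
    """True if a packet address falls under an access-list entry."""
    a, w = _to_ints(entry_addr, wildcard)
    h = int(ipaddress.IPv4Address(host))
    return (a & ~w) == (h & ~w)


def is_contiguous(wildcard):
    """True for a conventional inverse netmask (0...01...1), False for a
    discontiguous wildcard such as 0.0.135.255."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def merge_prefixes(prefixes):
    """Cover equal-length prefixes with ONE address/wildcard line, if exact.

    The wildcard is the host bits plus every bit position in which the
    network parts differ.  A single line admits 2**popcount(wildcard)
    addresses, so it is only an exact replacement when the input supplies
    every combination of the differing bits; otherwise None is returned
    rather than a line that would silently permit extra networks.
    """
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    if not nets:
        return None
    plen = nets[0].prefixlen
    if any(n.prefixlen != plen for n in nets):
        return None
    host_mask = (1 << (32 - plen)) - 1
    base = int(nets[0].network_address)
    diff = 0
    for n in nets:
        diff |= base ^ int(n.network_address)
    wildcard = host_mask | diff
    distinct = {int(n.network_address) for n in nets}
    if len(distinct) != 1 << bin(diff).count("1"):
        return None  # the line would also admit networks not in the input
    return (str(ipaddress.IPv4Address(base & ~wildcard)),
            str(ipaddress.IPv4Address(wildcard)))


if __name__ == "__main__":
    # The entry from the quoted message, before and after IOS normalizes it.
    print(normalize("141.120.128.0", "0.0.135.255"))          # 141.120.0.0
    print(matches("141.120.0.0", "0.0.135.255", "141.120.130.7"))  # True
    print(matches("141.120.0.0", "0.0.135.255", "141.120.136.5"))  # False
    print(is_contiguous("0.0.135.255"))                        # False
    # Constructed sample prefixes: two /24s that differ in one bit merge,
    # three of them do not (the merged line would also cover 10.1.3.0/24).
    print(merge_prefixes(["10.1.0.0/24", "10.1.2.0/24"]))      # ('10.1.0.0', '0.0.2.255')
    print(merge_prefixes(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]))  # None
```

The refusal in merge_prefixes is the part worth keeping in mind when hand-writing discontiguous masks: a wildcard bit applies to every entry the line covers, so a mask that looks like it saves a few comparisons can quietly admit networks that were never meant to be permitted, and the normalized form IOS writes back gives no hint that this happened.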

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]