https://learningnetwork.cisco.com/s/question/0D53i00000KsxiuCAB/discontigous-wildcard-acls

months ago I try to understand the best way to config the discontigous wildcard for ACL, and I found simple way, check the link.

Thanks A Lot
MHM

Some observations, but unfortunately no solution. If you use extended acl on interfaces to control the http access there are multiple challenges:

- you must be careful not to impact transit traffic which uses the protocol.

- you must apply it on each interface which might receive the traffic.

- you must deal with the possibility that any interface on the device might be the destination so multiple lines in the acl.

The advantage of access-class is that there is no impact on transit traffic, you apply it once, and you don't need to specify destination address so the acl is more simple.

I wish I had some insight about discontiguous masking. It works with some acl using access-group. access-class is a different process and works quite differently so its treatment of discontiguous mask might be different.

What @Richard Burts describes - all true.

Concerning:

"you must deal with the possibility that any interface on the device might be the destination so multiple lines in the acl."

Sort of recreates the problem you're trying to avoid, i.e. multiple ACEs.

Concerning:

"I wish I had some insight about discontiguous masking. It works with some acl using access-group. access-class is a different process and works quite differently so its treatment of discontiguous mask might be different."

Both surprising and not surprising.  One would think a uniform methodology would be used for ACEs regardless of where used, but for likely good reasons (or old, but no longer good reasons), Cisco has different methodologies, and possible for other reasons, has decided to not merge to using just one methodology.

Joseph

The more that I think about it the less surprising it is. A acl is a tool and the tool can be used for multiple purposes: It might be used to filter traffic coming into or going out of a layer 3 device, it might be  used to control routing updates, it might be used to control NAT, it might be used to control access to management functions on the device. Each of those functions uses different (and independent) code to achieve different results and it is logical that they might treat the tool in different ways. There has been a recent discussion in the community about access-class and the fact that access-class does not care about the destination address and how that can produce a surprising result when you use the log parameter in the acl.

"The more that I think about it the less surprising it is."

Rick, laugh, surprise, perhaps like beauty, is in the eye of the beholder.  As my BSc in in software, and having been a software developer for several decades, I might have a slight different view on software components.

What you describe is entirely possible, but from my experience, software that's been in use, with on-going revisions, for decades, internally, can be, ah shall we say, interesting.

As an example, way back early in my career, my employer sent me to a week long "internals" class, for system programmers using IBM 370 systems.  During the course, as we reviewed various control structures that the OS used, some were noted as no longer being used, as having be superseded by newer structures.  So we asked, why are they still present?

The answer was, IBM wasn't sure they successfully migrated all other OS software components from using them, so they left them in place.

Or, at a fairly large bank, they had lost the source code for one of their major subroutines!  Well, how do I get that subroutine into my revised program that uses it?  You use the linkage editor, to pull the module out of the prior program's executable image, and insert it into your revised image. (Well I did learn something new, how to use the linkage editor to edit binary load images.  First and last time ever had to do that, though.)

I tell people, when you get into large scale software, it's not surprising there might be bugs, what's surprising it works at all.  ; )

So, for me, what's surprising is that an ACE mask doesn't work the same across these two functions, as I cannot see a reason why it shouldn't, but it's not surprising because software development can be like making sausage, it's often not a pretty sight.

Let me put in another way, every notice the quantity and/or quality of an Enterprise's network documentation can vary considerably, even when the actual networks are similar and work just as well?  Code "quality", and its supporting documentation, can very much be like that too.

Joseph

I do not disagree with anything that you have said here. In thinking about consistency in how things work I was struck with this: the OP says "It looks like IOS is just looking for the first binary 1 (a.k.a the "don't care bit") in the wildcard mask" which is exactly the behavior of masking used for the IP address. No discontiguous allowed.