The ip address mask is more hierarchical. The reason I think the strange mask works on the access list is that you are trying to accomplish different things. The mask on the ACL seems to allow for 10.0-255.10.100 to get through, which might be a valid list if you decided that on every net your so and so servers would always get a 10.x.10.100 address and you wanted to allow something to or from them...but I don't think that is your intent. You might get a better answer if you tell us what you are trying to do.

Buz

-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of Gert Doering
Sent: Friday, April 19, 2013 3:44
To: sky vader
Cc: [email protected]
Subject: Re: [c-nsp] subnet mask confusion?

Hi,

On Thu, Apr 18, 2013 at 10:21:17PM -0700, sky vader wrote:
> when using the following mask errors out as bad mask when used on an
> interface.
>
> labasa(config-if)# ip address 10.0.10.100 255.0.255.255
> ERROR: Bad mask 255.0.255.255 for address 10.0.1.100

This is no longer meaningful, and thus not allowed.

> works on an access-list,
>
> labasa(config-if)#access-list 101 extended permit ip any 10.0.10.150
> 255.0.255.255

This is not a netmask, but an "ignore these bits" wildcard mask (and particularly for normal networks, it's the *inverse* of the netmask, so to match everything inside a /24 you'd use 0.0.0.255 in the ACL).

> Just wondering what am I missing?

Interface config needs to build a strictly hierarchical "longest match first" routing structure, so the netmask needs to be left-contiguous (nowadays, IOS 9 or 10 still permitted discontiguous netmasks). ACLs match by clearing ignore bits and then comparing with the given address, which can operate on any bits in the ACL mask.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
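
Added example, not part of the thread or of any Cisco code: a Python sketch of the two checks discussed above, the left-contiguous test an interface netmask must pass and the "clear the ignore bits, then compare" ACL match. It also evaluates 255.0.255.255 under both readings that appear in the thread (1 bits ignored, as in Gert's reply, and 1 bits compared, as in Buz's reply). Function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_left_contiguous(mask):
    """True if the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~to_int(mask) & MASK32
    # Inverting a contiguous netmask gives 2**k - 1, and x & (x + 1) == 0
    # holds exactly for numbers of that form.
    return (inverted & (inverted + 1)) == 0


def acl_match_wildcard(addr, acl_addr, mask):
    """Wildcard reading: 1 bits in the mask are ignored, 0 bits are compared."""
    care = ~to_int(mask) & MASK32
    return (to_int(addr) & care) == (to_int(acl_addr) & care)


def acl_match_netmask_style(addr, acl_addr, mask):
    """Netmask-style reading: 1 bits in the mask are compared, 0 bits ignored."""
    care = to_int(mask)
    return (to_int(addr) & care) == (to_int(acl_addr) & care)


def compare_readings(acl_addr, mask, samples):
    """Return (address, wildcard_result, netmask_style_result) per sample."""
    return [(a,
             acl_match_wildcard(a, acl_addr, mask),
             acl_match_netmask_style(a, acl_addr, mask)) for a in samples]


if __name__ == "__main__":
    for m in ("255.255.255.0", "255.0.255.255"):
        print(f"{m:<16} left-contiguous: {is_left_contiguous(m)}")
    # Constructed sample destinations tested against the ACL entry in the thread.
    samples = ["10.7.10.150", "10.0.10.151", "192.0.2.1", "10.0.10.150"]
    print(f"{'address':<14}{'wildcard':<10}netmask-style")
    for a, w, n in compare_readings("10.0.10.150", "255.0.255.255", samples):
        print(f"{a:<14}{str(w):<10}{n}")
```

Under the wildcard reading only the second octet is compared, so any address with a second octet of 0 matches; under the netmask-style reading the first, third and fourth octets are compared, which gives the 10.x.10.150 pattern.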
