[c-nsp] subnet mask confusion?

Harold 'Buz' Dale buz.dale at usg.edu
Fri Apr 19 09:03:42 EDT 2013

The ip address mask is more hierarchical.  The reason I think the strange mask works on the access list is that you are trying to accomplish different things.  
The mask on the ACL seems to allow for 10.0-255.10.100 to get through, which might be a valid list if you decided that on every net your so and so servers would always get a 10.x.10.100 address and you wanted to allow something to or from them...but I don't think that is your intent.
You might get a better answer if you tell us what you are trying to do. 

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Friday, April 19, 2013 3:44
To: sky vader
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] subnet mask confusion?


On Thu, Apr 18, 2013 at 10:21:17PM -0700, sky vader wrote:
> when using the following mask errors out as bad mask when used on an 
> interface.
> labasa(config-if)# ip address
> ERROR: Bad mask for address

This is no longer meaningful, and thus not allowed.

> works on an access-list,
> labasa(config-if)#access-list 101 extended permit ip any

This is not a netmask, but a "ignore these bits" wildcard mask (and particularily for normal networks, it's the *inverse* of the netmask, so to match everything inside a /24 you'd use in the ACL).

> Just wondering what am I missing?

Interface config needs to build a strictly hierarchical "longest match first" routing structure, so the netmask needs to be left-contiguous (nowadays, IOS 9 or 10 still permitted discontiguous netmasks).

ACLs match by clearing ignore bits and then comparing with the given address, which can operate on any bits in the ACL mask.


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

More information about the cisco-nsp mailing list