Believe it or not, I did once see (a bug) where the OS didn't allow a
zero in a byte of the host portion of the IP address, even though the
*total* host portion was not zero!! (I can't remember which OS, though
-- I'm thinking an early HP-UX, but possibly Windoze).

E.g., something like,
    10.10.10.10 / 16   was valid
but 10.10.10.0 / 16   was *invalid* !

However, this was just in assigning the address -- i.e., it wouldn't
even let me assign it to the interface.


I don't see how this could affect you, though.

>I believe that the problem lies with the zero being used as a third
>octet

ACLs don't have any intelligence.
They don't care about broadcast addresses, subnet masks, DOS or hack
attacks, or anything -- just simple bit matching.
The only intelligence involved is in the ACL's creator :)

Thus

    access-list 1  permit  host 10.130.0.24
      ...
    ip access-group 1 in

should allow in *only* traffic from that host (assuming that there *is*
any) -- of course that may not be what you *really* want ;>)
The ACL doesn't care about any value of any byte in that address -- he
only matches bits (of course, in this case, the statement told him to
*care* about *every* bit, however :)

More specifically,

    ! /12 (mask 255.240.0.0) inverts to the wildcard 0.15.255.255
    access-list 101  permit tcp  10.130.0.24  0.0.0.0        any eq telnet
    access-list 101  deny   ip   10.130.0.0   0.15.255.255   any
    access-list 101  permit ip   any any

would
  permit telnet in from that host,
  deny all other ip traffic from the 10.128.0.0 /12 subnet
  permit all other traffic

Of course, it all depends on the details of what you're trying to do.

What's the exact problem?
Is it that *no* traffic is blocked or is it that that host is blocked,
even though you think that you've let it thru?
Let's see the ACLs.

-------------------------------------------------
Tks        | <mailto:[EMAIL PROTECTED]>
BV         | <mailto:[EMAIL PROTECTED]>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================
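As an added example (not from the reply above, and not Cisco's code), a small Python model of the wildcard-mask bit matching the reply describes, run over the three-line access-list 101. It assumes the /12 wildcard 0.15.255.255, the implicit deny at the end of every IOS access list, and constructed sample packets; it also shows the prefix-length to wildcard conversion the reply leaves implicit.

```python
import ipaddress

# Constructed ACL mirroring the three-line access-list 101 in the reply.
# Entry: (action, protocol, source base, source wildcard, dest port or None).
# Assumes the /12 wildcard 0.15.255.255 (255.240.0.0 inverted).
ACL_101 = [
    ("permit", "tcp", "10.130.0.24", "0.0.0.0",         23),    # telnet from that host
    ("deny",   "ip",  "10.130.0.0",  "0.15.255.255",    None),  # rest of 10.128.0.0/12
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", None),  # "any"
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is don't-care. Nothing else about the address is inspected."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Prefix length to the wildcard IOS expects (e.g. /12 -> 0.15.255.255)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def evaluate(acl, src: str, proto: str, dst_port=None) -> str:
    """Walk the entries top-down; first match wins; unmatched traffic hits the
    implicit deny at the end of every IOS access list."""
    for action, aproto, base, wc, port in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not wildcard_match(src, base, wc):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets; a zero in the third octet changes nothing.
    for src, proto, port in [("10.130.0.24", "tcp", 23), ("10.130.0.24", "icmp", None),
                             ("10.130.1.24", "tcp", 23), ("10.144.0.1", "tcp", 80)]:
        print(src, proto, port, "->", evaluate(ACL_101, src, proto, port))
```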





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Randy Witt
Sent: Wednesday, January 31, 2001 8:58 AM
To: <
Subject: Zero for a host address


Have an issue, hope many of you don't feel this is too off topic.  Many of
you have helped me in the past with certification questions, perhaps you
can assist with this one as well.

I am trying to establish a connection to the City of Greenville's
network.  What should be a simple connection is giving me fits.

I'm currently using 2 Cisco 1601 routers, routing RIPv2.  From my
network to the city's, I pass through a total of 5 routers (2 are mine, 3
belong to the city).  Currently I can communicate with each router and
vice versa via Telnet or ping.  However, the city of Greenville's network
has the following IP address 10.128.0.0/12 (or 255.240.0.0).  The
interface attached to the city of Greenville's network is 10.130.0.1/12.
Everything within this network has a 3rd octet of zero.

Originally, from his network he could not ping us, however I could ping
him (him being the net admin using a PC with an address of
10.130.0.24/12).  I added a default route on one of my Ciscos pointing
back to his network and that problem went away.  Now I'm trying to add
an ACL on our router blocking all but Telnet traffic coming from a host
on his network to a host within our network.  In testing I can get the
ACLs to work for every system except one on the 10.128.0.0 subnet.  By
work I mean on the networks in between my network and the city's I can
set up ICMP or Telnet ACLs permitting traffic and they can get in.  This
was done for testing purposes only.  My goal is to lock everyone out but
the host w/ an IP address of 10.130.0.24/12.

I believe that the problem lies with the zero being used as a third
octet.  However I've seen Cisco documentation using zeros as host
addresses.  I'm a bit confused for I've found plenty of documentation
stating that zeros in the network/subnet address aren't recommended,
however I can find nothing stating zeros in the "host" portion aren't
recommended.

Any ideas?  Has anyone come across a problem like this before?

Simple answer would be to tell the city of Greenville to remove the zero
in the third octet and replace it with a one or higher.  The answer from
them is that it would be too much trouble.  This is their default
gateway for over 450 machines.  So I'm looking for help to see if there's
anything else I can try.

Thanks for any and all advice,
rtw


_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
