Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
I have always avoided .0 and .255 as well, however a few months back I noticed that Amazon ec2 is assigning .0 addresses to servers. My own personal VPS has a .0 public elastic/static IP and seems to work fine. I figure that if they're using .0 at their large scale, surely it can't be too bad. I have since begun using .0 again within my network and haven't run into an issue yet. I don't know that I've specifically used it as a loopback on a router though.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
Hi,

been using .0 and .255 addresses (in the proper class-less places e.g. in middle of a /23) for years now. any kit or system that cannot handle such addresses as being client/end-station addresses should be dumped onto the recycling pile and got rid of (it's likely that such kit cannot do IPv6 either.)

alan

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
And returned for full credit and msrp.

Jared Mauch

On Jan 6, 2012, at 3:11 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> been using .0 and .255 addresses (in the proper class-less places e.g. in middle of a /23) for years now. any kit or system that cannot handle such addresses as being client/end-station addresses should be dumped onto the recycling pile and got rid of (it's likely that such kit cannot do IPv6 either.)
>
> alan

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On Sat, 31 Dec 2011, Eric Rosenberry wrote:

> Under that logic, the .254 IP on the other router is also the broadcast address since it is in a /32 subnet as well...

For laughs I tried to use the highest and lowest address of a class B network as loopback addresses. Some stuff will not work if you choose the highest or lowest address of a classful network, in your case class C.

Either you start logging cases against this so they fix the code, or if you value your time, don't use these addresses (.0.0 and .255.255 on 128.0.0.0-191.255.255.255 and .0 and .255 of 192.0.0.0-223.255.255.255). I would imagine the same problem exists with .0.0.0 and .255.255.255 in class A space.

--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
Hi

For security reasons (Smurf attacks ...) IP packets with destination of classful broadcast may be filtered by your upstream security devices if any.

Mohamed

On 1 January 2012 10:05, Mikael Abrahamsson swm...@swm.pp.se wrote:

> On Sat, 31 Dec 2011, Eric Rosenberry wrote:
>
>> Under that logic, the .254 IP on the other router is also the broadcast address since it is in a /32 subnet as well...
>
> For laughs I tried to use the highest and lowest address of a class B network as loopback addresses. Some stuff will not work if you choose the highest or lowest address of a classful network, in your case class C.
>
> Either you start logging cases against this so they fix the code, or if you value your time, don't use these addresses (.0.0 and .255.255 on 128.0.0.0-191.255.255.255 and .0 and .255 of 192.0.0.0-223.255.255.255). I would imagine the same problem exists with .0.0.0 and .255.255.255 in class A space.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se

--
Mohamed Touré
06 38 62 99 07

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On 01/01/2012, at 4:33 PM, Eric Rosenberry wrote:

> When pinging the loopback IP's of these devices from the Internet, one responds as expected (from the IP of the loopback), and the other (.255) responds from a *different* IP address (one of its interface IP's rather than the loopback IP).

Yep, ran into this one a few years ago. It's not just ping, SNMP does it too.

TAC support request tool is offline at the moment, so I can't look up the bug ID, but we eventually just made a rule to never use .255/32 for loopbacks (along with .0/31 and .254/31 to avoid Windows users complaining about failed traceroutes…).

Rgds,

- I.

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On Sun, 1 Jan 2012, Mohamed Touré wrote:

> For security reasons (Smurf attacks ...) IP packets with destination of classful broadcast may be filtered by your upstream security devices if any.

There were none of those involved in this.

--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On Sun, 1 Jan 2012, Mikael Abrahamsson wrote:

> On Sun, 1 Jan 2012, Mohamed Touré wrote:
>
>> For security reasons (Smurf attacks ...) IP packets with destination of classful broadcast may be filtered by your upstream security devices if any.
>
> There were none of those involved in this.

Having seen IOS versions that refused to forward traffic for .255 destinations, when the .255 was in the IGP as a /32 (even with ip classless in the config), I've since avoided using .0 or .255 addresses. It seems classful routing may be dead, but not entirely forgotten.

--
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On Sat, Dec 31, 2011 at 09:33:19PM -0800, Eric Rosenberry wrote:

> I am scratching my head here wondering if I have run into a Cisco bug, or somehow intended weird behavior...

Bug. I encountered less of them with foo.0/32 than foo.255/32, but an uphill battle to them to DTRT.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG

[c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
I am scratching my head here wondering if I have run into a Cisco bug, or somehow intended weird behavior...

I set the loopback IP's for a pair of 6500's (Sup720-3CXL's) to adjacent IP's and have *identical* config's on them (sans their interface and loopback IP's). One of them is 216.x.x.254 and the other is 216.x.x.255.

When pinging the loopback IP's of these devices from the Internet, one responds as expected (from the IP of the loopback), and the other (.255) responds from a *different* IP address (one of its interface IP's rather than the loopback IP).

I am guessing there is some different code path being exercised here because .255 is normally the broadcast address in classful networking? Somehow the router trying to avoid directed broadcast or something?

I am running code rev: 12.2(33)SXI3

ip classless is enabled.

Any thoughts?

P.S. Changing the router that is .255 to .253 makes it work as expected. I am probably just going to make 216.x.x.252/30 into a routing subnet and move the routers back to .250 and .251...

-Eric

--
*Eric Rosenberry*
Sr. Infrastructure Architect // Chief Bit Plumber
Direct: 503.943.6763
Mobile: 503.348.3625 // XMPP: eric.rosenbe...@iovation.com
*www.iovation.com* http://www.iovation.com

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On 12/31/11 9:33 PM, Eric Rosenberry wrote:

> I am scratching my head here wondering if I have run into a Cisco bug, or somehow intended weird behavior...
>
> I set the loopback IP's for a pair of 6500's (Sup720-3CXL's) to adjacent IP's and have *identical* config's on them (sans their interface and loopback IP's). One of them is 216.x.x.254 and the other is 216.x.x.255.

If the mask of 216.x.x is /24 or longer, then .255 will be a broadcast address and the ping response will be from one or more host addresses on the subnet.

If the second x of 216.x.x is odd, then the same issue will pertain to shorter masks, binary math will tell you which.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

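Added example, not part of any message in this thread: a Python sketch of the "binary math" mentioned above, together with a check for the highest and lowest classful addresses that other posters report as troublesome. Function names and sample addresses are constructed for illustration; the class A range is the standard one, which the thread does not spell out.

```python
import ipaddress

def classful_prefix(addr):
    """Classful mask length from the first octet (B and C ranges as quoted in the thread)."""
    first = int(addr) >> 24
    if first < 128:
        return 8      # class A (assumption: standard range, not spelled out in the thread)
    if first < 192:
        return 16     # class B: 128.0.0.0-191.255.255.255
    if first < 224:
        return 24     # class C: 192.0.0.0-223.255.255.255
    return None       # class D/E: no classful host networks

def classful_edge(ip):
    """Return 'network' or 'broadcast' if ip is the lowest/highest address of its classful net."""
    addr = ipaddress.IPv4Address(ip)
    plen = classful_prefix(addr)
    if plen is None:
        return None
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return None

def shortest_broadcast_mask(ip):
    """Shortest prefix length for which ip is the subnet broadcast, else None."""
    n = int(ipaddress.IPv4Address(ip))
    ones = 0
    while ones < 32 and n & 1:   # count trailing one bits
        ones += 1
        n >>= 1
    # /31 and /32 have no broadcast address, so at least two host bits are needed.
    return 32 - ones if ones >= 2 else None

def audit(loopbacks):
    """Map each candidate /32 loopback to (classful_edge, shortest_broadcast_mask)."""
    return {ip: (classful_edge(ip), shortest_broadcast_mask(ip)) for ip in loopbacks}

# Constructed sample addresses (documentation and private ranges), not from the thread.
SAMPLE = ["192.0.2.254", "192.0.2.255", "192.0.2.0", "172.16.255.255", "10.1.3.255"]

if __name__ == "__main__":
    for ip, (edge, mask) in audit(SAMPLE).items():
        span = f"/{mask} through /30" if mask else "never"
        print(f"{ip:<16} classful edge: {edge}; subnet broadcast for: {span}")
```

An address with a `classful_edge` result is one of the addresses the thread recommends keeping off loopbacks; the mask result shows that an odd third octet (10.1.3.255) makes the address a broadcast for masks shorter than /24.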
Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
inline...

On Sat, Dec 31, 2011 at 9:57 PM, Jay Hennigan j...@west.net wrote:

> If the mask of 216.x.x is /24 or longer, then .255 will be a broadcast address and the ping response will be from one or more host addresses on the subnet.
>
> If the second x of 216.x.x is odd, then the same issue will pertain to shorter masks, binary math will tell you which.

But in this case these single IP's are bound to the loopback interface on the router with a /32 (255.255.255.255) subnet mask... The router should know that it's the only IP on the netblock and not treat it as a normal subnet with a broadcast address...

Under that logic, the .254 IP on the other router is also the broadcast address since it is in a /32 subnet as well...

--
*Eric Rosenberry*
Sr. Infrastructure Architect // Chief Bit Plumber
Direct: 503.943.6763
Mobile: 503.348.3625 // XMPP: eric.rosenbe...@iovation.com
*www.iovation.com* http://www.iovation.com