Zero for a host address

2001-01-31 Thread Randy Witt

Have an issue, hope many of you don't feel this is too off topic.  Many of
you have helped me in the past with certification questions, perhaps you
can assist with this one as well.

I am trying to establish a connection to the City of Greenville's network.
What should be a simple connection is giving me fits.

I'm currently using 2 Cisco 1601 routers, routing RIPv2.  From my network
to the city's, I pass through a total of 5 routers (2 are mine, 3 belong
to the city).  Currently I can communicate with each router and vice versa
via Telnet or ping.  However, the city of Greenville's network has the
following IP address 10.128.0.0/12 (or 255.240.0.0).  The interface
attached to the city of Greenville's network is 10.130.0.1/12.  Everything
within this network has a 3rd octet of zero.

Originally, from his network he could not ping us, however I could ping
him (him being the net admin using a PC with an address of 10.130.0.24/12).
I added a default route on one of my Ciscos pointing back to his
network and that problem went away.  Now I'm trying to add an ACL on our
router blocking all but Telnet traffic coming from a host on his network
to a host within our network.  In testing I can get the ACLs to work for
every system except one on the 10.128.0.0 subnet.  By work I mean on the
networks in between my network and the city's I can set up ICMP or Telnet
ACLs permitting traffic and they can get in.  This was done for testing
purposes only.  My goal is to lock everyone out but the host w/ an IP
address of 10.130.0.24/12.

I believe that the problem lies with the zero being used as a third octet.
However I've seen Cisco documentation using zeros as host addresses.
I'm a bit confused for I've found plenty of documentation stating that
zeros in the network/subnet address aren't recommended, however I can
find nothing stating zeros in the "host" portion aren't recommended.

Any ideas?  Has anyone come across a problem like this before?

Simple answer would be to tell the city of Greenville to remove the zero
in the third octet and replace it with a one or higher.  The answer from
them is that it would be too much trouble.  This is their default gateway
for over 450 machines.  So I'm looking for help to see if there's anything
else I can try.

Thanks for any and all advice,
rtw


RE: Zero for a host address

2001-01-31 Thread Bob Vance

Believe it or not, I did once see (a bug) where the OS didn't allow a
zero in a byte of the host portion of the IP address, even though the
*total* host portion was not zero!! (I can't remember which OS, though
-- I'm thinking an early HP-UX, but possibly Windoze).

E.g., something like,
10.10.10.10 / 16   was valid
but 10.10.10.0 / 16   was *invalid* !

However, this was just in assigning the address -- i.e., it wouldn't
even let me assign it to the interface.


I don't see how this could affect you, though.

> I believe that the problem lies with the zero being used as a third
> octet

ACLs don't have any intelligence.
They don't care about broadcast addresses, subnet masks, DOS or hack
attacks, or anything -- just simple bit matching.
The only intelligence involved is in the ACL's creator :)

Thus

access-list 1  permit  host 10.130.0.24
  ...
ip access-group 1 in

should allow in *only* traffic from that host (assuming that there *is*
any) -- of course that may not be what you *really* want ;)
The ACL doesn't care about any value of any byte in that address -- he
only matches bits (of course, in this case, the statement told him to
*care* about *every* bit, however :)

More specifically,

! wildcard 0.15.255.255 is the bitwise inverse of the /12 mask 255.240.0.0
access-list 101  permit tcp  10.130.0.24  0.0.0.0 any eq telnet
access-list 101  deny   ip   10.128.0.0   0.15.255.255  any
access-list 101  permit ip   any any

would
  permit telnet in from that host,
  deny all other ip traffic from the 10.128.0.0 /12 subnet
  permit all other traffic

Of course, it all depends on the details of what you're trying to do.

What's the exact problem?
Is it that *no* traffic is blocked or is it that that host is blocked,
even though you think that you've let it thru?
Let's see the ACLs.

-
Tks        | mailto:[EMAIL PROTECTED]
BV     | mailto:[EMAIL PROTECTED]
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
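
An added example, not part of the thread or of any poster's message: a small Python model of the wildcard bit matching and first-match evaluation described in the reply above, applied to list 101. The function names and the sample packets are constructed for illustration; the wildcard for the /12 is derived by inverting 255.240.0.0, and 0.143.255.255 is included only as a wildcard that is not the exact inverse of that mask.

```python
import ipaddress

TELNET = 23

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_mask(mask):
    """Invert a subnet mask: 255.240.0.0 -> 0.15.255.255."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))

def wc_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard marks 'care' (0)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

# Model of extended list 101: (action, protocol, source, wildcard, dest port).
# The destination is "any" in every entry, so it is not modelled.
ACL_101 = [
    ("permit", "tcp", "10.130.0.24", "0.0.0.0", TELNET),
    ("deny", "ip", "10.128.0.0", wildcard_from_mask("255.240.0.0"), None),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto, src, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, a_proto, base, wildcard, a_port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue  # "ip" covers every protocol; otherwise it must be equal
        if a_port is not None and a_port != dport:
            continue
        if wc_match(src, base, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination port).
    samples = [("tcp", "10.130.0.24", 23), ("icmp", "10.130.0.24", None),
               ("tcp", "10.130.0.1", 23), ("tcp", "10.2.0.5", 80)]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_101, *pkt))
    # An extra don't-care bit in the second octet also matches 10.0.0.0/12.
    for wc in ("0.15.255.255", "0.143.255.255"):
        print(wc, "matches 10.2.0.5:", wc_match("10.2.0.5", "10.128.0.0", wc))
```

The zero octets in 10.130.0.24 play no special role in any comparison; only the care bits selected by the wildcard decide the match.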

Re: Zero for a host address

2001-01-31 Thread Neil Schneider

The zero in the third octet is fine.

--
Neil Schneider
MCT  MCSE  CCNP


""Randy Witt"" [EMAIL PROTECTED] wrote in message
news:sa7847cf.076@INETMAIL...
 _
 FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
 Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


