Will ISP Use of 10.0.0.0 Addresses Cause Problems?
"The setup is a small network, 6 PCs and one server. The server has Microsoft Small Business Server 4.5 (Proxy Server) loaded. Intermittently the PCs would lose connection to the server and start broadcasting for a master browser re-election. These requests were logged in the server event log. We also found that sometimes the subnet masks of the PCs would change from 255.255.255.0 to 255.0.0.0. The server acts as the DHCP server and the PCs were using DHCP. Rebooting the server would fix the problem for a time, maybe 10 minutes, maybe a day. Sometimes the problem would go away without rebooting the server. The network was 10.0.0.0 with subnet 255.255.255.0.
I found that the problem was caused by the dial-up networking connection to the ISP. One of the ISP's servers is configured to use the Class A 10.0.0.0 addresses and network address translation; the others use real IP addresses. The problem was intermittent because it would just depend on which of the ISP servers we happened to connect through. I resolved the problem by changing the internal network to 192.168.0.0."
Re:It could be worse... (Score:1)
Re:Use 192.168 not 10 net, the 10 won't summarize (Score:1)
Doubtful (Score:1)
I consider this to be a good practice. (Networking gurus, feel free to disagree.) The network in question doesn't need to be accessible from the outside world, and it didn't confuse my Cisco router.
Now, since you're dealing with Microsoft software, all bets are off...
It's Windows, what do you expect (Score:1)
We have a 16 bit subnet mask (255.255.0.0) with 10.x.x.x addresses for our offices. Our VPN server is Linux, hands out IPs and all. Our Windows clients assume that everything 10.x.x.x is on the other end of the tunnel... this has really caused minor problems with Win2k RRAS at one office, but otherwise, it's not really a problem; it's kind of a feature.
I personally see no problems with the use of 10.x.x.x addresses with Windows, but if you're using 10.x.x.x addresses on two sides, I'd say be prepared for problems. From experience, I would prefer to use anything but Windows for routing data. I think Linux 2.4 might be interesting to see on routers, but I have not the time to see. Windows is a very poor choice for routing data.
Re:Don't use 10.x.x.x (Score:1)
You don't have many problems as long as you're subnetted, and you're not in the same subnet at two locations.
It becomes stupid when people do 10.0.0.0/8, which not many do anyway. Most people use 192.168.0.0/24 or 192.168.1.0/24 anyway.
Re:It's Windows, what do you expect (Score:1)
how to fix this (Score:1)
2. Deny outbound or inbound 10.x.x.x connections at your firewall machine. This will filter out inside and outside traffic and separate the 10.x.x.x addresses. Consult your firewall for deny rules.
Two possible problems... (Score:1)
Second, you may have an overlap with static and dynamic IP addresses. If you are assigned an IP address by your DHCP server that is already taken by another computer then it is only a matter of time before you run into a problem like the one you described. Changing your IP subnet may have temporarily fixed the problem because no one has assigned a static IP address from your DHCP pool. Yet.
It is unlikely that using the 10.x.x.x subnet itself (other than the problems I have described above) has had anything to do with the failures. It is very common to use it for internal networking. I won't get into a debate as to whether it is good practice or not.
Re:Correct Private IP Blocks (Score:2)
Don't use 10.x.x.x (Score:3)
If you only have a small network, or a group of small networks, use the 192.168. addresses. This is what the RFC recommends. Yes, I know 10.x.x.x is easier to remember, but it will cause you problems down the road, since everyone thinks they should use it.
Why? You might say, "They are both reserved addresses - why would one have any trouble?" Technically, you are correct. However, the problems come when two private networks connect to each other (you and your friend set up a VPN, your ISP does something like you describe, two companies merge).
To avoid these problems MOST of the time, pick a random number between 0 and 255. Use a net address of 192.168.. Chances are this won't conflict with someone else's network when you merge your networks.
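An added example (not from the post) of the check you would run before joining two private networks: it confirms each prefix really is RFC1918 and reports overlaps between sites. The site names and prefixes are constructed.

```python
import ipaddress
from itertools import combinations

# The three RFC1918 blocks (quoted further down the thread).
RFC1918 = [ipaddress.ip_network(b) for b in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(prefix):
    """True only if the whole prefix sits inside one RFC1918 block.
    A prefix wider than the block (e.g. 172.16.0.0/11) spills into
    public space and is therefore rejected."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def merge_conflicts(sites):
    """Given {site_name: [prefixes]}, return every cross-site pair of
    prefixes that overlap, i.e. the pairs that collide when the sites
    are joined by a VPN, an ISP link or a merger."""
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(sites.items(), 2):
        for pa in nets_a:
            for pb in nets_b:
                na = ipaddress.ip_network(pa, strict=False)
                nb = ipaddress.ip_network(pb, strict=False)
                if na.overlaps(nb):
                    conflicts.append((a, pa, b, pb))
    return conflicts

# Constructed sample: one site grabbed all of 10/8, another took the
# "obvious" 10.0.0.0/24, a third picked an arbitrary 192.168.n.0/24.
SITES = {
    "hq": ["10.0.0.0/8"],
    "branch": ["10.0.0.0/24"],
    "friend": ["192.168.37.0/24"],
}

if __name__ == "__main__":
    for a, pa, b, pb in merge_conflicts(SITES):
        print(f"conflict: {a} {pa} overlaps {b} {pb}")
```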
Re:Don't use a quad of zero! (Score:2)
*Any* equipment that doesn't support subnet 0, or the classful-broadcast subnet (e.g. 10.255.255.0/24) is broken - there should be no reason not to use these. Of course, if you *know* you have broken equipment, not using them is wise.
Regards,
Tim.
Re:Don't use a quad of zero! (Score:2)
Mostly those IP stacks went away in the early 90s, but NT 3 was broken, and the mantra of subnet zero lingers on with MCSEs, who may find themselves still working on 3.51 systems. Old SunOS IP stacks, fixed in 1988, didn't like subnet zero as well. And I've seen other broken implementations from time to time, but not on PC/workstation equipment. Even the BSD stack choked, in my distant memory, but was fixed aeons ago.
Cisco used to have "no ip subnet-zero" by default, until 12.0 changed it, meant more as a warning to the network admin to take care about broken stacks. ip subnet-zero and its evil twin, ip classless are two of the most common commands any CCIE enters into a new config. Now in 12.0, Cisco believes that there are now few enough NT 3 machines in existence to change the defaults to something reasonable.
I tend to use 10.1.1.0/24 for most of my small networks, it's easy to type, easy to remember, and isn't going to break any kit.
[ObOnTopicSection]
ISPs regularly use the RFC1918 addresses internally to keep costs down. Many interfaces internal to an ISP never need to be addressed individually from or to the internet. Management ports, internal point-to-point links, loopback addresses for routing purposes, DSLAMs and DSL routers, and cable modems can all be safely hidden. The traffic to these devices is for internal routing, and is easily non-routed at the limits of the ISP's traffic. Most every ISP I've looked at uses private addresses internally, it saves money and limits skiddies from gaining access too easily to certain things.
An ISP should never present a "private" IP address to a client, it would tend to break things, as Brad found out. This shows the ISP is either clueless, or has run out of money to rent blocks of publicly addressable IP addresses. Possibly a combination of both. It could also be that their upstream providers can't deal with any more split, non-aggregable ranges of addresses, and they are stuck until they can migrate to a single larger chunk of space. Go read NANOG for various horror stories.
the AC
Re:Don't use a quad of zero! (Score:3)
Note that the quad boundary only matters if you are using subnets in octet size; the Ciscos don't like any subnet with a subnet address of zero. For example:
Suppose your ISP assigns you a chunk of 256 routable IP addresses, say 123.45.67.0/24. You decide you want to split this among four offices using private T1s between your Cisco routers. You break them up this way: But the Ciscos in their default configuration will choke on this; they don't like the top one because its subnet address is all zeros (or, IIRC, the bottom one because it is all ones). The especially ridiculous case is if you try to split the net in half (e.g., 123.45.67.0/25); in that case my recollection is that it won't allow use of either subnet. In this case, the "ip subnet-zero" instruction is vital.
Caveat: It's been a few years since I had to beat a Cisco into submission. But a quick search on the net suggests that things are still the same.
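The four-office split described above, as an added example (not the poster's code): it carves the /24 and marks the two subnets the post says a default Cisco configuration refused, the subnet-zero one and the all-ones one. The prefix 123.45.67.0/24 is the post's; the behaviour modelled is only what the post describes.

```python
import ipaddress

def split_and_flag(parent, new_prefix):
    """Carve `parent` into equal subnets of length `new_prefix`, tagging
    the first (subnet bits all zeros, 'subnet-zero') and the last
    (subnet bits all ones, 'all-ones'); the rest get None."""
    parent = ipaddress.ip_network(parent)
    subnets = list(parent.subnets(new_prefix=new_prefix))
    flagged = []
    for i, net in enumerate(subnets):
        if i == 0:
            flag = "subnet-zero"
        elif i == len(subnets) - 1:
            flag = "all-ones"
        else:
            flag = None
        flagged.append((str(net), flag))
    return flagged

def usable_without_subnet_zero(parent, new_prefix):
    """The subnets left over if both flagged ones must be avoided."""
    return [net for net, flag in split_and_flag(parent, new_prefix)
            if flag is None]

if __name__ == "__main__":
    # One /24 into four /26s: two of the four are flagged.
    for net, flag in split_and_flag("123.45.67.0/24", 26):
        print(net, flag or "ok")
    # Splitting in half leaves nothing that avoids both flags.
    print(usable_without_subnet_zero("123.45.67.0/24", 25))  # []
```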
Reframing the problem (Score:2)
No customer facing server should be in the reserved addresses range; if that server has additional interfaces to the internal LAN, that information should not be propagated outside of the ISP's internal servers (even if this isn't in the protected LAN ranges, it is still a bad idea to give customers internal structure info they don't need, if only from a security standpoint).
Re:Reframing the problem (Score:2)
Using the RFC reserved addresses on your LAN is ok - and indeed what they were designed for. But you had better hide those addresses behind a valid IP address or two with NAT/masq before letting them out onto the global net.
There is no reason not to do this as an ISP - assume (for example) a load-balanced mail server; front end router (with valid IP address) assigns you to one of ten 192.168.15.x servers transparently - remembering which one it gave you so that all your packets to router:110 go to the same mail server. It should rewrite the reply so it looks like it came from the router, but might get away without doing so. However, an attempt to connect to port 80 on that IP address will take you to a different machine again (say one of three web servers) and a ping/traceroute will do whatever the ISP has defined it as doing.
Wrong? (Score:4)
10.0.0.0/8 -- You got that one right.
172.16.0.0/12 -- That's right, too
You messed up on the other one, though. It's 192.168.0.0/16. That's right, the full 192.168.0.0 - 192.168.255.255 range is open.
Ref: RFC1918 [faqs.org]
reboot (Score:2)
I had a daughter who I caught smoking, so I killed her and had another one. Problem solved.
Re:RFC schmarFC (Score:1)
Ever hear of multicast IP? It uses 224.0.0.0 up to 239.255.255.255
J
Re:Reframing the problem (Score:1)
Routing (Score:1)
Re:Correct Private IP Blocks (Score:2)
Re:Don't use 10.x.x.x (Score:1)
A chunk.
10.0.n.0/24 where n is some number that you choose. That makes setting up a VPN trivial as long as the other person hasn't done anything really dumb.
It's also what I plan to transition my internal network (all 3 machines) to very soon.
-Steve
Re:RFC schmarFC (Score:1)
With the RFC1918 numbers, you are guaranteed that they will not be used.
Other than that, go ahead and have fun. You can do whatever you like on your internal network man.
-Steve
Why use a 10.x.x.x? (Score:1)
A good class C 192.168.1.x will serve 255 clients... all you need is 6, why use a network that gives you thousands?
10.x.x.x MS does like to use 255.0.0.0 for that... you might consider switching that over too. If it's a Microsoft network you might as well make it happy, even if there is no compelling reason to do so.
The compelling reason could be your sanity!
Re:Correct Private IP Blocks (Score:1)
RIPv2 has more sophisticated support for route aggregation that CIDR allows for, but RIPv1 works fine (given that it's RIP, of course).
M$ OS's have worked properly with the 0 subnet for a LONG time, since at least mid-95, by the way, and this was BEFORE Cisco properly implemented 1812 (everyone seems stuck on 950).
Regards,
Brian in CA
The IP address range chosen... (Score:1)
Re:Don't use a quad of zero! (Score:1)
i think you're fumbling for the term "octet".
Re:Don't use 10.x.x.x (Score:2)
I can just imagine you sat there waving your hands trying to explain *why* this is the case... like oh so many market droids and salesmen 8-)
Why don't you run along and try selling some dental plans or something and leave the network engineering to the techies?
Regards,
Si
Correct Private IP Blocks (Score:1)
Re:Correct Private IP Blocks (Score:2)
RIPv1 has problems with (if I recall correctly) advertising routes not on an even octet boundary. I would have to look at the spec, but as far as I'm concerned you shouldn't use RIP at all in a "real" network. I cringe when I'm forced to use RIP to get link-state information from dialup hardware, but I think I've about got those eliminated from my network at least :)
Private addresses should be hidden. (Score:4)
These can be summarized as follows:
If packets from the IP address will never reach the public internet without it being re-written (NAT'd) to a public address, then it is ok.
Some ISPs think that it's ok to use RFC1918 addresses on their internal point-to-point links. It is not. The reason why is that many ISPs filter anything coming from or going to a RFC1918 address because they generally are bogus packets anyway. However, if the RFC1918 addresses are used on internet visible interfaces, this causes things to break.
A good example of this is MTU path discovery. Basically this works by sending a packet from point A to point B with the don't fragment bit set. If the packet reaches a router which can't handle a packet of that size, the router sends back an ICMP packet which basically tells the "discovering" machine that it couldn't forward the packet because it was too big for its MTU setting. If the IP address of the offending router's interface happens to be an RFC1918 address, then you might never see the ICMP back and as such you will have weird problems going on.
Note: This is also why you shouldn't just filter ICMP packets.
In the case above, it sounds like the ISP is using the 10.0.0.0 address internally. As they also had the customer using the 10.0.0.0 address range, this could get weird really fast.
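The path MTU discovery failure described in this post, modelled as an added example (not the poster's code): a DF-set probe walks a list of hops, the hop with the too-small link answers with ICMP, and an RFC1918 bogon filter at the edge decides whether that answer ever reaches the sender. The two paths and their addresses are constructed; the filter behaviour is the one the post describes.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(b) for b in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def bogon_filter_drops(src):
    """Model of the edge filter the post describes: any packet whose
    source is an RFC1918 address is discarded, ICMP included."""
    return any(ipaddress.ip_address(src) in block for block in RFC1918)

def pmtud_probe(path, size):
    """Send one DF-set packet of `size` bytes along `path`, a list of
    (router_interface_ip, mtu_of_next_link) hops in sender order.
    Returns None if it fits everywhere, else which hop would answer with
    ICMP 'fragmentation needed' and whether that answer gets back."""
    for hop_ip, link_mtu in path:
        if size > link_mtu:
            return {"hop": hop_ip, "mtu": link_mtu,
                    "icmp_reaches_sender": not bogon_filter_drops(hop_ip)}
    return None

def discover_pmtu(path, start=1500):
    """Iterate like a real sender: shrink to the advertised MTU on each
    ICMP received; give up (None) when the ICMP never arrives, which is
    the black hole the post warns about."""
    size = start
    while True:
        result = pmtud_probe(path, size)
        if result is None:
            return size
        if not result["icmp_reaches_sender"]:
            return None
        size = result["mtu"]

# Constructed paths: same topology, but the router in front of the narrow
# 1400-byte link is numbered from public space in one and from 10/8 in
# the other.
GOOD_PATH = [("203.0.113.1", 1500), ("198.51.100.1", 1400), ("198.51.100.9", 1500)]
BAD_PATH = [("203.0.113.1", 1500), ("10.9.8.1", 1400), ("198.51.100.9", 1500)]

if __name__ == "__main__":
    print("public hops:", discover_pmtu(GOOD_PATH))   # 1400
    print("RFC1918 hop:", discover_pmtu(BAD_PATH))    # None
```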
Don't use a quad of zero! (Score:5)
These were the words out of the mouth of an MCSE when I had set up an office environment with network 10. Because the office was rather large, I had thought to use 10.0.0.x/24 for the main office network and 10.0.1.x/24 for the lab. When DSL testing was to go in, the DSL and LAN lab would use 10.0.[234].x/24 for primary DSL, primary LAN, and secondary LAN.
I took the advice, and selected 10.1.[1234].0/24, and things worked swell.
This proved to be excellent advice when we started testing with Cisco router-access servers, because those things do NOT like a zero in any quad. With 10.1.1.0/24, though, everything worked great.
I now continue that practice, using 10.1.1.0/24 for any small private network I set up. Because the gateway to the Internet uses NAT, I'm not concerned about what the numbering is on the other side. In any case, every firewall is configured to not forward the private network addresses.
This works with NT, 2K, 98, 95, 3.1, and Linux. Not to mention BSD, Ascend, Cisco, USRobotics Total Control, Portmaster, and other RAS brands.
Check this out (Score:1)
Re:Don't use 10.x.x.x (Score:1)
It could be worse... (Score:1)
Granted, the network's a mess in a lot of other ways, but this one is one that always gets my goat. The response? "Yes, it's not right, but it works fine and hasn't caused any problems yet".
Re:Doubtful (Score:1)
Leave the past behind (Score:1)
RFC1918 is still valid and should be used wherever possible, and pressure should be put onto those vendors who refuse to accept oddball netmasks just because it wasn't done that way 10 years ago. With modern VPNs, NAT, Squids and the like, many networks have need for only a handful of true addresses. It's not only better for conservation of address space, but also much more secure overall.
Don't let anyone tell you you can't use 10.0.0.0 with a mask of 255.255.0.0 (or a wide variety of other possibilities)
I enjoy the 172.16.0.0-172.31.0.0 range with a 255.255.252.0 mask. This allows 1024 hosts per network. (Ex. 172.16.0.1 - 172.16.3.254) If your vendors cannot get this flexible, then tell them to fuck off...
Scott
Open mouth... insert foot (Score:1)
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Re:It's Windows, what do you expect (Score:1)
Slightly offtopic too...
However, in my office environment, I was brought aboard a LAN reconfigure, and have had remarkable luck/utility with WinRoute running (unsurprisingly) on a WinNT box.
The most important caveat I have to offer is that this is -not- an enormously high traffic network. Up to 30 users doing varyingly high bandwidth things (through a T1 running out of the office) *shrug*
Like most Win apps, it was designed for ease of use, which I appreciated because I'm not a network engineer (just a guy with a little experience with TCP/IP) but it runs stably and seems adequately configurable, and from a purely second-hand commentary, NT has a multi-threaded TCP/IP stack, unlike (at least older) Linux... (this is not something I have ever paid close enough attention to, to notice)
of course YMMV
Re:Correct Private IP Blocks (question please ) (Score:1)
Acceptable? Depends. (Score:1)
DHCP receiving 255.0.0.0 (Score:1)
If there is a patch for this anywhere, let me know.
Use 192.168 not 10 net, the 10 won't summarize (Score:1)
On a network with multiple internal class Cs, contiguous 192.168 nets can be summarized by EIGRP or OSPF. The 10 nets cannot. This means that your routing advertisements will be bigger.
Of course for tiny/static networks that's irrelevant. The only consideration is whether the network numbers will conflict with some other use.
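The summarization argument made concrete with Python's ipaddress module, as an added example (not the poster's): contiguous, aligned /24s collapse into one advertisement, while adjacent-but-misaligned or scattered ones stay separate, so it is the layout of the prefixes, not the block they come from, that decides the size of the advertisement. The three route tables are constructed.

```python
import ipaddress

def summarize(prefixes):
    """Collapse a list of prefixes into the fewest covering prefixes, the
    way a router summarizes adjacent networks into one advertisement.
    Adjacent is not enough: the prefixes must also be aligned so that a
    single shorter prefix covers exactly them and nothing else."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]

def advertisement_count(prefixes):
    """How many routes remain to be advertised after summarization."""
    return len(summarize(prefixes))

# Constructed route tables for three internal layouts.
CONTIGUOUS = ["192.168.0.0/24", "192.168.1.0/24",
              "192.168.2.0/24", "192.168.3.0/24"]      # one aligned /22
MISALIGNED = ["192.168.1.0/24", "192.168.2.0/24"]      # adjacent, not siblings
SCATTERED = ["10.1.1.0/24", "10.20.1.0/24", "10.0.3.0/24"]

if __name__ == "__main__":
    for name, table in (("contiguous", CONTIGUOUS),
                        ("misaligned", MISALIGNED),
                        ("scattered", SCATTERED)):
        print(f"{name}: {advertisement_count(table)} route(s) -> {summarize(table)}")
```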