172.14 and 172.15 used internally

phoeneousphoeneous Go ping yourself...Member Posts: 2,333 ■■■■■■■□□□
Spoke with a buddy over the weekend who just landed a job with a small company that has about 10 locations throughout the nation. His config on a few of the routers has their ethernet interfaces using 172.14.1.0/24 and 172.15.1.0/24 for the internal lan. Even though this goes against RFC 1918, is there a good reason why these subnets should not be used internally?

Comments

  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Dude, it's amazing what you find out in the real world. I just came from a place that ran 131.x.x.x internally. Where did that come from?

    Problems can occur when connecting those machines to the internet, but they're usually NAT'd behind a perimeter device, so it really doesn't matter. The ISP shouldn't accept them if they try to directly connect them anyway. It's still a poor practice.
  • tierstentiersten Member Posts: 4,505
    I've been at a place that used the same class B as some university. Thankfully there isn't ever a need for them to connect there and they're natted anyway.

    I considered changing it but the job was just too huge and it would also involve changing settings in their ancient unsupported and undocumented accounting server so I wimped out of that.
  • ZaitsZaits Member Posts: 142
    I also came from a company that had one site using 11.19.x.x for their subnet.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    tiersten wrote: »
    I've been at a place that used the same class B as some university. Thankfully there isn't ever a need for them to connect there and they're natted anyway.

    The real issue would be when an inside user tried to reach an IP on that universities network. Then you end up just routing to one of your internal IPs instead.

    To the OP, those ranges don't look to be currently allocated, but if they do get allocated the site will have issues getting to those IP ranges.
    An expert is a man who has made all the mistakes which can be made.
  • tierstentiersten Member Posts: 4,505
    The real issue would be when an inside user tried to reach an IP on that universities network. Then you end up just routing to one of your internal IPs instead.
    As I said, they had no need business or personal to ever connect to anything hosted by that university.
  • feng.lianfeng.lian Member Posts: 47 ■■□□□□□□□□
    Being on that subject, where exactly do you find which public address is "unused."

    By "unused," I mean either addresses that are still unallocated, which from what I read there are very few left, or addresses that has been allocated to some entity, but they are either not using it or you never need to access them from the Internet.

    The point of this is, you don't want to allocated an address like 72.163.4.161 because no only it has been assigned to Cisco Systems, Inc, but they are using it as a web server accessible from the Internet.
  • tierstentiersten Member Posts: 4,505
    feng.lian wrote: »
    Being on that subject, where exactly do you find which public address is "unused."
    Look it up in the various IP registries like ARIN, RIPE, APNIC etc... ARIN generally tells you where to go to get further information if its been delegated to somebody else.
  • tierstentiersten Member Posts: 4,505
    172.14.0.0 and 172.15.0.0 seem to appear quite a lot in example configs for Cisco and Juniper gear. No idea why they're using that when they're just 1 off 172.16.0.0 anyway...
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    dynamik wrote: »
    Dude, it's amazing what you find out in the real world. I just came from a place that ran 131.x.x.x internally. Where did that come from?

    It's weird at his office because it looks like they started with 172.16.1.0/24, then 172.17, 172.18, 172.19 and then with the newer offices they started with 172.14 and 172.15. wtf? My only guess is they hired a rookie to do the job or someones "friend" that they probably paid under the table.
  • tierstentiersten Member Posts: 4,505
    phoeneous wrote: »
    It's weird at his office because it looks like they started with 172.16.1.0/24, then 172.17, 172.18, 172.19 and then with the newer offices they started with 172.14 and 172.15. wtf? My only guess is they hired a rookie to do the job or someones "friend" that they probably paid under the table.
    I can sort of understand somebody going from 172.16 to 172.17 and above but why suddenly go lower? Weird
  • SubnettingGoddessSubnettingGoddess Member Posts: 108
    Here's the current bogon list: Bogon Dotted Decimal List v6.3 06 August 2010 - Team Cymru

    0.0.0.0 255.0.0.0
    5.0.0.0 255.0.0.0
    10.0.0.0 255.0.0.0
    23.0.0.0 255.0.0.0
    36.0.0.0 254.0.0.0
    39.0.0.0 255.0.0.0
    42.0.0.0 255.0.0.0
    100.0.0.0 255.0.0.0
    102.0.0.0 254.0.0.0
    104.0.0.0 254.0.0.0
    106.0.0.0 255.0.0.0
    127.0.0.0 255.0.0.0
    169.254.0.0 255.255.0.0
    172.16.0.0 255.240.0.0
    179.0.0.0 255.0.0.0

    185.0.0.0 255.0.0.0
    192.0.0.0 255.255.255.0
    192.0.2.0 255.255.255.0
    192.168.0.0 255.255.0.0
    198.18.0.0 255.254.0.0
    198.51.100.0 255.255.255.0
    203.0.113.0 255.255.255.0
    224.0.0.0 224.0.0.0


    When I used to maintain ours, it seemed to change every month though.
    OK, I confess, I do have one certification. I am an ACIA - Arcsight Certified Integrator/Administrator. But it's awarded for attending the class. Woot. And while it's a fine skill to have, my interests lay elsewhere.
  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    Like Dynamik, I've seen it all. I understand when its a small business that has inexperienced IT staff who don't know any better, but I've seen some big networks using public addressing internally. Other than the occasional (it almost never happens) DNS issues, unless you're routing BGP you don't have anything to worry about. Its just a pain in the butt to troubleshoot or work with.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
Sign In or Register to comment.