169.254.xx.xx Addresses on network, help

Mar 27th, 2006

Rather odd problem...


Our network is all static IPs in the 10.10.xx.xx range. The other day a problem was arising with one of our domains.


When pinging the MNBlah domain, we'd get replies from some 169.254. address (I forget the last 2 octets). I'm no Microsoft admin, but the SA went in and deleted some entry in the DNS control screen (sorry I'm not more descriptive) that should not have been there, and which he didn't think anyone added manually.


Instantly upon deleting this, pinging the MNBlah domain returned the correct 10.10.xx.xx address and clients were able to log in once again.



My question is: How in the world does this happen? I always thought that the dreaded 169.254 address was not routable, something like the 127. range, but I guess I'm completely off. And how would this rogue computer become the highest authority in the MNBlah domain?!


Is there something I can do Layer 3 wise that would put a halt to any 169.254 traffic?

pkhatri Mon, 03/27/2006 - 03:13

Hi,


Just because the 169.254.x.x range should not be routable does not mean that it can't be routed. That probably sounds like a paradox but is not really so... A router will not implicitly deny the routing of the 169.254.x.x network unless you explicitly configure it not to. Therefore, in a poorly configured network, this network can very well be routed. That is what you were seeing... you can configure ACLs on your routers to deny this and other networks that you don't want routed.


Hope that helps - pls rate the post if it does.

Paresh

Armegeden Mon, 03/27/2006 - 03:58
Thanks for the reply.


Yes, it does sound like a very confusing paradox.


We have two 4500s running as our cores. Could you point me in the right direction to block or disrupt this unwanted network?

pkhatri Mon, 03/27/2006 - 04:03

Well, you could apply L3 access-lists to each L3 interface to block this traffic... If you already have access-lists applied, then you need to add the following line to them:


access-list 10 deny 169.254.0.0 0.0.255.255


You will need to look at the logic of your existing ACLs to see where best to insert this line...


Also, you will have to check that you are not passing routing updates for this network. How to do that depends on the routing protocols you use in your network...


Paresh

Armegeden Mon, 03/27/2006 - 04:54
Ahh, ACLs make sense. I guess I'll just create a simple ACL and apply it to each VLAN (we have > 20) with that simple deny statement.


As far as protocols, we mainly use EIGRP and I don't see any entry for this 169 range.


Thanks again

pkhatri Mon, 03/27/2006 - 04:58

Hi,


You will also need an explicit permit all at the end of your ACL, since there is an implicit deny all at the end of every ACL. For example:


access-list 10 deny 169.254.0.0 0.0.255.255
access-list 10 permit any
!
interface ethernet 0
 ip access-group 10 in
!


Hope that helps - pls rate the post if it does.

Paresh
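The two things the thread turns on are how an IOS standard ACL matches (wildcard mask, first match wins, implicit deny at the end) and why the ACL from the earlier reply needs the trailing `permit any`. The following is an added example, not code from the thread or from Cisco: a small Python model of standard-ACL evaluation, fed the two ACL variants discussed above plus a handful of constructed source addresses. The parser, the `evaluate` function and the sample addresses are assumptions made for illustration; the wildcard-mask and implicit-deny semantics are standard IOS behaviour.

```python
"""Model IOS standard access-list matching to show why the 169.254.0.0/16
filter needs an explicit 'permit any'. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass

# The ACL as first posted (deny only): everything that is not 169.254.x.x
# falls through to the implicit deny, so the whole VLAN is cut off.
ACL_DENY_ONLY = """
access-list 10 deny 169.254.0.0 0.0.255.255
"""

# The corrected ACL: link-local sources are dropped, all else is permitted.
ACL_FIXED = """
access-list 10 deny 169.254.0.0 0.0.255.255
access-list 10 permit any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # 32-bit address to compare against
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"


def parse_standard_acl(config: str) -> dict:
    """Parse 'access-list N {permit|deny} ADDR [WILDCARD]' lines.
    Also accepts the IOS shorthands 'any' and 'host ADDR'.
    Returns {acl_number: [AclEntry, ...]} in configured order."""
    acls: dict = {}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        if rest[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wc = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            # A standard ACL with no wildcard means an exact host match.
            wc = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        acls.setdefault(number, []).append(AclEntry(action, net, wc))
    return acls


def evaluate(entries, src: str) -> str:
    """Return 'permit' or 'deny' for a source address.
    First matching entry wins; a packet matching nothing hits the
    implicit 'deny any' that ends every IOS ACL."""
    addr = int(ipaddress.IPv4Address(src))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF      # bits that must match
        if (addr & care) == (e.network & care):
            return e.action
    return "deny"


def filter_sources(config: str, acl_number: int, sources) -> dict:
    """Apply one ACL to a list of source addresses; returns {src: verdict}."""
    entries = parse_standard_acl(config)[acl_number]
    return {src: evaluate(entries, src) for src in sources}


# Constructed sample sources: a normal 10.10.x.x host, the rogue APIPA
# address, and a neighbouring range that must NOT be caught by the mask.
SAMPLE_SOURCES = ["10.10.1.25", "169.254.37.201", "169.253.255.255"]

if __name__ == "__main__":
    for name, cfg in (("deny-only", ACL_DENY_ONLY), ("fixed", ACL_FIXED)):
        print(name, filter_sources(cfg, 10, SAMPLE_SOURCES))
```

Running it prints the deny-only ACL dropping every address including the legitimate 10.10.1.25, and the fixed ACL dropping only the 169.254.x.x source. Note that this models the standard-ACL source check only; applying it inbound on each SVI, as the thread suggests, stops a link-local host from sending through the router but does nothing about the rogue DNS record that caused the original symptom.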
