Networking Forums

Windows 2003 Improper Handling of 10.0.0.0 Subnets?

 
 
Will
01-31-2007, 08:35 AM
I'm seeing some strange networking behavior I need help understanding under
Windows 2003. I can define a Class C subnet in the 10.0.0.0 network space,
but after doing so the ROUTE PRINT command is showing an incorrect Class A
network broadcast route.

To take a simple case that works first, let's define an adapter to be on a
Class C 192.168.1.0. After you define the IP and network definition
255.255.255.0 on the adapter, ROUTE PRINT shows you a correct Class C
broadcast for 192.168.1.255. Correct.

Now try the same thing for a Class C subnet at 10.1.1.0. After you define
this IP and Class C network definition of 255.255.255.0 on the adapter,
ROUTE PRINT shows you a Class A broadcast for 10.255.255.255 on this one
network. Wrong! God forbid you define two Class C subnets in the
10.0.0.0 space on two different adapters, because now Windows shows
duplicate broadcast routes, contradicting each other, pointing to each of
the two Class C subnets in the 10.0.0.0 space. Very Wrong!

Needless to say, once the route table gets screwed up like this, routing
firewalls like ISA go a bit crazy and complain (rightly) about an improper
route table.

Is this a bug in Windows Networking, or is there hard and fast rule in the
RFQs that they do not allow you to subclass the 10.0.0.0 space on two or
more adapters of a single computer? If the designers of this
functionality at Microsoft never wanted to allow smaller than a Class A
network definition on an adapter that attaches to the 10.0.0.0 network
space, then at very least we have a completely misleading user interface
here, because they should not be allowing the definition of the Class C
subnet if they have no intention of handling the routes correctly.

--
Will


 
Phillip Windell
01-31-2007, 09:42 PM
It is because 10.0.0.0 is a Class "A" address. Nothing can change that. The
routing table is following Classful Addressing Rules. The mask used plays no
part in the Class.

Classes A through C are used on the Internet (minus the RFC Private Ranges).
Class D is a Multicast address set, and is never found on the Internet.
Class E is a Reserved Experimental Range and is never found on the Internet.
It begins with 240.0.0.0; I don't believe you will find any Internet address
higher than 239.255.255.254.
There are probably more classes that go up until the first 7 bits of the first
octet are filled up, but I don't know anything about them (Class F - first 5
bits, Class G - first 6 bits, Class H - first 7 bits).

1.0.0.0 - 127.255.255.255 is Class "A". The mask is irrelevant.
All Class "A" addresses have the first bit as "0":
00000001.00000000.00000000.00000000

128.0.0.0 - 191.255.255.255 is Class "B". The mask is irrelevant.
All Class "B" addresses have the first bit as "1" and the second bit as "0":
10000000.00000000.00000000.00000000

192.0.0.0 - 223.255.255.255 is Class "C". The mask is irrelevant.
All Class "C" addresses have the first 2 bits as "1" and the third bit as "0":
11000000.00000000.00000000.00000000

224.0.0.0 is Class "D". The mask is irrelevant.
All Class "D" addresses have the first 3 bits as "1" and the fourth bit as "0":
11100000.00000000.00000000.00000000

240.0.0.0 is Class "E". The mask is irrelevant.
All Class "E" addresses have the first 4 bits as "1" and the fifth bit as "0":
11110000.00000000.00000000.00000000

Here are references so you will know I am not insane :-):
http://www.tcpipguide.com/free/t_IPC...ficationan.htm
http://www.tcpipguide.com/free/t_IPA...Capacities.htm
http://www.tcpipguide.com/free/t_IPC...essClasses.htm

The RFC Private Ranges are never used on the Internet and will not "route" over
Internet Routers.
They are:

Class "A"
10.0.0.0 - 10.255.255.255
10.0.0.0/8 (aka 255.0.0.0)

Class "B"
172.16.0.0 - 172.31.255.255
172.16.0.0/12 (aka 255.240.0.0)

Class "C"
192.168.0.0 - 192.168.255.255
192.168.0.0/16 (aka 255.255.0.0)


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


 
Phillip Windell
01-31-2007, 09:51 PM
By the way...

Stay far far away from the Routing Table on an ISA box.
If you are ever in doubt that you have the Routing Table screwed up do this:

1. Double check (no, triple check) that the TCP/IP config of each nic is correct.
2. From a command prompt run "c:\> Route /f". This clears the table.
3. Reboot the machine; the table will rebuild itself according to the nic's
TCP/IP config.
4. Re-add any Static Routes that are required.
5. If the table is still wrong, it is because at least one of the nic's TCP/IP
config is still wrong. Correct it, and repeat steps #1 through #4.




 
Will
01-31-2007, 11:57 PM
"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> It is because 10.0.0.0 is a Class "A" address. Nothing can change that. The
> routing table is following Classful Addressing Rules. The mask used plays no
> part in the Class.
>
> ...skipping the middle....
>
> Class "A"
> 10.0.0.0 - 10.255.255.255
> 10.0.0.0/8 (aka 255.0.0.0)
>
> Class "B"
> 172.16.0.0 - 172.31.255.255
> 172.16.0.0/12 (aka 255.240.0.0)


Interesting, so even though the routing can be subclassed to any Class you
want to use on these, the broadcast address always inherits from the
intended Class of the parent type?

What is the reason for that? If they are going to let you break down a
Class A or Class B into Class C subclasses for routing, why would they force
you to use a different Class for the broadcast?

I'm learning something here, thanks.

--
Will



 
Will
02-01-2007, 12:28 AM
"Phillip Windell" <@.> wrote in message
news:#(E-Mail Removed)...
> Stay far far away from the Routing Table on an ISA box.
> If you are ever in doubt that you have the Routing Table screwed up do
> this:
>
> 1. Double check (no, triple check) that the TCP/IP config of each nic is
> correct
> 2. From a command prompt run "c:\> Route /f" . This clears the table.
> 3. Reboot the machine, the table will rebuild itself according to the
> nic's TCP/IP config
> 4. Re-add any Static Routes that are required


Well, if I am adding static persistent routes because my default upstream
router does not know how to reach the destination network, then I am not
staying far far away from the Routing table, am I? So it's not clear what
your caution is in the first line.

But in general I do agree that when you first deal with ISA it is very very
tricky how to model a complex network where not all of the subnets are
reachable directly by addresses directly reachable by your NICs. You have
at least two models that I have experimented with and both seem to work
without any complaints from ISA:

1) You can use a larger Class Network on the NIC, then define subnets in ISA
and set static routes to those subnets in the Windows Route table.

2) You can restrict the network of the NIC to just the local addresses
directly on the subnet that the NIC attaches to, then define address ranges
in ISA (not subnets) and set static routes in the Windows Route table.

I'm not sure if there are reasons to prefer 1). The reason I like
approach 2) is that I can set very restrictive network rules on traffic such
that if my network model is violated the packets literally don't even pass
to the firewall rule list.

Example: I have a single timekeeping system on a remote subnet from ISA and
I need to be able to have that remote system travel back into a network
behind ISA to get whatever. I can design the network rules in approach 2)
so that the specific host object routes to a specific host or network object
or address range known to ISA. I write my firewall rules in a similarly
restrictive fashion.

Now, four months later, someone puts an unauthorized device onto the subnet
with the timekeeping system. If they have a different IP on the same
subnet that the timekeeping system attaches to, ISA shows those packets in
the Firewall Rule column with just blank information. In other words no
firewall rule executes because no network rule is matched at all for that
packet and it never even starts to traverse the rule list! Going the
other way, when someone tries to reach the rogue host, the Network rule
going out was written to the target host, and the packets never even travel
through the firewall rule list.

This has proven to be an extremely powerful network modeling feature for us,
and it makes ISA unique among the firewall products I have seen. It's both
flexible and offers an extra safeguard against a sloppily written firewall
ruleset. As long as you are careful to avoid using External objects in
your network rule list for such rules, you can make large sections of the
private address space unreachable, and it's just a small incremental
protection against hackers who get on and start playing with different
source IPs.

--
Will


 
Bill Grant
02-01-2007, 05:02 AM
Why does it matter? A broadcast address is only relevant on the local
segment. Broadcast traffic doesn't go anywhere else.




 
Will
02-01-2007, 06:11 AM
"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> Why does it matter? A broadcast address is only relevant on the local
> segment. Broadcast traffic doesn't go anywhere else.


I would agree with that, but unfortunately ISA Server sees two Class C
subnets on two local adapters and complains about the overlapping broadcast
routes. My experience with ISA is that when it issues these kinds of
complaints about the routing table, you stand up and take action because
unexpected things happen otherwise (like it might try to pass the broadcasts
across the segment boundaries) without your having a rule to allow it.

--
Will


 
Phillip Windell
02-01-2007, 03:31 PM
> What is the reason for that? If they are going to let you break down a
> Class A or Class B into Class C subclasses for routing, why would they force
> you to use a different Class for the broadcast.


They don't let you do that.
A Class A is always.
You cannot "break" it down into another Class.
If you give a Class A network a 24-bit mask, then all you have done is divided up
a Class A address into a bunch of "little" Class A networks that are 8 bits wide
(254 hosts). It is still a Class A network.
The Subnet Broadcast Address is always the last address in the "split" and has
all "1"s in the host portion of the Address.
The Class or "Master" Broadcast Address is always the last address in the
Class, no matter what.

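As an added example (not code from the thread or from any of its posters), here are the classful rules from Phillip's two posts above worked in Python: the class read from the leading bits of the first octet, the subnet broadcast of the masked "split" versus the class or "master" broadcast, and a check that reproduces the duplicate 10.255.255.255 broadcast Will saw with two /24s carved out of 10.0.0.0 on one host. The sample adapters are constructed; the functions are hypothetical names, not anything Windows or ISA exposes.

```python
import ipaddress

# Added example, not from the thread: classful rules as Phillip describes them.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}  # classful network width in bits


def address_class(addr: str) -> str:
    """Class from the leading bits of the first octet; the mask plays no part."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"        # 0xxxxxxx  -> 1.0.0.0 - 127.255.255.255
    if first >> 6 == 0b10:
        return "B"        # 10xxxxxx  -> 128.0.0.0 - 191.255.255.255
    if first >> 5 == 0b110:
        return "C"        # 110xxxxx  -> 192.0.0.0 - 223.255.255.255
    if first >> 4 == 0b1110:
        return "D"        # 1110xxxx  -> multicast, 224.0.0.0 - 239.255.255.255
    return "E"            # 1111xxxx  -> reserved, 240.0.0.0 and up


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """The 'master' network the address belongs to by class, ignoring any mask."""
    cls = address_class(addr)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"{addr} is class {cls}; no unicast network to derive")
    return ipaddress.IPv4Network(f"{addr}/{CLASS_PREFIX[cls]}", strict=False)


def broadcasts(addr: str, mask: str) -> tuple[str, str]:
    """(subnet broadcast, class broadcast) for an adapter with this IP and mask.

    The subnet broadcast is the last address of the masked 'split'; the class
    broadcast is the last address of the whole class, whatever the mask.
    """
    subnet = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return str(subnet.broadcast_address), str(classful_network(addr).broadcast_address)


def duplicate_class_broadcasts(adapters: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Class broadcast addresses that more than one adapter would claim.

    Two /24s carved out of 10.0.0.0 on one host both map to 10.255.255.255,
    which is the contradictory pair of broadcast routes Will saw in ROUTE PRINT.
    """
    claimed: dict[str, list[str]] = {}
    for ip, mask in adapters:
        claimed.setdefault(broadcasts(ip, mask)[1], []).append(ip)
    return {bcast: ips for bcast, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    # Constructed sample adapters mirroring the two cases in the thread.
    for ip, mask in [("192.168.1.10", "255.255.255.0"), ("10.1.1.10", "255.255.255.0")]:
        sub, cls = broadcasts(ip, mask)
        print(f"{ip}/{mask}: class {address_class(ip)}, subnet bcast {sub}, class bcast {cls}")
    print(duplicate_class_broadcasts([("10.1.1.1", "255.255.255.0"),
                                      ("10.2.2.1", "255.255.255.0"),
                                      ("192.168.1.1", "255.255.255.0")]))
```

For 192.168.1.0/24 both broadcasts coincide, which is why that case looked "correct"; for 10.1.1.0/24 they differ, and a second 10.x /24 on the same host claims the same class broadcast.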


 
Phillip Windell
02-01-2007, 03:39 PM
Clean your routing table up, like this:

1. Double check that the TCP/IP config of each nic is correct.
2. From a command prompt run "c:\> Route /f". This clears the table.
3. Reboot the machine; the table will rebuild itself according to the nic's
TCP/IP config.
4. If the table is still wrong, it is because at least one of the nic's TCP/IP
config is still wrong. Correct it, and repeat steps #1 through #3.

I need the output of "IPconfig /All". If you are not willing to post that in
the group I will not help you. I need this to verify that #1 above is really
correct.

Then, tell me what Static Routes you think you need,...and why you think you
need them. Then I will tell you what the Static Route really should be.

Taking in all of your posts both here and in the ISA groups into consideration,
I am at the conclusion that you keep misunderstanding how ISA works, why it does
things the way it does them, misinterpreting what you see, and then taking
incorrect actions to correct something that really isn't what is happening.






 
Will
02-01-2007, 11:31 PM
"Phillip Windell" <@.> wrote in message
news:uUE#(E-Mail Removed)...
> They don't let you do that.
> A Class A is always.
> You cannot "break" it down into another Class.
> If you give a Class A network a 24bit mask, then all you have done is
> divided up a Class A address into a bunch of "little" Class A networks
> that are 8 bits wide (254 hosts). It is still a Class A network.


I guess it is clear now based on the broadcast route that is created being
class A. What is the proper name for the 254 host subnet of the class A
network? It's a bit awkward to have to refer to it as a /24 subnet or
255.255.255.0 subnet. I appreciate your correcting my terminology.

--
Will




 