203.0.113.1 -Cisco’s use of the 203.0.113.1 IP address in Cisco FTD 4100/9300 devices

Be the first to comment.

If you have a Cisco FTD high end product such as the 4100 and 9300, then you may find this post important, or at least somewhat interesting. First, if  you are in expert mode from your FTD device and perform a ifconfig -a, then you’ll find some IP’s in use for internal management.

When a customer asked me what this 203 address was, I called cisco and the answer was “well just tell them not to type in ifconfig”….the answer seemed a little like this:

However, I did finally push them enough and received an answer. Here is how you see this address and then the answer follows:

Firepower-module1>connect ftd

expert
admin@ftd:~$ifconfig -a

here is the output for int eth0:0

eth0:0    Link encap:Ethernet  HWaddr 00:15:a5:01:01:00

          inet addr:203.0.113.1  Bcast:203.0.113.127  Mask:255.255.255.128

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

So, to begin with, what is this IP address anyway? Check out RFC 5737 for an explanation of this address:

RFC 5737: Pv4 Address Blocks Reserved for Documentation

[some output cut]

3. Documentation Address Blocks

The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.

4. Operational Implications

Addresses within the TEST-NET-1, TEST-NET-2, and TEST-NET-3 blocks SHOULD NOT appear on the public Internet and are used without any coordination with IANA or an Internet registry [RFC2050]. Network operators SHOULD add these address blocks to the list of non- routeable address spaces, and if packet filters are deployed, then this address block SHOULD be added to packet filters. These blocks are not for local use, and the filters may be used in both local and public contexts.

——–

So, what the heck does Cisco use this for? Well, that’s the question de jour for sure.  The answer, which is documented only here now, is that its used for internal NTP clocking of the device (not external). You can obviously just ignore this address, but just make sure you don’t use it somewhere or accidentally advertise it, but if you were wondering what the heck this address is, there you go.

But wait, there’s more. Inside that same output is multiple 127.x.y.z addresses, and these can cause problems as well. For example, Cisco also created headaches for ACI and OTV by also using 127.x.y.z hardcoded for Cluster Control Link (CCL), with no documentation on these addresses either. You will need to create a dedicated VDC on your Nexus xKs for the Firepower CCL and disable ARP inspection on the OTV tunnel to get it to work.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *