I'm getting similar behavior as Frank. Like Doug, I only have 45.60.73.0/24 from transit connections. So a traceroute from my MICE interface should ARP and die (I would think).... When I traceroute to 45.60.73.16-- my router sends out an ARP request, as expected. But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order they came into my interface): 00:23:33:c6:a0:c0 206.108.255.50 Cooperative Network Services (CNS) 32609 e4:aa:5d:83:73:06 206.108.255.47 IVDesk 393639 88:43:e1:00:f2:10 206.108.255.18 Consolidated Communications 12042 b0:aa:77:33:7b:03 206.108.255.79 Gigamonster, LLC 31939 3c:08:f6:81:6e:a5 206.108.255.46 OneNetUSA 46131 00:1d:e5:c0:78:c3 206.108.255.5 Implex 21709 54:75:d0:e6:08:30 206.108.255.106 Nuvera Communications 23465 00:11:5d:82:6c:00 206.108.255.80 Future Technologies 26451 Proxy ARP (or something like it)? CNS seems to be consistently coming in first place when I clear my ARP entry. ~Matthew [log in to unmask] AS13746 On Thu, Aug 16, 2018 at 3:25 PM, Frank Bulk <[log in to unmask]> wrote: > When I force a traceroute to originate from our MICE-facing connection, > the first hop is 206.108.255.50 (AS32609 aka CNS). Any reason why? > > To making things more interesting, Incapsula-destined traffic goes via > Paul Bunyan. Here's just one example: > > traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte > packets > 1 AS32609.micemn.net (206.108.255.50) 14.059 ms 14.084 ms 14.076 ms > 2 cns70.cnsllc.net (205.149.150.9) 18.484 ms 18.434 ms 18.507 ms > 3 fg30.ips.cnsllc.net (205.149.150.30) 20.254 ms 20.346 ms 20.267 ms > 4 crss2.PaulBunyan.net (205.149.159.197) 20.527 ms 20.562 ms 20.619 > ms > 5 cra.PaulBunyan.net (205.149.159.181) 23.398 ms > fp233.ips.PaulBunyan.net (205.149.159.233) 22.669 ms cra.PaulBunyan.net > (205.149.159.181) 23.393 ms > 6 * * * > 7 * * * > 8 * * * > 9 * * * > 10 * * * > 11 * * * > 12 * * * > 13 * * * > 14 * * * > 15 * * * > 16 * * * > 17 * * * > 18 * * * > 19 * * * > 20 * * * > 21 * * * > 22 * * * > 23 * * * > 24 * * * > 25 * * * > 26 * * * > 27 * * * > 28 * * * > 29 * * * > 30 * * * > SiouxCenter-Arista-North(s1) > > The reason I stumbled across this is because we've had more than a dozen > customers over the last month complain about access to Incapsula-protected > sites. Packet captures show TCP RSTs coming from the far side. > > Regards, > > Frank Bulk > AS53347 >