LISTSERV 16.0 - MICE-DISCUSS Archives

I'm getting similar behavior as Frank.

Like Doug, I only have 45.60.73.0/24 from transit connections.
So a traceroute from my MICE interface should ARP and die (I would
think)....

When I traceroute to 45.60.73.16-- my router sends out an ARP request, as
expected.
But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order
they came into my interface):


00:23:33:c6:a0:c0 206.108.255.50 Cooperative Network Services (CNS) 32609
e4:aa:5d:83:73:06 206.108.255.47 IVDesk 393639
88:43:e1:00:f2:10 206.108.255.18 Consolidated Communications 12042
b0:aa:77:33:7b:03 206.108.255.79 Gigamonster, LLC 31939
3c:08:f6:81:6e:a5 206.108.255.46 OneNetUSA 46131
00:1d:e5:c0:78:c3 206.108.255.5 Implex 21709
54:75:d0:e6:08:30 206.108.255.106 Nuvera Communications 23465
00:11:5d:82:6c:00 206.108.255.80 Future Technologies 26451

Proxy ARP (or something like it)?
CNS seems to be consistently coming in first place when I clear my ARP
entry.

~Matthew
[log in to unmask]
AS13746




On Thu, Aug 16, 2018 at 3:25 PM, Frank Bulk <[log in to unmask]>
wrote:

> When I force a traceroute to originate from our MICE-facing connection,
> the first hop is 206.108.255.50 (AS32609 aka CNS).  Any reason why?
>
> To making things more interesting, Incapsula-destined traffic goes via
> Paul Bunyan.  Here's just one example:
>
> traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte
> packets
>  1  AS32609.micemn.net (206.108.255.50)  14.059 ms  14.084 ms  14.076 ms
>  2  cns70.cnsllc.net (205.149.150.9)  18.484 ms  18.434 ms  18.507 ms
>  3  fg30.ips.cnsllc.net (205.149.150.30)  20.254 ms  20.346 ms  20.267 ms
>  4  crss2.PaulBunyan.net (205.149.159.197)  20.527 ms  20.562 ms  20.619
> ms
>  5  cra.PaulBunyan.net (205.149.159.181)  23.398 ms
> fp233.ips.PaulBunyan.net (205.149.159.233)  22.669 ms cra.PaulBunyan.net
> (205.149.159.181)  23.393 ms
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
> SiouxCenter-Arista-North(s1)
>
> The reason I stumbled across this is because we've had more than a dozen
> customers over the last month complain about access to Incapsula-protected
> sites.  Packet captures show TCP RSTs coming from the far side.
>
> Regards,
>
> Frank Bulk
> AS53347
>