
Thanks, Matthew, for explaining why ARP might be happening.

Now that CNS has its proxy ARP turned off, it’s AS393639 that’s responding:

SiouxCenter-Arista-North(s1)#traceroute ip www.yamaha-dealers.com source et 3/24
traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
1  AS393639.micemn.net (206.108.255.47)  13.936 ms  14.004 ms  13.998 ms
2  v415.core1.msp1.he.net (184.105.25.93)  14.146 ms  14.205 ms  14.274 ms
3  100ge13-1.core2.chi1.he.net (184.105.223.177)  22.533 ms  22.369 ms  22.538 ms
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  *^CSiouxCenter-Arista-North(s1)#

Can an ACL be created on the Arista that discards in/outbound ARP requests for the non-MICE address space?

Frank

From: MICE Discuss <[log in to unmask]> On Behalf Of Steve Howard
Sent: Thursday, August 16, 2018 9:32 PM
To: [log in to unmask]
Subject: Re: [MICE-DISCUSS] Routing of non-IX traffic

I've disabled proxy arp on the CNS router...   Has the behavior changed?
On 08/16/2018 05:00 PM, Matthew Beckwell wrote:
I'm getting similar behavior as Frank.

Like Doug, I only have 45.60.73.0/24 from transit connections.
So a traceroute from my MICE interface should ARP and die (I would think)....

When I traceroute to 45.60.73.16-- my router sends out an ARP request, as expected.
But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order they came into my interface):


00:23:33:c6:a0:c0   206.108.255.50    Cooperative Network Services (CNS)   32609
e4:aa:5d:83:73:06   206.108.255.47    IVDesk                               393639
88:43:e1:00:f2:10   206.108.255.18    Consolidated Communications          12042
b0:aa:77:33:7b:03   206.108.255.79    Gigamonster, LLC                     31939
3c:08:f6:81:6e:a5   206.108.255.46    OneNetUSA                            46131
00:1d:e5:c0:78:c3   206.108.255.5     Implex                               21709
54:75:d0:e6:08:30   206.108.255.106   Nuvera Communications                23465
00:11:5d:82:6c:00   206.108.255.80    Future Technologies                  26451



Proxy ARP (or something like it)?
CNS seems to be consistently coming in first place when I clear my ARP entry.

~Matthew
[log in to unmask]
AS13746




On Thu, Aug 16, 2018 at 3:25 PM, Frank Bulk <[log in to unmask]> wrote:
When I force a traceroute to originate from our MICE-facing connection, the first hop is 206.108.255.50 (AS32609 aka CNS).  Any reason why?

To make things more interesting, Incapsula-destined traffic goes via Paul Bunyan.  Here's just one example:

traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS32609.micemn.net (206.108.255.50)  14.059 ms  14.084 ms  14.076 ms
 2  cns70.cnsllc.net (205.149.150.9)  18.484 ms  18.434 ms  18.507 ms
 3  fg30.ips.cnsllc.net (205.149.150.30)  20.254 ms  20.346 ms  20.267 ms
 4  crss2.PaulBunyan.net (205.149.159.197)  20.527 ms  20.562 ms  20.619 ms
 5  cra.PaulBunyan.net (205.149.159.181)  23.398 ms fp233.ips.PaulBunyan.net (205.149.159.233)  22.669 ms cra.PaulBunyan.net (205.149.159.181)  23.393 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
SiouxCenter-Arista-North(s1)

The reason I stumbled across this is because we've had more than a dozen customers over the last month complain about access to Incapsula-protected sites.  Packet captures show TCP RSTs coming from the far side.

Regards,

Frank Bulk
AS53347


________________________________

To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1

