Relevant: https://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
Seems like quite a few participants on MICE with proxy ARP still on. I know some IX’s toss you in a quarantine VLAN for initial turn-up - maybe this is something that needs to start, so this sort of thing can be checked?
— Andrew Hoyos hoyosa@gmail.com
On Aug 16, 2018, at 9:52 PM, Frank Bulk <fbulk@mypremieronline.com> wrote:
Thanks, Matthew, for explaining why ARP might be happening.
Now that CNS has its proxy ARP turned off, it’s AS393639 that’s responding:
SiouxCenter-Arista-North(s1)#traceroute ip www.yamaha-dealers.com source et 3/24
traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS393639.micemn.net (206.108.255.47)  13.936 ms  14.004 ms  13.998 ms
 2  v415.core1.msp1.he.net (184.105.25.93)  14.146 ms  14.205 ms  14.274 ms
 3  100ge13-1.core2.chi1.he.net (184.105.223.177)  22.533 ms  22.369 ms  22.538 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  *^C
SiouxCenter-Arista-North(s1)#
Can an ACL be created on the Arista that discards in/outbound ARP requests for the non-MICE address space?
Frank
From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> On Behalf Of Steve Howard
Sent: Thursday, August 16, 2018 9:32 PM
To: MICE-DISCUSS@LISTS.IPHOUSE.NET
Subject: Re: [MICE-DISCUSS] Routing of non-IX traffic
I've disabled proxy arp on the CNS router... Has the behavior changed?
On 08/16/2018 05:00 PM, Matthew Beckwell wrote:
I'm getting similar behavior as Frank.
Like Doug, I only have 45.60.73.0/24 from transit connections. So a traceroute from my MICE interface should ARP and die (I would think)....
When I traceroute to 45.60.73.16-- my router sends out an ARP request, as expected. But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order they came into my interface):
00:23:33:c6:a0:c0  206.108.255.50   Cooperative Network Services (CNS)  32609
e4:aa:5d:83:73:06  206.108.255.47   IVDesk                              393639
88:43:e1:00:f2:10  206.108.255.18   Consolidated Communications         12042
b0:aa:77:33:7b:03  206.108.255.79   Gigamonster, LLC                    31939
3c:08:f6:81:6e:a5  206.108.255.46   OneNetUSA                           46131
00:1d:e5:c0:78:c3  206.108.255.5    Implex                              21709
54:75:d0:e6:08:30  206.108.255.106  Nuvera Communications               23465
00:11:5d:82:6c:00  206.108.255.80   Future Technologies                 26451
Proxy ARP (or something like it)? CNS seems to be consistently coming in first place when I clear my ARP entry.
~Matthew matthewb@aitech.net AS13746
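The symptom Matthew describes above (several participants answering an ARP request for an address that is not on the peering LAN) is exactly the kind of thing the quarantine-VLAN turn-up check Andrew suggests would look for. The following is an added example, not code from the thread or from MICE: it parses tcpdump-style ARP lines, flags every reply that claims an address outside the peering prefix, and resolves the responding MACs against a participant table. The capture lines are constructed (timestamps, the requester address 206.108.255.1 and the length fields are made up); the MACs, peer addresses and ASNs are the ones listed in the message above, and the MICE LAN prefix 206.108.255.0/24 is assumed from the addresses in the thread.

```python
"""Spot proxy-ARP responders on an IX peering LAN from ARP reply lines."""
import ipaddress
import re
from collections import OrderedDict

# Peering LAN prefix, assumed from the 206.108.255.x addresses in the thread.
IX_LAN = ipaddress.ip_network("206.108.255.0/24")

# Constructed sample in tcpdump's ARP output format (not a real capture).
# The requester 206.108.255.1, the timestamps and the length fields are made
# up; the responder MACs are the ones Matthew listed. The last line is a
# normal reply for an on-LAN address and must not be flagged.
SAMPLE_LINES = """\
21:00:01.000100 ARP, Request who-has 45.60.73.16 tell 206.108.255.1, length 28
21:00:01.000900 ARP, Reply 45.60.73.16 is-at 00:23:33:c6:a0:c0, length 46
21:00:01.001200 ARP, Reply 45.60.73.16 is-at e4:aa:5d:83:73:06, length 46
21:00:01.001500 ARP, Reply 45.60.73.16 is-at 88:43:e1:00:f2:10, length 46
21:00:01.001800 ARP, Reply 45.60.73.16 is-at b0:aa:77:33:7b:03, length 46
21:00:01.002100 ARP, Reply 45.60.73.16 is-at 3c:08:f6:81:6e:a5, length 46
21:00:01.002400 ARP, Reply 45.60.73.16 is-at 00:1d:e5:c0:78:c3, length 46
21:00:01.002700 ARP, Reply 45.60.73.16 is-at 54:75:d0:e6:08:30, length 46
21:00:01.003000 ARP, Reply 45.60.73.16 is-at 00:11:5d:82:6c:00, length 46
21:00:02.000000 ARP, Reply 206.108.255.47 is-at e4:aa:5d:83:73:06, length 46
"""

# MAC -> (peering-LAN address, ASN), as listed in the thread. In practice
# this comes from the IX's own participant / MAC-address table.
PARTICIPANTS = {
    "00:23:33:c6:a0:c0": ("206.108.255.50", 32609),
    "e4:aa:5d:83:73:06": ("206.108.255.47", 393639),
    "88:43:e1:00:f2:10": ("206.108.255.18", 12042),
    "b0:aa:77:33:7b:03": ("206.108.255.79", 31939),
    "3c:08:f6:81:6e:a5": ("206.108.255.46", 46131),
    "00:1d:e5:c0:78:c3": ("206.108.255.5", 21709),
    "54:75:d0:e6:08:30": ("206.108.255.106", 23465),
    "00:11:5d:82:6c:00": ("206.108.255.80", 26451),
}

# tcpdump prints ARP replies as "ARP, Reply <ip> is-at <mac>, length <n>".
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (claimed_ip, responder_mac) for every ARP reply line; requests are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def proxy_arp_responders(text, ix_lan=IX_LAN):
    """Map each off-LAN address that drew an ARP reply to the responding MACs,
    in arrival order. A reply claiming an address outside the peering LAN is
    the proxy-ARP signature: no participant owns such an address on the segment."""
    flagged = OrderedDict()
    for claimed_ip, mac in parse_arp_replies(text):
        if ipaddress.ip_address(claimed_ip) in ix_lan:
            continue  # ordinary reply for a peering-LAN address
        flagged.setdefault(claimed_ip, []).append(mac)
    return flagged


def attribute(macs, participants=PARTICIPANTS):
    """Resolve responder MACs to (mac, peer address, ASN); unknown MACs stay unresolved."""
    return [(mac, *participants.get(mac, ("unknown", None))) for mac in macs]


def report(text):
    """Human-readable summary: one header per off-LAN address, one line per responder."""
    out = []
    for ip, macs in proxy_arp_responders(text).items():
        out.append(f"{ip}: {len(macs)} ARP replies from the peering LAN")
        for mac, peer_ip, asn in attribute(macs):
            out.append(f"  {mac} -> {peer_ip} AS{asn}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run against a live capture (`tcpdump -i <peering-if> -n arp`) the same parser applies; the first responder in arrival order is the one whose answer wins the requester's ARP cache, which is why CNS kept "coming in first place" in the observation above.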
On Thu, Aug 16, 2018 at 3:25 PM, Frank Bulk <fbulk@mypremieronline.com> wrote:
When I force a traceroute to originate from our MICE-facing connection, the first hop is 206.108.255.50 (AS32609 aka CNS). Any reason why?
To make things more interesting, Incapsula-destined traffic goes via Paul Bunyan. Here's just one example:
traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS32609.micemn.net (206.108.255.50)  14.059 ms  14.084 ms  14.076 ms
 2  cns70.cnsllc.net (205.149.150.9)  18.484 ms  18.434 ms  18.507 ms
 3  fg30.ips.cnsllc.net (205.149.150.30)  20.254 ms  20.346 ms  20.267 ms
 4  crss2.PaulBunyan.net (205.149.159.197)  20.527 ms  20.562 ms  20.619 ms
 5  cra.PaulBunyan.net (205.149.159.181)  23.398 ms fp233.ips.PaulBunyan.net (205.149.159.233)  22.669 ms cra.PaulBunyan.net (205.149.159.181)  23.393 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
SiouxCenter-Arista-North(s1)
The reason I stumbled across this is because we've had more than a dozen customers over the last month complain about access to Incapsula-protected sites. Packet captures show TCP RSTs coming from the far side.
Regards,
Frank Bulk AS53347
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1