When I force a traceroute to originate from our MICE-facing connection, the first hop is 206.108.255.50 (AS32609 aka CNS). Any reason why?

To make things more interesting, Incapsula-destined traffic goes via Paul Bunyan. Here's just one example:

traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS32609.micemn.net (206.108.255.50)  14.059 ms  14.084 ms  14.076 ms
 2  cns70.cnsllc.net (205.149.150.9)  18.484 ms  18.434 ms  18.507 ms
 3  fg30.ips.cnsllc.net (205.149.150.30)  20.254 ms  20.346 ms  20.267 ms
 4  crss2.PaulBunyan.net (205.149.159.197)  20.527 ms  20.562 ms  20.619 ms
 5  cra.PaulBunyan.net (205.149.159.181)  23.398 ms fp233.ips.PaulBunyan.net (205.149.159.233)  22.669 ms cra.PaulBunyan.net (205.149.159.181)  23.393 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
SiouxCenter-Arista-North(s1)

The reason I stumbled across this is because we've had more than a dozen customers over the last month complain about access to Incapsula-protected sites. Packet captures show TCP RSTs coming from the far side.

Regards,
Frank Bulk
AS53347
I am surprised that you are getting any traceroute at all. Your MICE facing interface IP should not exist on the public internet. I am wondering if there is a default route in someone's table (CNS/Paul Bunyan) (or they are originating the MICE subnet internally) that is enabling you to get as much of a trace as you are getting.
On Thu, Aug 16, 2018 at 08:25:54PM +0000, Frank Bulk wrote:
When I force a traceroute to originate from our MICE-facing connection, the first hop is 206.108.255.50 (AS32609 aka CNS). Any reason why?
To make things more interesting, Incapsula-destined traffic goes via Paul Bunyan. Here's just one example:
traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS32609.micemn.net (206.108.255.50)  14.059 ms  14.084 ms  14.076 ms
 2  cns70.cnsllc.net (205.149.150.9)  18.484 ms  18.434 ms  18.507 ms
 3  fg30.ips.cnsllc.net (205.149.150.30)  20.254 ms  20.346 ms  20.267 ms
 4  crss2.PaulBunyan.net (205.149.159.197)  20.527 ms  20.562 ms  20.619 ms
 5  cra.PaulBunyan.net (205.149.159.181)  23.398 ms fp233.ips.PaulBunyan.net (205.149.159.233)  22.669 ms cra.PaulBunyan.net (205.149.159.181)  23.393 ms
...
Hmm, I don't find that route available via MICE. I only see the route from my transit providers as 45.60.73.0/24 originating from AS19551. I do not learn it from MICE. That prefix isn't in the BIRD routing table.
--
Doug McIntyre <merlyn@iphouse.net>
~.~ ipHouse ~.~
Network Engineer/Provisioning/Jack of all Trades
I'm getting similar behavior as Frank.

Like Doug, I only have 45.60.73.0/24 from transit connections. So a traceroute from my MICE interface should ARP and die (I would think)....

When I traceroute to 45.60.73.16-- my router sends out an ARP request, as expected. But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order they came into my interface):

00:23:33:c6:a0:c0  206.108.255.50   Cooperative Network Services (CNS)  32609
e4:aa:5d:83:73:06  206.108.255.47   IVDesk                              393639
88:43:e1:00:f2:10  206.108.255.18   Consolidated Communications         12042
b0:aa:77:33:7b:03  206.108.255.79   Gigamonster, LLC                    31939
3c:08:f6:81:6e:a5  206.108.255.46   OneNetUSA                           46131
00:1d:e5:c0:78:c3  206.108.255.5    Implex                              21709
54:75:d0:e6:08:30  206.108.255.106  Nuvera Communications               23465
00:11:5d:82:6c:00  206.108.255.80   Future Technologies                 26451

Proxy ARP (or something like it)? CNS seems to be consistently coming in first place when I clear my ARP entry.

~Matthew
matthewb@aitech.net
AS13746

On Thu, Aug 16, 2018 at 3:25 PM, Frank Bulk <fbulk@mypremieronline.com> wrote:
When I force a traceroute to originate from our MICE-facing connection, the first hop is 206.108.255.50 (AS32609 aka CNS). Any reason why?
Why would your router ARP for an address that is not on the same subnet as any of your interfaces?
Yeah, was just writing this. Your router should see that it’s not a directly connected IP, and back up to routing table/FIB. It may ARP for next hop depending on path.

For those with this issue, what say your routing tables for this subnet? And do *you* have proxy arp turned off?

— Andrew Hoyos hoyosa@gmail.com
On Aug 16, 2018, at 3:11 PM, Jeremy Lumby <jlumby@MNVOIP.COM> wrote:
Why would your router ARP for an address that is not on the same subnet as any of your interfaces?
Proxy arp enabled by default is the silliest thing Cisco ever did.
At one level I agree with you, especially when you are talking about IXPs. However, facing userland, proxy arp plasters over a myriad of silly misconfigurations and typos. Which from a TAC and help desk point of view is a good thing, many tickets that are never opened, because it just works.

On Thu, Aug 16, 2018 at 5:25 PM, Ryan Goldberg <RGoldberg@compudyne.com> wrote:
Proxy arp enabled by default is the silliest thing Cisco ever did.
--
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
On Thu, Aug 16, 2018 at 10:25:13PM +0000, Ryan Goldberg wrote:
Proxy arp enabled by default is the silliest thing Cisco ever did.
I'd say the constant 8:1 overcommit is the silliest thing ever, followed by proxy arp enablement by default.
--
Mike Horwath, reachable via drechsau@Geeks.ORG
On some gear, it will ARP for an address that is not directly connected when you force the interface being used. (Basically telling the router "Ignore the forwarding table...use this interface no matter what").

To which the router says "okay, but i'm gonna have to ARP for it, and anyone watching is going to think I don't know what i'm doing...." (And they'd be correct...)

Under normal circumstances (not specifying the interface), my traceroutes happily go out the shortest transit path shown in the full BGP feed. No proxy arp here. :)

~Matthew

On Thu, Aug 16, 2018 at 5:13 PM, Andrew Hoyos <hoyosa@gmail.com> wrote:
Yeah, was just writing this. Your router should see that it’s not a directly connected IP, and back up to routing table/FIB. It may ARP for next hop depending on path.
For those with this issue, what say your routing tables for this subnet? And do *you* have proxy arp turned off?
— Andrew Hoyos hoyosa@gmail.com
Thanks, Matthew, for explaining why ARP might be happening.

Now that CNS has its proxy ARP turned off, it’s AS393639 that’s responding:

SiouxCenter-Arista-North(s1)#traceroute ip www.yamaha-dealers.com source et 3/24
traceroute to www.yamaha-dealers.com (45.60.73.16), 30 hops max, 60 byte packets
 1  AS393639.micemn.net (206.108.255.47)  13.936 ms  14.004 ms  13.998 ms
 2  v415.core1.msp1.he.net (184.105.25.93)  14.146 ms  14.205 ms  14.274 ms
 3  100ge13-1.core2.chi1.he.net (184.105.223.177)  22.533 ms  22.369 ms  22.538 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  *^CSiouxCenter-Arista-North(s1)#

Can an ACL be created on the Arista that discards in/outbound ARP requests for the non-MICE address space?

Frank

From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> On Behalf Of Steve Howard
Sent: Thursday, August 16, 2018 9:32 PM
To: MICE-DISCUSS@LISTS.IPHOUSE.NET
Subject: Re: [MICE-DISCUSS] Routing of non-IX traffic

I've disabled proxy arp on the CNS router... Has the behavior changed?
Relevant: https://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf

Seems like quite a few participants on MICE with proxy ARP still on. I know some IX’s toss you in a quarantine VLAN for initial turn-up - maybe this is something that needs to start, so this sort of thing can be checked?

— Andrew Hoyos hoyosa@gmail.com
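
The kind of check a quarantine VLAN or a monitoring port on the exchange LAN could run, as an added example that is not part of the original thread: it parses raw ARP frames and flags every responder that answers for an address outside the peering LAN, which is how the proxy ARP replies Matthew listed look on the wire. The /24 prefix length, the requester MAC/IP and all function names are assumptions; the sample frames are constructed from the MAC and IP values quoted in the thread.

```python
import ipaddress
import struct

# Assumption: the thread only shows 206.108.255.x peers; the /24 length is assumed.
IX_LAN = ipaddress.ip_network("206.108.255.0/24")

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, vlan=None):
    """Build an Ethernet ARP frame for the sample data (optional 802.1Q tag)."""
    dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else target_mac
    header = mac_bytes(dst) + mac_bytes(sender_mac)
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    header += struct.pack("!H", ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, oper,
                         mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
                         mac_bytes(target_mac), ipaddress.ip_address(target_ip).packed)
    return header + body


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 14:
        return None
    offset = 12                                   # skip destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_VLAN:               # step over a single 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + ARP_BODY.size:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_BODY.unpack_from(frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_text(sha), ipaddress.ip_address(spa), ipaddress.ip_address(tpa)


def find_proxy_arp(frames, ix_lan=IX_LAN, peers=None):
    """Map each off-LAN address claimed in an ARP reply to its responders, in arrival order."""
    peers = peers or {}
    findings = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, claimed_ip, _target_ip = parsed
        # A reply whose sender IP is inside the peering LAN is ordinary ARP.
        if oper != ARP_REPLY or claimed_ip in ix_lan:
            continue
        entry = (sender_mac, peers.get(sender_mac, "unknown MAC"))
        responders = findings.setdefault(str(claimed_ip), [])
        if entry not in responders:
            responders.append(entry)
    return findings


# MAC -> participant, taken from the ARP replies listed in the thread.
PEERS = {
    "00:23:33:c6:a0:c0": "206.108.255.50 AS32609 CNS",
    "e4:aa:5d:83:73:06": "206.108.255.47 AS393639 IVDesk",
    "88:43:e1:00:f2:10": "206.108.255.18 AS12042 Consolidated Communications",
}
# Constructed requester identity (not from the thread).
ME_MAC, ME_IP = "02:00:00:00:00:01", "206.108.255.250"
TARGET = "45.60.73.16"

# Constructed capture: one request, three proxy replies, one normal reply, one repeat.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, ME_MAC, ME_IP, "00:00:00:00:00:00", TARGET),
    build_arp(ARP_REPLY, "00:23:33:c6:a0:c0", TARGET, ME_MAC, ME_IP),
    build_arp(ARP_REPLY, "e4:aa:5d:83:73:06", TARGET, ME_MAC, ME_IP),
    build_arp(ARP_REPLY, "88:43:e1:00:f2:10", TARGET, ME_MAC, ME_IP, vlan=100),
    build_arp(ARP_REPLY, "00:23:33:c6:a0:c0", "206.108.255.50", ME_MAC, ME_IP),
    build_arp(ARP_REPLY, "00:23:33:c6:a0:c0", TARGET, ME_MAC, ME_IP),
]

if __name__ == "__main__":
    for claimed, responders in find_proxy_arp(SAMPLE_FRAMES, peers=PEERS).items():
        print(f"off-LAN address {claimed} answered by:")
        for mac, label in responders:
            print(f"  {mac}  {label}")
```
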
On Aug 16, 2018, at 9:52 PM, Frank Bulk <fbulk@mypremieronline.com> wrote:
Thanks, Matthew, for explaining why ARP might be happening.
Now that CNS has its proxy ARP turned off, it’s AS393639 that’s responding:
SiouxCenter-Arista-North(s1)#traceroute ip www.yamaha-dealers.com <http://www.yamaha-dealers.com/> source et 3/24 traceroute to www.yamaha-dealers.com <http://www.yamaha-dealers.com/> (45.60.73.16), 30 hops max, 60 byte packets 1 AS393639.micemn.net <http://as393639.micemn.net/> (206.108.255.47) 13.936 ms 14.004 ms 13.998 ms 2 v415.core1.msp1.he.net <http://v415.core1.msp1.he.net/> (184.105.25.93) 14.146 ms 14.205 ms 14.274 ms 3 100ge13-1.core2.chi1.he.net <http://100ge13-1.core2.chi1.he.net/> (184.105.223.177) 22.533 ms 22.369 ms 22.538 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 *^CSiouxCenter-Arista-North(s1)#
Can an ACL be created on the Arista that discards in/outbound ARP requests for the non-MICE address space?
Frank
From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET <mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET>> On Behalf Of Steve Howard Sent: Thursday, August 16, 2018 9:32 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET <mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] Routing of non-IX traffic
I've disabled proxy arp on the CNS router... Has the behavior changed?
On 08/16/2018 05:00 PM, Matthew Beckwell wrote: I'm getting similar behavior as Frank.
Like Doug, I only have 45.60.73.0/24 from transit connections. So a traceroute from my MICE interface should ARP and die (I would think)....
When I traceroute to 45.60.73.16-- my router sends out an ARP request, as expected. But...I get ARP replies for 45.60.73.16 from these Cisco MACs (in the order they came into my interface):
00:23:33:c6:a0:c0  206.108.255.50   Cooperative Network Services (CNS)  32609
e4:aa:5d:83:73:06  206.108.255.47   IVDesk                              393639
88:43:e1:00:f2:10  206.108.255.18   Consolidated Communications         12042
b0:aa:77:33:7b:03  206.108.255.79   Gigamonster, LLC                    31939
3c:08:f6:81:6e:a5  206.108.255.46   OneNetUSA                           46131
00:1d:e5:c0:78:c3  206.108.255.5    Implex                              21709
54:75:d0:e6:08:30  206.108.255.106  Nuvera Communications               23465
00:11:5d:82:6c:00  206.108.255.80   Future Technologies                 26451
Proxy ARP (or something like it)? CNS seems to be consistently coming in first place when I clear my ARP entry.
~Matthew matthewb@aitech.net AS13746
Since we already have a list of which MACs have proxy ARP on, I would suggest the MICE leadership team privately contact those MICE participants and ask them to turn off proxy ARP.
Frank
From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> On Behalf Of Andrew Hoyos
Sent: Saturday, August 18, 2018 5:36 PM
To: MICE-DISCUSS@LISTS.IPHOUSE.NET
Subject: Re: [MICE-DISCUSS] Routing of non-IX traffic
Relevant: https://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
Seems like quite a few participants on MICE with proxy ARP still on. I know some IX’s toss you in a quarantine VLAN for initial turn-up - maybe this is something that needs to start, so this sort of thing can be checked?
— Andrew Hoyos hoyosa@gmail.com
On 08/21/2018 02:08 PM, Richard Laager wrote:
On 08/21/2018 08:04 AM, Frank Bulk wrote:
Since we already have a list of which MACs have proxy ARP on, I would suggest the MICE leadership team privately contact those MICE participants and ask them to turn off proxy ARP.
Sure thing. I've emailed them all off-list.
As of this afternoon, no MICE participants are doing proxy ARP. Thanks to those participants for responding quickly and reconfiguring their routers. Thanks to Matthew Beckwell for repeated testing to confirm the progress.
--
Richard
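The check described earlier in the thread (ARP for an address that is not on the peering LAN and see which MACs answer) can be run over a capture, as in this added example, which is not code from the thread or from MICE. It assumes `tcpdump -e -n arp` style lines and a /24 peering LAN (the thread does not state the prefix length); the capture is constructed from MAC and IP values quoted in the thread, with made-up timestamps and a made-up local MAC.

```python
import ipaddress
import re

# Assumption: the thread never states the peering LAN prefix length; /24 is illustrative.
IX_LAN = ipaddress.ip_network("206.108.255.0/24")

# Matches ARP replies as printed by `tcpdump -e -n arp`.
REPLY = re.compile(
    r"^\S+ [0-9a-f:]{17} > \S+ ethertype ARP \(0x0806\), length \d+: "
    r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})"
)

def find_proxy_arp(capture, lan=IX_LAN):
    """Return [(mac, peering_ip_or_None, claimed_ip)] for replies claiming off-LAN IPs."""
    peers = {}       # MAC -> the address it legitimately answers for on the LAN
    offenders = []   # arrival order, one entry per (MAC, claimed IP)
    seen = set()
    for line in capture.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # requests, non-ARP frames, malformed lines
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        mac = m["mac"]
        if ip in lan:
            peers[mac] = str(ip)
        elif (mac, ip) not in seen:
            seen.add((mac, ip))
            offenders.append((mac, str(ip)))
    # Resolve peering IPs last so a legitimate reply seen later still counts.
    return [(mac, peers.get(mac), ip) for mac, ip in offenders]

# Constructed capture: values from the thread, timestamps and local MAC made up.
_LINE = ("15:00:0{n}.000000 {mac} > 02:00:00:00:00:01, ethertype ARP (0x0806), "
         "length 60: Reply {ip} is-at {mac}, length 46")
_REPLIES = [
    ("206.108.255.50", "00:23:33:c6:a0:c0"),  # router answering for its own address
    ("45.60.73.16", "00:23:33:c6:a0:c0"),     # same router answering for an off-LAN IP
    ("45.60.73.16", "e4:aa:5d:83:73:06"),
    ("45.60.73.16", "88:43:e1:00:f2:10"),     # no on-LAN reply seen for this MAC
    ("45.60.73.16", "00:23:33:c6:a0:c0"),     # repeat, reported once
    ("206.108.255.47", "e4:aa:5d:83:73:06"),  # on-LAN reply arriving after the proxy reply
]
SAMPLE = "\n".join(_LINE.format(n=n, mac=mac, ip=ip) for n, (ip, mac) in enumerate(_REPLIES))

if __name__ == "__main__":
    for mac, peer_ip, claimed in find_proxy_arp(SAMPLE):
        print(f"{mac} ({peer_ip or 'unknown peer'}) answered for off-LAN {claimed}")
```
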
Interesting - today I've learned that although IOS XR has Proxy ARP disabled by default, IOS XE has it enabled by default:
nuveragw1#show ip int te0/3/0 | i ARP
Proxy ARP is enabled
RP/0/RSP0/CPU0:bbvgw1#show ip int te0/0/0/2 | i ARP
Proxy ARP is disabled
I’d agree that it’s not expected behavior in this context, so will disable it on Nuvera’s XE router.
Thanks for making me smarter,
anthony
participants (11)
- Andrew Hoyos
- AnthonyAnderberg@nuvera.net
- David Farmer
- Doug McIntyre
- Frank Bulk
- Jeremy Lumby
- Matthew Beckwell
- Mike Horwath
- Richard Laager
- Ryan Goldberg
- Steve Howard