[c-nsp] mystery pseudowire interfaces?

Saku Ytti saku at ytti.fi
Mon Jul 18 08:20:06 EDT 2016 

Interesting. The most obvious solutions is that this is bug, some
corruption/memory leak interpreted as configured pseudowires. I
couldn't find anything in quick search in cisco bug tool. I'd engage
CTAC.
You could also try to correlate appearance/disappearance of these to a
operational work. Perhaps these happen when to (de)provision circuits?

The tinfoil hat explanation is that someone is extracting data from
your network. I know one network which had TCAM poked ERSPAN
extraction configured, i.e. not visible in config, and based on data
being extracted it was deemed intentional action by 3rd party.

At least two of those IP addresses are not advertised in global table,
but that does not prove anything really. Trying look at the bits of
the IP addresses and VC_ID and no obvious pattern at least.

On 18 July 2016 at 12:55, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
>
>
> Hi,
>
>     I have a metro-ethernet connection between two sites - an asr920 and an
> me3600x and am running mpls over it. I have just noticed some mystery
> pseudowire interfaces that have shown up and I strongly think it's my
> metro-e provider leaking data into my circuit. Is this possible? Some
> examples:
>
>
> pseudowire100012 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation l2tpv2
>     Peer IP 107.118.108.50, VC ID 1634955825
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
>
>
> pseudowire100013 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 104.100.115.108, VC ID 1969973601
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
> pseudowire100016 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 48.109.103.109, VC ID 1986802480
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
> pseudowire100023 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 98.52.48.49, VC ID 2003399541
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
>
> None of these IPs are me - I have only rfc1918 addresses in my mpls network.
> How is it possible these have been created? I don't understand the
> mechanisam. There are no log entries...
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



-- 
  ++ytti

More information about the cisco-nsp mailing list