[c-nsp] mystery pseudowire interfaces?

Mack McBride mack.mcbride at viawest.com
Mon Jul 18 11:01:34 EDT 2016


Another explanation is that pseudowires were previously created on the device and deleted, and then
when MPLS was re-enabled, the interfaces reappeared.


Mack McBride | Senior Network Architect | ViaWest, Inc.
O: 720.891.2502 | C: 303.720.2711 | mack.mcbride at viawest.com | www.viawest.com


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Monday, July 18, 2016 6:20 AM
To: Mike
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] mystery pseudowire interfaces?

Interesting. The most obvious solution is that this is a bug, some corruption/memory leak interpreted as configured pseudowires. I couldn't find anything in a quick search in the Cisco bug tool. I'd engage CTAC.
You could also try to correlate appearance/disappearance of these to operational work. Perhaps these happen when you (de)provision circuits?

The tinfoil hat explanation is that someone is extracting data from your network. I know one network which had TCAM poked ERSPAN extraction configured, i.e. not visible in config, and based on data being extracted it was deemed intentional action by 3rd party.

At least two of those IP addresses are not advertised in the global table, but that does not prove anything really. I tried looking at the bits of the IP addresses and VC_ID, and there is no obvious pattern at least.

On 18 July 2016 at 12:55, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
>
>
> Hi,
>
>     I have a metro-ethernet connection between two sites - an asr920
> and an me3600x and am running mpls over it. I have just noticed some
> mystery pseudowire interfaces that have shown up and I strongly think
> it's my metro-e provider leaking data into my circuit. Is this
> possible? Some
> examples:
>
>
> pseudowire100012 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation l2tpv2
>     Peer IP 107.118.108.50, VC ID 1634955825
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
>
>
> pseudowire100013 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 104.100.115.108, VC ID 1969973601
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
> pseudowire100016 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 48.109.103.109, VC ID 1986802480
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
> pseudowire100023 is up
>     MTU 1500 bytes, BW 10000000 Kbit
>     Encapsulation unknown
>     Peer IP 98.52.48.49, VC ID 2003399541
>     RX
>       0 packets 0 bytes 0 drops
>     TX
>       0 packets 0 bytes 0 drops
>
> None of these IPs are me - I have only rfc1918 addresses in my mpls network.
> How is it possible these have been created? I don't understand the
> mechanism. There are no log entries...
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



--
  ++ytti
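
The bit-level look at the peer IPs and VC IDs discussed in this thread can be scripted. The following is an added example, not code from any poster: it parses the quoted output, checks each peer against the RFC 1918 space the original poster says he uses, and tests whether each value's four bytes are all printable ASCII. The function names and the big-endian byte order are assumptions.

```python
import ipaddress
import re
import struct

# Constructed input: the interface, peer and VC ID lines from the quoted output.
SAMPLE = """\
pseudowire100012 is up
    Peer IP 107.118.108.50, VC ID 1634955825
pseudowire100013 is up
    Peer IP 104.100.115.108, VC ID 1969973601
pseudowire100016 is up
    Peer IP 48.109.103.109, VC ID 1986802480
pseudowire100023 is up
    Peer IP 98.52.48.49, VC ID 2003399541
"""

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ENTRY = re.compile(r"^(pseudowire\d+) is \S+.*?Peer IP ([\d.]+), VC ID (\d+)", re.M | re.S)


def as_text(raw):
    """Return raw as a str if every byte is printable ASCII, else None."""
    return raw.decode("ascii") if all(0x20 <= b <= 0x7E for b in raw) else None


def inspect(show_output, expected_nets=RFC1918):
    """Flag pseudowires whose peer is outside expected_nets and decode the
    peer IP and VC ID as 4 big-endian bytes (byte order is an assumption)."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for name, peer, vc in ENTRY.findall(show_output):
        ip = ipaddress.ip_address(peer)
        findings.append({
            "interface": name,
            "peer_expected": any(ip in n for n in nets),
            "peer_ascii": as_text(ip.packed),
            "vc_ascii": as_text(struct.pack(">I", int(vc))),
        })
    return findings


if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(f)
```

On the quoted output, every peer IP and every VC ID decodes to four printable ASCII bytes, a property that does not depend on the assumed byte order. That is what text data read as pseudowire state would look like, which fits the corruption explanation raised in the thread.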

