many strange MAC addresses on switch ports

Hi,

We use netdisco to keep track of the devices which are connected to our Cisco switches.

Last week I noticed many strange MAC addresses popping up on some switch ports. Sometimes there are several hundred, sometimes fewer than 10 of these MACs. This happens on different Cisco switches (C2950-I6Q4L2-M, WS-C6506).

There is no vendor code which would match these addresses.

Has anyone seen this before? Any idea what might cause this?

Ralf

Reply to
Ralf Gross

Bad NIC or other transmitter sending rubbish?

Malicious code designed to make the forwarding database?

Bad switch?

Noise? - seems unlikely.

Reply to
anybody43

Maybe we can find a switch where this happens at regular intervals. At the moment I can't find a rule, different switches, different ports, different clients...

Ralf

Reply to
Ralf Gross

Add overflow. Malicious code designed to make the forwarding database overflow?

Reply to
anybody43

There is one port with 2400 of these addresses, but on most of the other affected ports the number of addresses is less than 100. I would assume that if someone really wants to flood the switch he would use many more addresses.

Ralf

Reply to
Ralf Gross

Sorry, I just read the OP more carefully.

The absolute first thing to do is to confirm that the problem is not with the 'disco' software.

You can use:

sh mac-a !

Reply to
anybody43
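
An added example, not part of the thread: one way to check a saved MAC address table listing from the switch itself, counting learned addresses per port and flagging source MACs that cannot be vendor-assigned (group bit or locally-administered bit set) or that read as text. The sample table and its addresses, the port_limit value and the function names are constructed for illustration; the parser assumes Cisco dotted-hex MACs with the port in the last column.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a Cisco IOS MAC address table listing.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0010.a4b5.c6d7    DYNAMIC     Fa0/1
   1    4a6f.6220.3432    DYNAMIC     Fa0/2
   1    fe11.2233.4455    DYNAMIC     Fa0/2
   1    0b00.5e00.0001    DYNAMIC     Fa0/2
   1    0010.a4b5.c6d8    DYNAMIC     Fa0/3
"""

MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)

def classify(mac):
    """Return reasons a learned source MAC looks suspect (empty list = plausible)."""
    octets = bytes.fromhex(mac.replace(".", ""))
    reasons = []
    if octets[0] & 0x01:  # I/G bit: a group address is never a valid source
        reasons.append("group-bit")
    if octets[0] & 0x02:  # U/L bit: locally administered, so no vendor OUI exists
        reasons.append("locally-administered")
    if all(0x20 <= b < 0x7F for b in octets):  # reads as text: payload bytes?
        reasons.append("printable-ascii")
    return reasons

def triage(table, port_limit=2):
    """Group learned MACs by port: count, over-limit flag and suspect MACs."""
    ports = defaultdict(lambda: {"count": 0, "over_limit": False, "suspect": {}})
    for line in table.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header, separator or blank line
        port = line.split()[-1]  # assumption: port is the last column
        entry = ports[port]
        entry["count"] += 1
        entry["over_limit"] = entry["count"] > port_limit
        reasons = classify(m.group(0).lower())
        if reasons:
            entry["suspect"][m.group(0).lower()] = reasons
    return dict(ports)

if __name__ == "__main__":
    for port, info in triage(SAMPLE).items():
        print(port, info)
```

If the switch's own table shows none of the odd entries that the inventory tool reports, the fault is in the collection path rather than on the wire.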

Depending on your security requirements, you might want to consider assuming that you have malicious code in the network until you can prove otherwise.

Find a device that is apparently sending these frames and SPAN or Monitor its port. The frames should show up on the sniffer. You can use Ethereal, which is free. SPAN a lot of ports (to a fast port) and save the traffic to files. When you see the addresses appear, look at the relevant files.

I find that Ethereal gets indigestion with more than about 50M or 100M of captured data so keep each file less than that. It is easy to configure Ethereal to save in 50M chunks.

Reply to
anybody43

On Thu, 20 Oct 2005 02:23:56 -0700, anybody43 wrote:

I know that ;)

Today I was able to see some of those odd addresses 'live' popping up on one switch port. At the moment I think that this might be a problem of some of our clients (nic, os..).

Either that or an odd client. We'll take a look at the clients that are connected to those ports.

Ralf

Reply to
Ralf Gross
