Ghost MAC address Part II

I have three Cisco 2970s... 2970_1 has a trunk to 2970_2 via Gi0/24 on both, and a trunk to 2970_3 on Gi0/4 (Gi0/2 on 2970_3).

I'm seeing lots of ARP broadcasts for an IP I do not use from a MAC address that isn't one of mine. I'm trying to hunt down where that address is with no luck:

2970_1 can't decide if it's on Gi0/24 or Gi0/4:

2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1

2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/4
Total Mac Addresses for this criterion: 1

2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1

As mentioned above, Gi0/4 is a trunk to 2970_3 and Gi0/24 is a trunk to 2970_2.

2970_2 thinks it might be on Gi0/3, Gi0/7, or Gi0/24:

2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 1

2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1

2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/7
Total Mac Addresses for this criterion: 1

Gi0/24 is a trunk to 2970_1, Gi0/3 is down with nothing connected to it, and Gi0/7 is a web server with one connected interface that does *not* have a hardware address of 000c.764e.04c8.

2970_3 can't tell if it's on Gi0/2, Gi0/3, or Gi0/4:

2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 1

2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 1

2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/4
Total Mac Addresses for this criterion: 1

Gi0/2 is a trunk to 2970_1, and Gi0/3 and Gi0/4 are connected to two name servers, neither of which has a hardware address of 000c.764e.04c8.

WHAT THE HELL IS GOING ON??? How can a hardware address be dancing around like that, especially when it doesn't freaking exist? If I keep doing sh mac-address-table address 000c.764e.04c8 over and over again, the answers randomly dance between the various values I've shown above.

Reply to
John Oliver
  1. What is the version of software running on each of the three 2970s?

  2. Is VLAN 3 the only VLAN (besides 1) configured on the three 2970s?

  3. What operating systems are used on the name servers and the web server?

  4. Have you captured any of the ARP requests/replies? If so, what is the source IP address?

This might be caused by one of the ARP virus programs

Reply to
Merv

2970_1#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

2970_2#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

2970_3#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

2970_1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/3, Gi0/5, Gi0/8
                                                Gi0/10, Gi0/11, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23
2    Outside                          active
3    DMZ                              active    Gi0/2, Gi0/6, Gi0/7, Gi0/9
                                                Gi0/12
4    Secure                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

2970_2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/6, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/12, Gi0/19, Gi0/20
                                                Gi0/21
2    Outside                          active
3    DMZ                              active    Gi0/3, Gi0/4, Gi0/5, Gi0/7
                                                Gi0/11, Gi0/13, Gi0/14, Gi0/15
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/22
                                                Gi0/23
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

2970_3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
3    VLAN0003                         active    Gi0/1, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

All Linux.

16:36:52.525936 00:0c:76:4e:04:c8 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103
Reply to
John Oliver
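The repeated lookups in the first post and the tcpdump line above are the two inputs a defender has to work from here. What follows is an added example, not code from the thread or from any of the posters: it assumes the output layout Catalyst IOS 12.2 prints for `show mac-address-table address`, constructs the nine lookups and the single ARP frame from what the thread reports, and takes the trunk ports (`TRUNKS`) from the OP's description of the topology. It reports, per switch, which ports the address was learned on, separates uplinks from edge ports, and checks whether the captured ARP request is gratuitous (sender and target IP identical).

```python
"""Added example, not code from the thread: parse repeated
'show mac-address-table address <mac>' samples, report a MAC that flaps
between ports, and check whether a captured ARP request is gratuitous."""
import re
from collections import defaultdict

PROMPT_RE = re.compile(r"^(?P<switch>\S+)#sh(?:ow)? mac-address-table address\s+\S+")
ENTRY_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                      r"\s+(?P<type>\w+)\s+(?P<port>\S+)", re.I)
# tcpdump ARP request: "<src mac> > Broadcast, ... arp who-has <target> ... tell <sender>"
ARP_RE = re.compile(r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > .*?arp who-has (?P<target>\S+)"
                    r" .*?tell (?P<sender>\S+)", re.I)


def normalize_mac(mac):
    """Return 12 lowercase hex digits for either 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def render_sample(switch, mac, vlan, port):
    """Constructed sample in the layout Catalyst IOS 12.2 prints for one lookup."""
    return (f"{switch}#sh mac-address-table address {mac}\n"
            "          Mac Address Table\n"
            "-------------------------------------------\n\n"
            "Vlan    Mac Address       Type        Ports\n"
            "----    -----------       --------    -----\n"
            f"{vlan:>4}    {mac}    DYNAMIC     {port}\n"
            "Total Mac Addresses for this criterion: 1\n")


# Constructed inputs reproducing what the thread reports: three lookups per
# switch and the one ARP frame from the capture. TRUNKS is the topology as the
# OP describes it (uplink ports per switch); everything else is assumed.
OBSERVATIONS = [("2970_1", "Gi0/24"), ("2970_1", "Gi0/4"), ("2970_1", "Gi0/24"),
                ("2970_2", "Gi0/3"), ("2970_2", "Gi0/24"), ("2970_2", "Gi0/7"),
                ("2970_3", "Gi0/2"), ("2970_3", "Gi0/3"), ("2970_3", "Gi0/4")]
SAMPLES = "".join(render_sample(sw, "000c.764e.04c8", 3, port) for sw, port in OBSERVATIONS)
ARP_LINE = ("16:36:52.525936 00:0c:76:4e:04:c8 > Broadcast, ethertype ARP (0x0806), length 60: "
            "arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103")
TRUNKS = {"2970_1": {"Gi0/24", "Gi0/4"}, "2970_2": {"Gi0/24"}, "2970_3": {"Gi0/2"}}


def parse_mac_samples(text):
    """Map (switch, mac) -> list of ports, one entry per repeated lookup, in order."""
    seen = defaultdict(list)
    switch = None
    for line in text.splitlines():
        if (m := PROMPT_RE.match(line)):
            switch = m.group("switch")
        elif switch and (m := ENTRY_RE.match(line)):
            seen[(switch, normalize_mac(m.group("mac")))].append(m.group("port"))
    return dict(seen)


def find_flapping(samples, trunks):
    """Report MACs learned on more than one port; split uplinks from edge ports,
    since an edge port is what you would mirror with SPAN first."""
    report = {}
    for (switch, mac), ports in samples.items():
        distinct = sorted(set(ports))
        if len(distinct) < 2:
            continue  # stable entry: learned on one port in every sample
        uplinks = trunks.get(switch, set())
        report[(switch, mac)] = {"ports": distinct, "samples": len(ports),
                                 "edge_candidates": [p for p in distinct if p not in uplinks]}
    return report


def classify_arp(line):
    """Parse a tcpdump ARP request; it is gratuitous when sender and target IP match."""
    m = ARP_RE.search(line)
    if not m:
        return None
    return {"src_mac": normalize_mac(m.group("src")), "sender_ip": m.group("sender"),
            "target_ip": m.group("target"), "gratuitous": m.group("sender") == m.group("target")}


def investigate(samples_text, arp_line, trunks):
    """Tie the ARP frame's source MAC to the flapping report: which edge ports to mirror first."""
    arp = classify_arp(arp_line)
    flapping = find_flapping(parse_mac_samples(samples_text), trunks)
    mirror_first = {sw: info["edge_candidates"] for (sw, mac), info in flapping.items()
                    if arp and mac == arp["src_mac"] and info["edge_candidates"]}
    return {"arp": arp, "mirror_first": mirror_first}


if __name__ == "__main__":
    print(investigate(SAMPLES, ARP_LINE, TRUNKS))
```

Run as a script it prints the ARP classification (gratuitous, since sender and target are both 172.16.100.103) and, per switch, the non-uplink ports on which the address was learned (Gi0/3 and Gi0/7 on 2970_2, Gi0/3 and Gi0/4 on 2970_3), which is the order a one-port-at-a-time SPAN hunt would follow. A switch learns a source MAC on whichever port the frame arrived on, so an entry that alternates between an uplink and edge ports of the same VLAN means frames carrying that source address are arriving from more than one direction; the example only narrows where to look, it does not locate the device.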

If the offending device is continuously ARPing, then I would suggest setting up a monitoring port connected to a PC running Ethereal.

Since the MAC address only shows up on the trunk ports of 2970_1, it would seem that the offending device is probably not connected to that switch.

So start with 2970_2, set up a monitoring port and one by one monitor the traffic from each port (one port at a time). Hopefully this way you can find the device that is generating the ARP request for 172.16.100.103. The decode posted looks like a device sending a gratuitous ARP. If not found on 2970_2, repeat the process on 2970_3.
Reply to
Merv

The Ethereal network protocol analyzer has changed its name to Wireshark.


Reply to
Make

Strangely enough there is no mention of this change on


Why might that be? "Shark" seems to be the critical part here. Would (on the) Make please go away, is my first reaction.

Reply to
anybody43

Try link

Yes, select Windows SourceForge and you get
there it is said: Wireshark (formerly Ethereal) is a network protocol analyzer for Unix and Windows.

Reply to
Make

Any chance of sticking to the OP's issue???

Reply to
Merv
