cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1642
Views
6
Helpful
7
Replies

Virtual MAC Addresses?

Josh Morris
Level 3
Level 3

I am getting thousands (like tens of thousands) of weird MAC Addresses in ISE, many of them are getting profiled as 'Xerox-Device' or 'EquipTrans-Device' based on the OUI. The MAC Addresses mostly start with '00:01:00:00:*:*' and '00:00:00:00:00:*' and come from specific switches/ports. Without tracing the device down physically, I'm assuming these are some kind of virtual mac addresses. Has anyone seen anything like this? Do you have any mitigation techniques? Endpoint purge policies?

7 Replies 7

Yes I see before it before and I think you use 892.1x multi-host under port ? if Yes then change that to multi-auth and check again.

Thanks, I'm already multi-auth on all NADs.

Josh Morris
Level 3
Level 3

Just found that one port that was showing this behavior has a Cisco phone connected. The behavior kind of reminded me of a loop of some kind, where thousands of endpoints were learned on a port at one time, then all were inactive after that.

Hmm, it can be
SW1-eth-IPPhone-Eth-SW2 
this can make all host in SW1 (MAB) through SW2. and that explain how ISE know these MAC and success auth it. 
so to be sure if that is case 
show mac in SW's 
select two or three MAC connect to this port 
and see if these port appear in any other SW or not. 

Damien Miller
VIP Alumni
VIP Alumni

I tend to have customers use purge policies to keep their ISE deployment's database clean regardless of random MACs being used or not. Purge policies based on inactive days are quite good for this. 

As far as the specific virtual MACs you called out, firewalls are a common source of these, but HSRP/VRRP routers also use 0000.0xxx.xxxx. Both Checkpoints and Cisco ASAs use virtual macs similar to your range. 

It would probably be beneficial to track them down, determine which device type is on those ports, and potentially exempt them from authentication if they are in a protected space. 

I have also seen these random MAC addresses come from guest PCs running a VM hypervisor. I've never found any documentation explaining why, but I assume it has something to do with the vmNIC driver.
If you're seeing these being learned on uplink ports, you might want to disable the access-session monitor on those ports. This is mainly a visibility feature on newer switches, but I've never found it very useful to have monitoring on uplinks from a NAC perspective.

interface x/x/x
 no access-session monitor

adams pro
Level 1
Level 1

Hello,

I'm glad to see someone had similar issue.

I also have this issue where thousands of MAC addresses would be discovered on the same ports. Happened multiples times and I don't know why exactly. Opened a case when it happened the first time but engineer couldn't help.

The ports showing this behavior are connected to USB or USB-C ethernet Hubs.

You will find one example in the image attached.

I also found some information on the internet that could be related :

https://www.reddit.com/r/networking/comments/an6lfq/pass_though_power_usb_type_c_hubs_cause_broadcast/

https://community.cisco.com/t5/switching/mac-flooding-apple-usb-c-hub/td-p/3225604