06-03-2008 07:40 AM - edited 03-11-2019 05:54 AM
Has anyone seen addresses like this in Pix?
0152.4153.2000.1617.
8117.d000.0001.0000.
00
They keep showing up in the output of "show dhcpd binding" and block other legitimate
client machines.
06-03-2008 08:49 AM
As per the MAC wiki:
"If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast."
So those are multicast MAC addresses, depending on the protocol you are running (like CDP, HSRP, etc.).
Regards
Farrukh
06-03-2008 09:18 AM
Thanks for the reply.
Could this be from the VOIP phones? That's the only thing we added to the network recently. But the question is how these strangely-formatted addresses got into the DHCP table and get assigned IP addresses? Can I block these addresses?
06-03-2008 11:24 AM
Hello Wen
I tried to look up those MACs on Google, but till now could not come up with anything.
Which vendor's IP phones/Call Control software are you guys using?
Mind telling me what IP is mapped to these MACs?
Regards
Farrukh
06-03-2008 01:50 PM
We are not sure if this is the Linksys VOIP phone. We have all kinds of devices here that might be linked to the network - Windows, Mac, iPhone/BlackBerry ...
Example of the "show dhcpd binding" output:
69.77.163.189 0152.4153.2000.1617.
8117.d000.0002.0000.
00
69.77.163.190 0152.4153.2000.1617.
8117.d000.0005.0000.
00
69.77.163.191 0152.4153.2000.1617.
8117.d000.0001.0000.
00
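Added example, not part of any post in this thread: a Python sketch that rejoins the wrapped rows of the "show dhcpd binding" output above and reports, for each identifier, its byte length, the group bit from the MAC rule quoted earlier, and a printable-ASCII view of the bytes. The sample rows are copied from the post above; the function names are hypothetical.

```python
import re

# Sample rows copied from the "show dhcpd binding" output posted in this thread.
SAMPLE = """\
69.77.163.189 0152.4153.2000.1617.
8117.d000.0002.0000.
00
69.77.163.190 0152.4153.2000.1617.
8117.d000.0005.0000.
00
"""

IP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
HEX_ONLY = re.compile(r"^[0-9a-fA-F.]+$")


def parse_bindings(text):
    """Rejoin identifiers that wrap across lines; return [(ip, identifier_bytes)]."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = IP_ROW.match(line)
        if m:
            rows.append([m.group(1), m.group(2)])
        elif rows and HEX_ONLY.match(line):
            rows[-1][1] += line  # continuation of the previous row's identifier
    return [(ip, bytes.fromhex(ident.replace(".", ""))) for ip, ident in rows]


def describe(ident):
    """Summarise one identifier taken from the binding table."""
    return {
        "length": len(ident),
        # A bare Ethernet MAC is exactly 6 bytes; anything longer is not one.
        "plain_mac": len(ident) == 6,
        # Group bit: least significant bit of the first octet.
        "group_bit": bool(ident[0] & 0x01),
        # Printable bytes as text, everything else as '.', to expose embedded tags.
        "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in ident),
    }


if __name__ == "__main__":
    for ip, ident in parse_bindings(SAMPLE):
        print(ip, ident.hex(), describe(ident))
```
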
06-03-2008 05:59 PM
Is your PIX firewall directly terminated to a WAN link (via Ethernet)?
These seem to be public IPs?
Regards
Farrukh
06-04-2008 07:11 AM
These are public IPs. The FW is directly connected to the Internet and has 69.77.163.0/24 on its inside interface.
06-04-2008 11:24 AM
Well if these IPs are on your network, why don't you give an OS fingerprinting tool like NMAP a try? Or perhaps run a 'Full' Nessus scan on these IPs, that might help you reveal some information about them.
Since you know the IPs, it should not be hard to track them down.
If you have CiscoWorks Campus Manager, you can use the User Tracking option to search for these IP/MACs.
Regards
Farrukh
06-04-2008 11:51 AM
Unfortunately I don't have any tools like CiscoWorks Campus Manager here. What makes it worse is that these IPs might be some wireless devices. Strangely I don't even get any response by pinging these IPs.
06-04-2008 12:18 PM
Is your wireless setup secure? Or is it SSID broadcast with no security?
So some sort of device is associating with your AP using these multicast MACs (very strange though). Can you confirm if these IP addresses are from the wireless AP address pool?
Regards
Farrukh
06-04-2008 12:45 PM
The APs are protected with SSIDs.
I am still not sure if these IPs are from the wireless because I can't take down all of them for testing while people are connected. They come and go with no pattern to follow. But it seems this happens more during daytime.