cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1642
Views
25
Helpful
10
Replies

a strange MAC address appeared on a switch port

Vencola
Level 1
Level 1

Hi all,

 

there is a strange MAC address appeared on a switch port.

 

I have switch (WS-C3750X-48P-E) with port security MAC address sticky enabled.

SW version: 15.2(3)E2

there are two devices connected to this port , a Cisco phone and a an HP desktop.

the MAC is: 0000.3600.10ab   >> searching online shows that this MAC belongs to a vendor called " ATARI CORPORATION "

I don't have anything on the network from this vendor.

 

any idea why this strange MAC appeared on this port, this is not the first time I found a MCA from ATARI CORPORATION appear on our Network, on a different switches on a different ports. 

 

appreciate your help. 

 

10 Replies 10

Leo Laohoo
Hall of Fame
Hall of Fame

Statically assigned MAC address.

Not unheard of, not impossible to do and I'd do the same prank myself. 

Hello,

 

Atari (mostly gaming) devices do have NICs, maybe somebody has connected one of them to his/her PC. I would ask the user(s) connecting to this port...

Hi Georg, 

nobody connected anything to the device, the port gets shutdown due to port security violation.

the user answer is: no

the syslog server: shows that this port gets down and up about 8 times with 1sec between each up and down, then gets shutdown due to port security violation at the end. 

 

balaji.bandi
Hall of Fame
Hall of Fame

you mean the device connected showing this MAC Address (point to that interface where Phone and HP desktop connected ?)

Do you have any VM running in the HP Desktops ?

 

This is my experience this kind of device i have observed in the past. (may be not your case)

 

May be some of the TV have this interface i have seen and observed, ( i was not sure if this TV andriod based ) ? (what part of Geo location you are ?)  Also check do you have any WIFI recetnly there is randomoside IP config taking place (just guess - since you dont know the device.)

 

best bet is turn off device and test it. where this mac generating from and also is this go off ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

the MAC is not permanent, it just appeared on the port once and that is it. 

the port gets shutdown due to port security violation, if I enabled the port again, it will show the original MAC of the HP computer. 

Its Looks like something fishy with NIC Interface or something with the HP computer.

 

1. what Operating system?

2. what is the purpose of this PC.

3. Do you get a chance to add a new Interface and test it?

4. when the port disabled on the switch, what you see on the HP PC, is the MAC address of NIC the same or changed?

5. is this PC connected behind the phone? what phone model is this?

 

Can you post if you have any sample full logs when the port disabled on the switch?

 

on a side note - randomized MAC Address only applicable for WIFI network, not for the physical Ethernet interface.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

I would scan the registry of your windows machine for that MAC address (regedt32). The MAC address must come from somewhere...

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

What's happens if you will disconnect the HP desktop? Will it disappear? have you checked in your desktop for anything wrong and have you enabled the Windows Random MAC creation feature (You can ask why Windows will generate a MAC address from AATARI OUI, I don't have an answer but it is general troubleshooting steps)?

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Yes it will disappear, it is not permanent, it just appeared once and then the original HP computer MAC appear again. 

I've scanned the PC for virus and it seems clean. 

 

I don't know about "Windows Random MAC creation feature" I will google it, appreciate if you can help. 

Hello
Apply a port or vlan based mac acl to drop the mac-address.

Example:
mac access-list extended nomac
deny host 0000.3600.10ab any
permit any any

int x/x
mac access-group nomac in

or
mac address-table static 0000.3600.10ab vlan x drop
mac address-table static 0000.3600.10ab vlan y drop 
< this wouldnt negate it appering on the access-port but it would stop it from commincatiing on the vlan(s)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: