02-13-2021 10:38 PM
Hi all,
there is a strange MAC address appeared on a switch port.
I have switch (WS-C3750X-48P-E) with port security MAC address sticky enabled.
SW version: 15.2(3)E2
there are two devices connected to this port , a Cisco phone and a an HP desktop.
the MAC is: 0000.3600.10ab >> searching online shows that this MAC belongs to a vendor called " ATARI CORPORATION "
I don't have anything on the network from this vendor.
any idea why this strange MAC appeared on this port, this is not the first time I found a MCA from ATARI CORPORATION appear on our Network, on a different switches on a different ports.
appreciate your help.
02-13-2021 11:28 PM - edited 02-13-2021 11:28 PM
Statically assigned MAC address.
Not unheard of, not impossible to do and I'd do the same prank myself.
02-14-2021 12:26 AM
Hello,
Atari (mostly gaming) devices do have NICs, maybe somebody has connected one of them to his/her PC. I would ask the user(s) connecting to this port...
02-15-2021 12:54 AM
Hi Georg,
nobody connected anything to the device, the port gets shutdown due to port security violation.
the user answer is: no
the syslog server: shows that this port gets down and up about 8 times with 1sec between each up and down, then gets shutdown due to port security violation at the end.
02-14-2021 02:55 AM
you mean the device connected showing this MAC Address (point to that interface where Phone and HP desktop connected ?)
Do you have any VM running in the HP Desktops ?
This is my experience this kind of device i have observed in the past. (may be not your case)
May be some of the TV have this interface i have seen and observed, ( i was not sure if this TV andriod based ) ? (what part of Geo location you are ?) Also check do you have any WIFI recetnly there is randomoside IP config taking place (just guess - since you dont know the device.)
best bet is turn off device and test it. where this mac generating from and also is this go off ?
02-15-2021 12:55 AM
the MAC is not permanent, it just appeared on the port once and that is it.
the port gets shutdown due to port security violation, if I enabled the port again, it will show the original MAC of the HP computer.
02-15-2021 02:03 AM
Its Looks like something fishy with NIC Interface or something with the HP computer.
1. what Operating system?
2. what is the purpose of this PC.
3. Do you get a chance to add a new Interface and test it?
4. when the port disabled on the switch, what you see on the HP PC, is the MAC address of NIC the same or changed?
5. is this PC connected behind the phone? what phone model is this?
Can you post if you have any sample full logs when the port disabled on the switch?
on a side note - randomized MAC Address only applicable for WIFI network, not for the physical Ethernet interface.
02-15-2021 02:10 AM
Hello,
I would scan the registry of your windows machine for that MAC address (regedt32). The MAC address must come from somewhere...
02-14-2021 09:49 PM
Hi,
What's happens if you will disconnect the HP desktop? Will it disappear? have you checked in your desktop for anything wrong and have you enabled the Windows Random MAC creation feature (You can ask why Windows will generate a MAC address from AATARI OUI, I don't have an answer but it is general troubleshooting steps)?
02-15-2021 12:58 AM
Yes it will disappear, it is not permanent, it just appeared once and then the original HP computer MAC appear again.
I've scanned the PC for virus and it seems clean.
I don't know about "Windows Random MAC creation feature" I will google it, appreciate if you can help.
02-15-2021 02:25 AM - edited 02-15-2021 02:31 AM
Hello
Apply a port or vlan based mac acl to drop the mac-address.
Example:
mac access-list extended nomac
deny host 0000.3600.10ab any
permit any any
int x/x
mac access-group nomac in
or
mac address-table static 0000.3600.10ab vlan x drop
mac address-table static 0000.3600.10ab vlan y drop < this wouldnt negate it appering on the access-port but it would stop it from commincatiing on the vlan(s)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: