Solved: Re: get ride of fake mac address on catalyst switch

ray_juarez · ‎11-18-2010

Hi,

I recently noticed that some catalyst switches in my network are having a bunch of fake mac addresses in one or two ports. Some of these ports happen to have connected some third-party vendor lan switch (ANSEL) but some others have just one PC connected. I have shutdown the port and reloaded the switch but the problem persist. I this an IOS bug?

These are some data about my switch:

System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin"

cisco WS-C2950G-48-EI (RC32300) processor (revision Q0) with 21013K bytes of memory.
Processor board ID FOC1009Z7HA

Here are some mac addresss that show in my switch:

e2-9a-e5-f2-a8-9f

7e-37-ae-19-9e-9a

30-b9-22-70-80-0b

ac-6c-6b-fa-f7-be

98-e0-7d-e0-c2-b2

3a-aa-aa-aa-aa-aa

b0-07-4c-24-8e-02

80-f0-c0-c9-95-f9

deyadav · ‎11-18-2010

Well you cannot be 100% certain about it. There might just be malicious system/application in the network which advertises those MAC's. The best and the easiest way is it to do a sniffer capture on the ports where you see such traffic, and check for the packet details to know more about the system which is sending out those MAC's.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swspan.html

On the Span destination port, you may connect a PC with Wireshark installed to capture the traffic.

I could at least see an IOS bug around this issue, so perhaps you may to upgrade the IOS to latest available release for the 2950 switches:

You may check the bug using this link:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Bug ID:CSCsr93288

Cat2950 generates ghost MAC address

This was fixed in 12.1(22)EA9 and later releases.

HTH.

Regards,

Deepak

View solution in original post

deyadav · ‎11-18-2010

Port-security is 1 easy way to avoid such an issue.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swtrafc.html#wp1038501

If you would like to drop the packets with these MAC, you may use this command as well:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/command/reference/cli1.html#wp4344743

HTH.

Regards,

Deepak

ray_juarez · ‎11-18-2010

Hi Deepak,

Is there a way to know why these fake mac addresses suddenly appear on the switch? It doesn't seem to be done by users since they are not technical staff and they don't have technical skills to do so.

Thanks in advance.

Ray Juarez

deyadav · ‎11-18-2010

Well you cannot be 100% certain about it. There might just be malicious system/application in the network which advertises those MAC's. The best and the easiest way is it to do a sniffer capture on the ports where you see such traffic, and check for the packet details to know more about the system which is sending out those MAC's.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swspan.html

On the Span destination port, you may connect a PC with Wireshark installed to capture the traffic.

I could at least see an IOS bug around this issue, so perhaps you may to upgrade the IOS to latest available release for the 2950 switches:

You may check the bug using this link:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Bug ID:CSCsr93288

Cat2950 generates ghost MAC address

This was fixed in 12.1(22)EA9 and later releases.

HTH.

Regards,

Deepak

ray_juarez · ‎11-19-2010

Hi Deepak,

Thanks for your answer, it was very useful.

Best regards

Ray Juarez