Weird MAC address in "show dhcpd binding"

Unanswered Question
Farrukh Haroon Tue, 06/03/2008 - 08:49

As per the MAC wiki:

"If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast."

So those are Multicast MAC-Addresses depending on the protocol you are running (Like CDP,HSRP etc.)



Farrukh Haroon Tue, 06/03/2008 - 11:24

Hello Wen

I tried to lookup those MACs on google, but till now could not come up with anything.

Which vendor's IP phones/Call Control software are you guys using?

Mind telling my what IP is mapped to these MACs?



We are not sure if this is the linksys VOIP phone. We have all kinds of devices here that might be linked to the network - windows, MAC, iphone/Blackberry ...

example of the "show dhcpd binding" output 0152.4153.2000.1617.


00 0152.4153.2000.1617.


00 0152.4153.2000.1617.



Farrukh Haroon Tue, 06/03/2008 - 17:59

If your PIX firewall directly terminated to a WAN link (Via Ethernet)?

These seem to be public IPs?



Farrukh Haroon Wed, 06/04/2008 - 11:24

Well if these IPs are on your network, why don't you give an OS fingerprinting tool like NMAP a try? Or perhaps run a 'Full' Nessus scan on these IPs, that might help you reveal some information about them.

Since you know the IPs, it should not be hard to track them down.

If you have CiscoWorks Campus Manager, you can use the User Tracking option to search for these IP/MACs.



Farrukh Haroon Wed, 06/04/2008 - 12:18

Is your wireless setup secure? Or is it SSID broadcast with no security?

So some sort of device is associating with your AP using these Multicast MACs (very strange tough). Can you confirm if these IP addresses are from the Wireless AP Address Pool?




This Discussion