
Weird MAC address in "show dhcpd binding"

wen.chen
Level 1

Has anyone seen addresses like this in Pix?

0152.4153.2000.1617.

8117.d000.0001.0000.

00

They keep showing up in the output of "show dhcpd binding" and block other legitimate client machines.

10 Replies

Farrukh Haroon
VIP Alumni

As per the MAC wiki:

"If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast."

So those are multicast MAC addresses, depending on the protocol you are running (like CDP, HSRP, etc.).

Regards

Farrukh

Thanks for the reply.

Could this be from the VOIP phones? That's the only thing we added to the network recently. But the question is how these strangely formatted addresses got into the DHCP table and got assigned IP addresses. Can I block these addresses?

Hello Wen

I tried to look up those MACs on Google, but till now could not come up with anything.

Which vendor's IP phones/Call Control software are you guys using?

Mind telling me what IP is mapped to these MACs?

Regards

Farrukh

We are not sure if this is the Linksys VOIP phone. We have all kinds of devices here that might be linked to the network: Windows, Mac, iPhone/BlackBerry ...

Example of the "show dhcpd binding" output:

69.77.163.189 0152.4153.2000.1617.

8117.d000.0002.0000.

00

69.77.163.190 0152.4153.2000.1617.

8117.d000.0005.0000.

00

69.77.163.191 0152.4153.2000.1617.

8117.d000.0001.0000.

00

Is your PIX firewall directly terminated to a WAN link (via Ethernet)?

These seem to be public IPs?

Regards

Farrukh

These are public IPs. The FW is directly connected to the Internet and has 69.77.163.0/24 on its inside interface.

Well if these IPs are on your network, why don't you give an OS fingerprinting tool like NMAP a try? Or perhaps run a 'Full' Nessus scan on these IPs, that might help you reveal some information about them.

Since you know the IPs, it should not be hard to track them down.

If you have CiscoWorks Campus Manager, you can use the User Tracking option to search for these IP/MACs.

Regards

Farrukh

Unfortunately I don't have any tools like CiscoWorks Campus Manager here. What makes it worse is that these IPs might be some wireless devices. Strangely, I don't even get any response by pinging these IPs.

Is your wireless setup secure? Or is it SSID broadcast with no security?

So some sort of device is associating with your AP using these multicast MACs (very strange though). Can you confirm if these IP addresses are from the wireless AP address pool?

Regards

Farrukh

The APs are protected with SSIDs.

I am still not sure if these IPs are from the wireless because I can't take down all of them for testing while people are connected. They come and go with no pattern to follow. But it seems this happens more during the daytime.
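
An added example, not part of the thread and not Cisco code: it parses the dotted-hex values quoted above, applies the least-significant-bit test from the rule quoted in the first reply, and groups the leases by the 6-octet address embedded in each value. It assumes the field holds a DHCP client identifier whose first octet is a hardware type rather than part of a MAC; `analyze` and `group_by_embedded_mac` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed input: the bindings quoted in the thread, with each wrapped
# identifier joined back into a single dotted-hex field.
BINDINGS = {
    "69.77.163.189": "0152.4153.2000.1617.8117.d000.0002.0000.00",
    "69.77.163.190": "0152.4153.2000.1617.8117.d000.0005.0000.00",
    "69.77.163.191": "0152.4153.2000.1617.8117.d000.0001.0000.00",
}

def parse_dotted_hex(field):
    """Convert Cisco dotted-hex text into raw octets (ValueError if malformed)."""
    return bytes.fromhex(field.replace(".", ""))

def analyze(field):
    """Describe one identifier from the binding table (hypothetical helper)."""
    raw = parse_dotted_hex(field)
    info = {
        "octets": len(raw),
        "is_mac_length": len(raw) == 6,
        # I/G bit: least significant bit of the first octet, per the quoted rule
        "first_octet_group_bit": bool(raw[0] & 0x01),
        "ascii_tag": "", "embedded_mac": None, "suffix": b"",
    }
    # Assumption: a longer value starting with 0x01 is a client identifier
    # whose first octet is a hardware type (1 = Ethernet), not part of a MAC.
    if len(raw) > 6 and raw[0] == 0x01:
        body = raw[1:]
        n = 0
        # Heuristic: octets beyond the 6 needed for a MAC may start with a text tag
        while n < len(body) - 6 and 0x20 <= body[n] < 0x7f:
            n += 1
        info["ascii_tag"] = body[:n].decode("ascii")
        info["embedded_mac"] = ":".join(f"{b:02x}" for b in body[n:n + 6])
        info["suffix"] = body[n + 6:]
    return info

def group_by_embedded_mac(bindings):
    """Map each embedded hardware address to the leased IPs that carry it."""
    groups = defaultdict(list)
    for ip, field in sorted(bindings.items()):
        groups[analyze(field)["embedded_mac"]].append(ip)
    return dict(groups)

if __name__ == "__main__":
    print(analyze(BINDINGS["69.77.163.189"]))
    print(group_by_embedded_mac(BINDINGS))
```

On the three bindings from the thread, each value is 17 octets long, the same 6-octet address is embedded in every entry, and only the trailing octets differ.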
