Odd mac address entries on rackswitches

Unanswered Question
Sep 23rd, 2009

Hi,


After some advice on some odd switch log entries I'm seeing, and I wondered if anyone has an idea of what could be going on.


We're a small hosting company, running a VSS configuration on two 6509 Chassis leading off to C2960 rackswitches.


We host dedicated servers, both Unix and Windows based. We split subnets into /23s on separate VLANs, and grow our solution out through rackswitches with the additional VLANs as we take on more customers. These servers are on public IPs with a basic ACL in front. Customers can then purchase firewalls/additional security products as they see fit.


Recently, we began to get mac-addresses appearing in the logs, and the fleeting between different servers.

Recently, I am seeing the following entries in rackswitches logs.

After getting alerts of

These MAC addresses are completely nonsensical, not registered to any company's NICs, and appear not to be load-balancing MACs or multicast. They're just randomly given MAC addresses.


We have tried to place port-security on the rackswitches, but we still just get hits in the port-security violation logs now on the rackswitches


Certain MAC addresses appear at random in the logs, and they usually occur on multiple rack-switches at around the same time.


The 6509's never have log entries for this activity


Has anyone seen similar behaviour, or can give me any leads on what could be going on with these hosts?


All relevant details att'd.





Giuseppe Larosa Thu, 09/24/2009 - 04:48

Hello Richard,

These problems are among the most difficult to troubleshoot.


Your configurations look fine.


I think that port security can cause issues if the security violation reaction is to disable the port.


Edit:

I've checked that you have

switchport port-security violation restrict


This doesn't cause issues.


First of all, you should verify if these strange mac addresses really appear on wire.


A possible approach for this is to SPAN a server port trying to get the packets when an error event is signalled.

Also, I've noticed that non-unicast MAC addresses cannot be seen with a sh mac-address-table; actually, they don't enter the CAM table.

We see some messages like this also on switches not stacked:

All-zeroes MAC addresses should come from not configured, just initialized VMware instances.

Some other strange MAC addresses may be the result of devices with an IPv6 stack running.


If it is like in our campuses, these messages are not a real problem.

If you start to see a lot of them, they are "noise" that fills log buffers.


Hope to help

Giuseppe
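
An added example, not part of either post and not taken from the poster's attachments: a small Python triage script that parses port-security violation messages, classifies each offending MAC by the categories raised in this thread (all-zero, non-unicast, IPv6 multicast, locally administered), and lists MACs reported by more than one rackswitch. The log lines and switch names are constructed, and the line layout (switch name followed by the IOS `PSECURE_VIOLATION` message) is an assumption about how the logs are collected.

```python
import re
from collections import defaultdict

# Constructed sample: "<switch> <timestamp>: <IOS message>". Layout is assumed.
MSG = "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address"
SAMPLE = f"""\
rack-sw1 Sep 23 10:15:02: {MSG} 0000.0000.0000 on port GigabitEthernet0/5.
rack-sw2 Sep 23 10:15:03: {MSG} 3333.ff1a.2b3c on port GigabitEthernet0/7.
rack-sw1 Sep 23 10:15:04: {MSG} 3333.ff1a.2b3c on port GigabitEthernet0/9.
rack-sw3 Sep 23 11:40:10: {MSG} 0a1b.2c3d.4e5f on port GigabitEthernet0/2.
"""

LINE = re.compile(
    r"^(?P<switch>\S+) .*%PORT_SECURITY-2-PSECURE_VIOLATION: .*"
    r"MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

def classify(mac):
    """Classify a Cisco dotted MAC using the I/G and U/L bits of the first octet."""
    raw = bytes.fromhex(mac.replace(".", ""))
    if raw == bytes(6):
        return "all-zero"              # e.g. an uninitialised virtual NIC
    if raw[:2] == b"\x33\x33":
        return "ipv6-multicast"        # 33:33:xx:xx:xx:xx group range
    if raw[0] & 0x01:
        return "group"                 # I/G bit set: multicast or broadcast
    if raw[0] & 0x02:
        return "locally-administered"  # U/L bit set: no vendor OUI to look up
    return "global-unicast"            # first three octets are a vendor OUI

def parse(text):
    """Return (switch, mac, port) for every violation line in text."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((m["switch"], m["mac"].lower(), m["port"]))
    return events

def seen_on_multiple_switches(events):
    """Map each MAC reported by more than one switch to those switches."""
    by_mac = defaultdict(set)
    for switch, mac, _port in events:
        by_mac[mac].add(switch)
    return {mac: sorted(sw) for mac, sw in by_mac.items() if len(sw) > 1}

if __name__ == "__main__":
    events = parse(SAMPLE)
    for switch, mac, port in events:
        print(f"{switch:9} {port:20} {mac}  {classify(mac)}")
    print("multi-switch:", seen_on_multiple_switches(events))
```

A MAC classified as locally-administered will never match a vendor OUI, and a group or all-zero address is not a valid source for a real NIC, so those are the entries worth confirming on the wire with the SPAN capture suggested above.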

