I recently noticed that some catalyst switches in my network are having a bunch of fake mac addresses in one or two ports. Some of these ports happen to have connected some third-party vendor lan switch (ANSEL) but some others have just one PC connected. I have shutdown the port and reloaded the switch but the problem persist. I this an IOS bug?
These are some data about my switch:
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin"
cisco WS-C2950G-48-EI (RC32300) processor (revision Q0) with 21013K bytes of memory.
Processor board ID FOC1009Z7HA
Here are some mac addresss that show in my switch:
Well you cannot be 100% certain about it. There might just be malicious system/application in the network which advertises those MAC's. The best and the easiest way is it to do a sniffer capture on the ports where you see such traffic, and check for the packet details to know more about the system which is sending out those MAC's.
On the Span destination port, you may connect a PC with Wireshark installed to capture the traffic.
I could at least see an IOS bug around this issue, so perhaps you may to upgrade the IOS to latest available release for the 2950 switches:
You may check the bug using this link:
Cat2950 generates ghost MAC address
This was fixed in 12.1(22)EA9 and later releases.