get rid of fake mac address on catalyst switch

Answered Question
Nov 18th, 2010

Hi,


I recently noticed that some Catalyst switches in my network have a bunch of fake MAC addresses on one or two ports. Some of these ports happen to have a third-party vendor LAN switch (ANSEL) connected, but some others have just one PC connected. I have shut down the port and reloaded the switch but the problem persists. Is this an IOS bug?

These are some data about my switch:


System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin"


cisco WS-C2950G-48-EI (RC32300) processor (revision Q0) with 21013K bytes of memory.
Processor board ID FOC1009Z7HA


Here are some MAC addresses that show up in my switch:



deyadav (Cisco Employee) Thu, 11/18/2010 - 09:26
ray_juarez Thu, 11/18/2010 - 13:39

Hi Deepak,


Is there a way to know why these fake mac addresses suddenly appear on the switch? It doesn't seem to be done by users since they are not technical staff and they don't have technical skills to do so.


Thanks in advance.


Ray Juarez

Correct Answer
deyadav (Cisco Employee) Thu, 11/18/2010 - 20:20

Well, you cannot be 100% certain about it. There might just be a malicious system/application in the network which advertises those MACs. The best and easiest way is to do a sniffer capture on the ports where you see such traffic, and check the packet details to learn more about the system which is sending out those MACs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swspan.html


On the SPAN destination port, you may connect a PC with Wireshark installed to capture the traffic.



I could at least see an IOS bug around this issue, so perhaps you may want to upgrade the IOS to the latest available release for the 2950 switches:


You may check the bug using this link:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs


Bug ID: CSCsr93288

Cat2950 generates ghost MAC address


This was fixed in 12.1(22)EA9 and later releases.


HTH.


Regards,

Deepak
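
One way to work through the SPAN capture suggested in the answer above, as an added example (not code from this thread or from Cisco): it reads a capture saved in classic pcap format and summarises every source MAC that is not in the port's expected inventory. The inventory, the sample capture and all MAC addresses in it are constructed for illustration.

```python
import struct
from collections import defaultdict

def source_macs(pcap: bytes):
    """Yield (source MAC, EtherType) for each Ethernet frame in a classic pcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (save pcapng captures as pcap first)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                                   # end of the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:                   # need dst(6) + src(6) + type(2)
            src = "-".join(f"{b:02x}" for b in frame[6:12])
            yield src, struct.unpack("!H", frame[12:14])[0]

def unexpected_sources(pcap: bytes, known: set) -> dict:
    """Summarise source MACs absent from `known` (lowercase, hyphen-separated)."""
    seen = defaultdict(lambda: {"frames": 0, "ethertypes": set()})
    for src, ethertype in source_macs(pcap):
        if src not in known:
            seen[src]["frames"] += 1
            seen[src]["ethertypes"].add(hex(ethertype))
    for src, info in seen.items():
        # Bit 0x02 of the first octet marks a locally administered (not vendor-assigned) address.
        info["locally_administered"] = bool(int(src[:2], 16) & 0x02)
    return dict(seen)

# --- constructed sample capture (all addresses below are made up) ---
def _frame(src: str, ethertype: int = 0x0800) -> bytes:
    return b"\xff" * 6 + bytes.fromhex(src.replace("-", "")) + struct.pack("!H", ethertype) + bytes(46)

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

KNOWN = {"00-11-22-33-44-55"}                  # the PC expected on the port
SAMPLE = _pcap([_frame("00-11-22-33-44-55"), _frame("02-00-5e-10-00-01"),
                _frame("02-00-5e-10-00-01", 0x0806), _frame("00-de-ad-be-ef-01")])

if __name__ == "__main__":
    for mac, info in unexpected_sources(SAMPLE, KNOWN).items():
        print(mac, info)
```

A switch learns MAC table entries from the source addresses of frames received on a port, so an entry that never shows up as a source in a receive-side capture of that port was not learned from the captured traffic.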

ray_juarez Fri, 11/19/2010 - 10:02

Hi Deepak,


Thanks for your answer, it was very useful.


Best regards


Ray Juarez
