Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Weird MAC address in "show dhcpd binding"

Has anyone seen addresses like this in Pix?

0152.4153.2000.1617.

8117.d000.0001.0000.

00

they keep showing up in output of "show dhcpd binding" and block other legitimate

client machine.

10 REPLIES

Re: Weird MAC address in "show dhcpd binding"

As per the MAC wiki:

"If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast."

So those are Multicast MAC-Addresses depending on the protocol you are running (Like CDP,HSRP etc.)

Regards

Farrukh

Community Member

Re: Weird MAC address in "show dhcpd binding"

Thanks for reply.

Could this be from the VOIP phones? thats the only thing we added to the network recently. But the question is how these strangely-formatted addresses got into DHCP table and get assigned IP addresses? Can I block these addresses?

Re: Weird MAC address in "show dhcpd binding"

Hello Wen

I tried to lookup those MACs on google, but till now could not come up with anything.

Which vendor's IP phones/Call Control software are you guys using?

Mind telling my what IP is mapped to these MACs?

Regards

Farrukh

Community Member

Re: Weird MAC address in "show dhcpd binding"

We are not sure if this is the linksys VOIP phone. We have all kinds of devices here that might be linked to the network - windows, MAC, iphone/Blackberry ...

example of the "show dhcpd binding" output

69.77.163.189 0152.4153.2000.1617.

8117.d000.0002.0000.

00

69.77.163.190 0152.4153.2000.1617.

8117.d000.0005.0000.

00

69.77.163.191 0152.4153.2000.1617.

8117.d000.0001.0000.

00

Re: Weird MAC address in "show dhcpd binding"

If your PIX firewall directly terminated to a WAN link (Via Ethernet)?

These seem to be public IPs?

Regards

Farrukh

Community Member

Re: Weird MAC address in "show dhcpd binding"

These are public IPs. The FW is directly connected to the Internet and has 69.77.163.0/24 on its inside interface.

Re: Weird MAC address in "show dhcpd binding"

Well if these IPs are on your network, why don't you give an OS fingerprinting tool like NMAP a try? Or perhaps run a 'Full' Nessus scan on these IPs, that might help you reveal some information about them.

Since you know the IPs, it should not be hard to track them down.

If you have CiscoWorks Campus Manager, you can use the User Tracking option to search for these IP/MACs.

Regards

Farrukh

Community Member

Re: Weird MAC address in "show dhcpd binding"

unfortunately I dont have any tools like CiscoWorks Campus Manager here. What makes it worse is that these IPs might be some wireless devices. Strangely I dont even get any response by pinging these IPs.

Re: Weird MAC address in "show dhcpd binding"

Is your wireless setup secure? Or is it SSID broadcast with no security?

So some sort of device is associating with your AP using these Multicast MACs (very strange tough). Can you confirm if these IP addresses are from the Wireless AP Address Pool?

Regards

Farrukh

Community Member

Re: Weird MAC address in "show dhcpd binding"

The APs are protected with SSIDs.

I am still not sure if these IPs are from the wireless because I cant take down all of them for testing while people are connected. They come and go with no pattern to follow. But it seems this happens more during day time.

343
Views
0
Helpful
10
Replies
CreatePlease to create content