
Tracing rogue MAC source 00:00:00:00:00:00

Kevin Dorrell
Level 10

I have some PCs on the LAN that misbehave due to a design fault. If you de-power one of these machines, and re-apply the power, (but do not boot it), then it goes into standby (interface up) and generates MAC frames apparently from the address 00:00:00:00:00:00 to the address 80:00:04:00:00:00 at intervals of every 32 seconds. Of course, these get flooded round the network.

My problem is how to track down this rogue machine. Back when I had all CatOS, it was easy. I would go to the root switch and do show cam dyn. This did not tell me directly about an entry for 00:00:00:00:00:00, but it did throw up an error message "%SYS-4-P2_WARN: 1/Filtering MAC address 00-00-00-00-00-00 on port b/p from host table." That told me which access switch to look at. I would then do the same on the access switch, etc. until I had the access port.

Now I have IOS in the distribution layer, I cannot do that any more. When I do show mac-address-table, it does not throw up the entry. If I do show mac-address-table address 0000.0000.0000 then it throws up the complete forwarding table, but no entry for 0000.0000.0000.

Can anyone suggest how I can track down this rogue MAC source address? I know it is there, 'cos I see its packets on my monitor.

Thanks in advance.

Kevin Dorrell

Luxembourg

5 Replies

scottmac
Level 10

I have seen a number of Linux PC firewalls generate zero MACs when they weren't configured properly.

Good Luck

Scott

I know what the machine is: a Siemens 800 XL series PC. We used to have hundreds of them, and they all did this after every power cut. Now we have fewer of them, but still too many to go round all the offices looking for the one that has not been booted since it was plugged in. Any ideas how to trace the zero source address to the access port?

Kevin Dorrell

Luxembourg.

Sounds like a hoot ...

Well, if you're using DHCP everywhere, try doing a hard address assignment for the zero MAC, then set up a persistent ping for that address.

When the ping starts to work / gets an echo reply, then you at least know what segment to look on. Since you know it's a Siemens PC, that narrows it a bit further.

It's got to be easier than backtracking CAM tables in all of the switches. You may be able to use the ARP table instead of the CAM to figure out which port the offender is on (show arp |00:00:00 ....).

(and you can leave the DHCP assignment up for the next occurrence)

Good Luck

Scott

Thanks for the suggestions, but I'm afraid they will not work because the problem happens before the PC even gets as far as booting. In fact, once it boots for the first time, the problem goes away. I only get the problem if (standby) power is applied to the machine without booting it, i.e. just following a power cut. So there is no ARP or DHCP yet. By the time the machine gets to booting (including DHCP), it has already got its proper MAC address. It's a problem. I shall be glad when the last 800 XL goes out the door.

Kevin Dorrell

Luxembourg

Kevin,

How about something like this:

Switch#debug ?
matm Debug Platform Independent Mac Manager

Switch#debug matm
MATM Main debug debugging is on
Switch#
Nov 14 06:48:51.986 EST: mat_enable_disable_addrs: type:2, port:Fa0/8
Nov 14 06:48:51.994 EST: mat_delete_all_addresses: type:1, port:0x807F6078
Nov 14 06:48:51.994 EST: mat_del_addr_entry: table_id:162, addr:0000.0000.0000
Nov 14 06:48:51.994 EST: mat_delete_all_addresses: type:1, port:0x807F6078
Nov 14 06:48:51.994 EST: mat_del_addr_entry: table_id:0, addr:0000.0000.0000

James
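
An added example, not part of James's reply and not a Cisco tool: a small Python filter that scans collected switch logs for the two clues mentioned in this thread (the CatOS %SYS-4-P2_WARN filtering message and the debug matm address events for 0000.0000.0000) and reports the port each one points to. It assumes a matm address event belongs to the mat_enable_disable_addrs port logged just before it, as in the output above; the function name and the CatOS port 3/12 in the sample are constructed for illustration.

```python
import re

ZERO_MAC = "0000.0000.0000"

# CatOS syslog quoted in the original question ("b/p" there stands for mod/port).
CATOS_RE = re.compile(
    r"%SYS-4-P2_WARN: \d+/Filtering MAC address 00-00-00-00-00-00 "
    r"on port (?P<port>\d+/\d+) from host table")
# IOS "debug matm" lines as shown in the reply above.
MATM_PORT_RE = re.compile(r"mat_enable_disable_addrs: type:\d+, port:(?P<port>\S+)")
MATM_ADDR_RE = re.compile(r"mat_\w+_addr_entry: table_id:\d+, addr:(?P<mac>[0-9a-f.]+)")


def ports_seeing_zero_mac(lines):
    """Return {port: hit count} for log lines that tie the all-zero MAC to a port."""
    hits = {}
    last_port = None  # most recent port named by a matm port event
    for line in lines:
        m = CATOS_RE.search(line)
        if m:
            hits[m["port"]] = hits.get(m["port"], 0) + 1
            continue
        m = MATM_PORT_RE.search(line)
        if m:
            last_port = m["port"]
            continue
        m = MATM_ADDR_RE.search(line)
        # Assumption: an address event belongs to the port event logged just before it.
        if m and m["mac"] == ZERO_MAC and last_port:
            hits[last_port] = hits.get(last_port, 0) + 1
    return hits


# Sample input: the debug lines from the reply, plus one constructed CatOS line
# (port 3/12 is made up for illustration).
SAMPLE = """\
Nov 14 06:48:51.986 EST: mat_enable_disable_addrs: type:2, port:Fa0/8
Nov 14 06:48:51.994 EST: mat_delete_all_addresses: type:1, port:0x807F6078
Nov 14 06:48:51.994 EST: mat_del_addr_entry: table_id:162, addr:0000.0000.0000
Nov 14 06:48:51.994 EST: mat_delete_all_addresses: type:1, port:0x807F6078
Nov 14 06:48:51.994 EST: mat_del_addr_entry: table_id:0, addr:0000.0000.0000
%SYS-4-P2_WARN: 1/Filtering MAC address 00-00-00-00-00-00 on port 3/12 from host table
""".splitlines()

if __name__ == "__main__":
    for port, count in sorted(ports_seeing_zero_mac(SAMPLE).items()):
        print(f"{port}: {count} zero-MAC event(s)")
```

Fed the syslog or terminal capture from each switch in turn, the reported port is either the access port itself or the uplink toward the next switch to check.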