
Tracking MAC addresses

andrewsj
Level 1

I have a 6509 at the core & 3500 switches at the closets. Port security is on all ports & is configured to shut down when a different MAC is detected. I have 2 users that are having a problem where 'rogue' MAC addresses shut them down. They both have laptops with only 1 NIC. The MACs always start the same way '0800.45**.****'. I now have a list of 20 MAC addresses that have appeared on these 2 ports. No one else has access to these ports. Neither user plugs in anywhere else on the network, the laptops don't leave their offices. I tried using Sniffer Basic to see if I could find where these MACs are coming from. Any ideas on how to track these back to the source & stop them from entering our network would be greatly appreciated.

10 Replies

steve.barlow
Level 7

Do a show cam mac 0800.45**.**** on Catalyst OS switches to see where the switch sees the MAC coming from (it will tell you the port). Trace it back that way.

Do a show mac-address-table on IOS based switches to see the same.

Also, as an FYI, CONCURRENT COMPUTER CORP makes NICs with 0800.45 addresses, if that helps any.

Hope it helps.

Steve

I tried 'show cam mac', but it didn't like 'cam'. I don't see it in the list of 'show' commands. The switches are 3500 series XLs. We use 3Com NICs exclusively on the network. The only other NICs are a few Compaqs in laptops.

Did you try show mac-address-table address 0800.45... ?

Steve

Here's where it gets interesting. The MAC address does not show up on the address table. I tried it as soon as I got a message that one of the 2 ports was locked. This doesn't happen all the time either. It happens one day, then you won't see it for 3 or 4 days, or a week later. Talk about frustrating.

The address will only be kept for 5 minutes. How quickly do you get the message that the port was locked? If you have an idea of which switch(es) generally it happens to, you can increase the "mac-address-table aging-time" to greater than 5 minutes (not too long but long enough for you to get the message and dial in).

Steve

The message comes through within a minute or two of the port being locked. I'll adjust the aging time & let you know what happens.

Adjusted the aging time to 3600. Another MAC attempted access to one of the ports, 0800.4500.0070. Looked for it in the MAC table, came back with 'No matching entry found'.

When I think about it, it makes sense that the MAC is not in the table: it got blocked by the port security and won't enter the table. Sorry for the wasted time.

This is the company that makes the MAC you are seeing:

http://www.ccur.com/corporate/index.htm. They make Video-On-Demand and simulations. Does that help point you in the right direction as to who could be using those PCs? Can you ask if people are using their products?

As the port is disabled, I don't think any network devices can help (security risk: closest would be running a sniffer all the time looking for that MAC and don't disable the port, see what they do and hope it points you in the right direction). I can only see the solution as asking around the location where the data jack is to see if anyone saw anything or find who uses that company's product.

Steve

The only thing I might add here is that some equipment allows you to change the MAC address from the BIA (burned in address). A malicious user can change the MAC to hide the identity of the equipment.

SteveO
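An added example, not part of the original thread: one way to triage a collected list of violating MACs is to group them by port and OUI and to check the first octet's locally-administered (U/L) and multicast (I/G) bits. Only 0800.4500.0070 comes from the thread; the other addresses and the port names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: only 0800.4500.0070 appears in the thread; the other
# addresses are made up and the port names are hypothetical.
VIOLATIONS = [
    ("Fa0/7", "0800.4500.0070"),
    ("Fa0/7", "0800.4500.0054"),
    ("Fa0/12", "0800.4500.003c"),
    ("Fa0/12", "0a00.27ab.cdef"),  # constructed locally administered address
]

def parse_mac(text):
    """Accept Cisco dotted, colon or dash notation and return 6 raw bytes."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Return the OUI and the two flag bits carried in the first octet."""
    mac = parse_mac(text)
    return {
        "oui": mac[:3].hex(),
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit: locally assigned
        "multicast": bool(mac[0] & 0x01),             # I/G bit: invalid as a source
    }

def summarize(violations):
    """Count violations per (port, OUI) and flag addresses with U/L or I/G set."""
    per_port_oui = Counter()
    flagged = []
    for port, mac in violations:
        info = classify(mac)
        per_port_oui[(port, info["oui"])] += 1
        if info["locally_administered"] or info["multicast"]:
            flagged.append((port, mac))
    return per_port_oui, flagged

if __name__ == "__main__":
    counts, flagged = summarize(VIOLATIONS)
    for (port, oui), n in sorted(counts.items()):
        print(f"{port}: OUI {oui} seen {n} time(s)")
    print("U/L or I/G bit set:", flagged)
```

A clear U/L bit does not prove the address is a burned-in one, since an overridden MAC can copy any vendor prefix; the check only catches addresses that are openly locally assigned or multicast.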

Both users are not that technically minded.