Port security tripped by invalid MAC address 1

[jneiberger]

This is a weird one and it's happened twice in the past couple of months. We have port security active on our switches and twice we've seen it get tripped by an invalid MAC address like e8be.5bd3.5558. It's as if the machines that are connected to it temporarily switch to a different MAC address, which I've never heard of.

If I recall correctly, the first time it happened was with a printer, but I'm not 100% sure. Last night it happened again with a workstation. I did find someone else on a different forum who had experienced it but they did not know the cause.

Any ideas?

thanks,
John

 

[burtsbees]

MAC spoofing, like an attack?

Burt

 

[jneiberger]

I don't think that's it. This is a single workstation connected to a switch. My first thought was that someone was connecting something else to that switch port, but both times this has happened it was around 3:00 AM and at different locations. And if it were really another machine, the MAC address would probably be valid. Unless, of course, someone had manually tweaked the MAC on their NIC, and I have no idea why someone would do that.

Besides, I found one other person (in Russia) who has the same issue and he saw the exact same MAC address I posted. That's really bizarre!

 

[burtsbees]

What MAC, if I may ask?

Burt

 

[jneiberger]

e8be.5bd3.5558

 

[burtsbees]

If that is a multicast address, the dotted decimal would be
232.190.91.211.85.88

232.0.1.0-232.255.255.255 Reserved for local host allocation [RFC4607]

I think I found the Russian dude with the same problem...lol

Weird. What pc manufacturer is it? Onboard NIC or PCI?

I know Cisco all starts with 00

Burt

 

[jneiberger]

Well, as I recall, an actual multicast MAC would start with 01005e, but it's been a long time since I studied that. Besides, port security deals with the source MAC, not destination, and you should never see a multicast MAC in the source address field.

This is definitely weird!

 

[burtsbees]

Right---just grasping at straws, maybe trigger a thought...

what pc model and manufacturer is it? Does the Russian person have the same model? We should try and find a common denominator between you two...

Burt

 

[jneiberger]

The PC last night was a Dell, but I'd swear the first time this happened, it was to an HP printer at another location, but I'm not sure about that.

 

[jneiberger]

I just realized that I accidentally posted this in the router forum instead of the switch forum. Whoops?

Anyway, this happened again. This time was a different MAC address: 5258.5f55.55c5.

One other odd thing about this is that I tried a search on the Internet first and found one Russian user forum where someone was seeing the same thing and he's seeing the same exact MAC addresses.

I think it must be a weird NIC driver issue. The only reason we notice is because we have port security enabled. The ports are being disabled by the switch when it sees these weird MAC addresses.

I am truly stumped. Any ideas?

 

[burtsbees]

I saw the same forum...is the workstation a Dell still, even with the Russian dude? That MAC doesn't even fall uinder what Dell's code is! Nobody does!

Burt

 

[jneiberger]

Yeah, this was a Dell PC. But it appears that the first time this happened for us, it was an HP Printer. Or at least a printer. Not sure about the vendor.

This is definitely a strange one! But we would never have noticed it if we didn't have port security enabled. It's probably happening to a lot of people that just never notice.

 

[baddos]

It could be a nic driver too.

Anyways I would change your port-security action or put in err-disable-recovery to automatically reset the port after a timeout.

 

[drichter12]

We used to have this problem at my last company every once in a while but the MAC was usually either all zeros for the manufacturer id or once in a while an odd-ball that didn't match any manufacturer. We found that most of the problems came down to bad jack wiring or on accasion a bad cable.

Hope that helps...


Dale

 

[lastof5]

I had the same problem this morning (03:26:17) with seeing the 5258.5f55.55c5 mac address shut down the port. The machine is a Dell desktop. We thought maybe it was the night guard plugging his laptop into the port at this desk. Now I came across this thread and am wondering if it's something with Dell?

 

[jneiberger]

It has happened to us two or three times now and I haven't figured it out yet. I'll be sure to post here if I figure out what's actually happening. It's certainly not an attack of some sort, but I don't know what it is.

 

[MCTerabyte]

Are you using Dell 380's or 390's? I'm having the same problem.

 

[jneiberger]

I don't think we're using that specific model, but we are a Dell shop for PCs.

 

[burtsbees]

Seems to all be with Dell...
Do you have a DRAC card in it?

Burt

 

[kcbell]

Folks:

I read most of the people's post.

I can tell you that I experienced this in the past. A PC with no board NIC generated a new mac every so often. Since we had port security, the port was shut down. We end up doing either updating the NIC driver or insert a PCI nic in the PC and disabled the on-board NIC.

Since it was over a year ago, I cannot tell you which brand of PC. But it did happen!