This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Temporary Rogue MAC Addresses

I wanted to reach out to this community and see what information I can gain to figure out an issue we are having.

We use UDT to track MAC addresses and receive alerts.

Our nodes are defined as all of our managed switches (all same vendor - Netgear managed switches).

Sometimes once a day, often twice, rarely 3 or more times... I will get an alert that there is a Rogue Mac Address detected.  These are always vendorless MAC addresses and they are not the same - they almost appear to be randomly generated.  Often they are detected on a trunk port, and show a list of nodes/switches which have had an indirect connection.  Rarely, I will get a direct connect (from a trunk port to another switch), but I am certain no one is plugging anything into these ports as they are locked behind closed doors.

Something is picking up these in the MAC address tables.  There is never an IP associated to the MAC - so the arp tables haven't presented any leads.

To try to get more information, I setup Wireshark and captured a rotating set of logs over 24 hours.  I got 3 hits and I can find the detected MAC address in the list once each over a 3 hour period (when it is detected).  It doesn't give enough information to determine and the dataset in the packet doesn't appear to give any useful information.

I wanted to ask if anyone has run into a similar situation as this?  We really like the idea of using UDT - we are heavily into compliance and this is a very useful solution for us.  However, as it stands, the solution is useless to us if it provides false positives that we are unable to track down.  We have no way of knowing what is an actual alert or something out there creating and destroying a MAC address for use as an internal function.

Glad to provide more information if I can.

Parents
  • Try disabling the Indirect connection so that you will only get information for endpoints that are directly connected to your networking device.

  • So the problem we are running into (in my case and it sounds like the original posters issue) is I am only monitoring the interesting ports example 1-30 and leaving 31-48 un-monitored and port 49 (Fiber Port) is a trunk port and is seeing the Arp Traffic. When i worked with Solarwinds Support on this that also confirmed this is not expected behavior and UDT is misbehaving.

Reply
  • So the problem we are running into (in my case and it sounds like the original posters issue) is I am only monitoring the interesting ports example 1-30 and leaving 31-48 un-monitored and port 49 (Fiber Port) is a trunk port and is seeing the Arp Traffic. When i worked with Solarwinds Support on this that also confirmed this is not expected behavior and UDT is misbehaving.

Children
No Data