Temporary Rogue MAC Addresses

I wanted to reach out to this community and see what information I can gain to figure out an issue we are having.

We use UDT to track MAC addresses and receive alerts.

Our nodes are defined as all of our managed switches (all same vendor - Netgear managed switches).

Sometimes once a day, often twice, rarely 3 or more times... I will get an alert that there is a Rogue MAC Address detected. These are always vendorless MAC addresses and they are not the same - they almost appear to be randomly generated. Often they are detected on a trunk port, and show a list of nodes/switches which have had an indirect connection. Rarely, I will get a direct connect (from a trunk port to another switch), but I am certain no one is plugging anything into these ports as they are locked behind closed doors.

Something is picking these up in the MAC address tables. There is never an IP associated with the MAC - so the ARP tables haven't presented any leads.

To try to get more information, I set up Wireshark and captured a rotating set of logs over 24 hours. I got 3 hits and I can find the detected MAC address in the list once each over a 3-hour period (when it is detected). It doesn't give enough information to determine and the dataset in the packet doesn't appear to give any useful information.

I wanted to ask if anyone has run into a similar situation as this?  We really like the idea of using UDT - we are heavily into compliance and this is a very useful solution for us.  However, as it stands, the solution is useless to us if it provides false positives that we are unable to track down.  We have no way of knowing what is an actual alert or something out there creating and destroying a MAC address for use as an internal function.

Glad to provide more information if I can.

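One check worth running on the alerted addresses before treating them as rogue is the two bits the IEEE reserves in the first octet of every MAC address: the least-significant bit marks a group (multicast) address, and the next bit marks a locally administered address. A locally administered address has no IEEE-assigned OUI, so any vendor lookup will come back empty, which is exactly what "vendorless" looks like in a tracker; client-side MAC randomization features produce addresses with this bit set. The script below is an added example written for this thread, not code from the original post or from SolarWinds UDT; it classifies addresses in the common notations and summarizes a list of alert records. It does not claim to know what is generating the poster's entries; it only labels what the address itself reveals. The alert records, ports and addresses are constructed for the example and no vendor lookup is performed.

```python
"""Classify MAC addresses by the IEEE I/G and U/L bits and triage alert records."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class MacInfo:
    canonical: str              # lower-case, colon separated
    oui: str                    # first three octets; only meaningful for globally unique addresses
    multicast: bool             # I/G bit: least-significant bit of the first octet
    locally_administered: bool  # U/L bit: second-least-significant bit of the first octet
    kind: str                   # broadcast | multicast | locally-administered | globally-unique


def parse_mac(text: str) -> MacInfo:
    """Parse one MAC address and classify it from the first-octet bits."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    octets = bytes.fromhex(re.sub(r"[^0-9a-f]", "", text.lower()))
    first = octets[0]
    multicast = bool(first & 0x01)
    local = bool(first & 0x02)
    canonical = ":".join(f"{b:02x}" for b in octets)
    if octets == b"\xff" * 6:
        kind = "broadcast"          # all ones: both bits set, but it is the broadcast address
    elif multicast:
        kind = "multicast"          # never a station address; should not be learned on a port
    elif local:
        kind = "locally-administered"  # no IEEE OUI, so a vendor lookup cannot resolve it
    else:
        kind = "globally-unique"    # OUI assigned by the IEEE; vendor lookup should work
    return MacInfo(canonical, canonical[:8], multicast, local, kind)


# Constructed alert records in the shape (mac, ip_or_None, port); not real data.
ALERTS: List[Tuple[str, Optional[str], str]] = [
    ("52:3a:1f:9c:0b:77", None, "port 49 (trunk)"),
    ("0a:e4:55:12:9d:c1", None, "port 49 (trunk)"),
    ("00:11:22:33:44:55", "10.20.30.40", "port 7"),
    ("01:00:5e:00:00:fb", None, "port 49 (trunk)"),
    ("52:3a:1f:9c:0b:77", None, "port 49 (trunk)"),  # deliberate repeat
]


def triage_alerts(alerts: Iterable[Tuple[str, Optional[str], str]]) -> Dict[str, object]:
    """Count address kinds, find addresses that reappear, and list locally
    administered addresses that were seen without any IP (no ARP lead)."""
    kinds: Counter = Counter()
    seen: Counter = Counter()
    local_no_ip: List[Tuple[str, str]] = []
    for mac, ip, port in alerts:
        info = parse_mac(mac)
        kinds[info.kind] += 1
        seen[info.canonical] += 1
        if info.kind == "locally-administered" and ip is None:
            local_no_ip.append((info.canonical, port))
    repeats = sorted(m for m, n in seen.items() if n > 1)
    return {"kinds": dict(kinds), "repeats": repeats, "local_no_ip": local_no_ip}


if __name__ == "__main__":
    for mac, ip, port in ALERTS:
        info = parse_mac(mac)
        print(f"{info.canonical}  {info.kind:<22} ip={ip or '-':<12} {port}")
    print(triage_alerts(ALERTS))
```

Feeding the tracker's alert export through `triage_alerts` splits the noise into addresses that cannot have a vendor (locally administered), addresses that should never be learned as a station at all (multicast), and globally unique addresses that do deserve an OUI lookup and a physical trace. The repeat list is there because the thread reports addresses that never recur; if one does, it is the one worth chasing first.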
5 Replies

We have the same issue -- to the point it has rendered UDT pretty useless.  We can't turn on alerting or we get 7-8 "false" alerts per day. 

Does anyone know if this has been resolved?

The manager in charge is ready to pitch UDT in the trashcan and move on to another product.


So I am having the same issue, and SolarWinds has confirmed this is a bug of sorts.

So is this still happening in the 2019.04 release? We had a lot of problems with this in earlier versions. I upgraded three days ago and so far we haven't seen this issue re-occur.


Try disabling the Indirect connection so that you will only get information for endpoints that are directly connected to your networking device.


So the problem we are running into (in my case, and it sounds like the original poster's issue) is I am only monitoring the interesting ports, for example 1-30, and leaving 31-48 unmonitored, and port 49 (fiber port) is a trunk port and is seeing the ARP traffic. When I worked with SolarWinds Support on this, they also confirmed this is not expected behavior and UDT is misbehaving.