Maclock Violation by Invalid Mac Address

We have all ports with maclock protection, with no dynamic entries and violation enabled.
All day we have violations with invalid MAC addresses detected by the switch.
MACs like 00:00:00:10:12:00 or AB:00:AB:00:11:11 and many others that don't have a valid vendor.
What causes these violations? Virus? Malware? Cable?
Can it be a switch problem? Negotiation?
How can the switch port detect these MACs?

Switches: Enterasys B5.

Thanks for the help.
Diogo Rocha

Posted 1 year ago

Matthew Hum
Those MACs can occur for a number of reasons. Often some cheap vendors will not bother registering a MAC OUI and just choose one (this is usually seen in knockoff and cheap products from small vendors). Others might have registered and it's a new OUI that the switch doesn't recognize. Also it might be someone changing their MAC either in an OS or driver/firmware.

The switch detects these MACs when the client sends in its first frame. In the L2 header is the sender MAC address, which is then detected and learned on that port.

When you use maclock protection with no dynamic entries, then you need to specify the allowed MAC for each port. Hence any changed MAC or movement of your users or devices will trigger a violation.
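The answer above explains why a source MAC can look "invalid": an unregistered OUI, a new OUI, or a MAC overridden by the OS or driver. The script below is an added example (not part of this thread and not Enterasys code) that triages MACs from violation log lines by the bits that actually carry meaning in a MAC address: the I/G (group) bit, which can never be set on a legitimate source MAC, the U/L bit, which marks a locally administered address, an all-zero OUI, and finally a lookup against an OUI table. The log line format, the OUI table contents and the port names are constructed assumptions; a real deployment would load the IEEE OUI registry and match its own switch's syslog format.

```python
"""Triage source MACs reported in MAC-lock violation log lines (added example)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed OUI table with placeholder vendor names (assumption: a real
# deployment loads the IEEE OUI registry instead; these are not real assignments).
KNOWN_OUIS: Dict[str, str] = {
    "00:11:22": "ExampleVendor-A (constructed)",
    "00:33:44": "ExampleVendor-B (constructed)",
}

# Constructed log lines in a hypothetical syslog format. The first two MACs
# are the ones quoted in the question; the rest cover the remaining categories.
SAMPLE_LOG = """\
Jan 12 10:01:33 switch1 MACLock: violation on port ge.1.5 source MAC 00:00:00:10:12:00
Jan 12 10:02:10 switch1 MACLock: violation on port ge.1.7 source MAC AB:00:AB:00:11:11
Jan 12 10:02:41 switch1 MACLock: violation on port ge.1.9 source MAC 02:11:22:33:44:55
Jan 12 10:03:05 switch1 MACLock: violation on port ge.1.5 source MAC 00:11:22:AA:BB:CC
Jan 12 10:03:59 switch1 MACLock: violation on port ge.2.1 source MAC 00:99:88:77:66:55
"""

# Regex for the constructed log format above (assumption).
LOG_RE = re.compile(
    r"violation on port (?P<port>\S+) source MAC "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def classify_mac(mac: str) -> Dict[str, str]:
    """Return the MAC's category and a short reason, based on its first octet and OUI."""
    mac = mac.lower()
    first_octet = int(mac[:2], 16)
    oui = mac[:8]
    if first_octet & 0x01:
        # I/G bit set: a group (multicast/broadcast) address is never a valid
        # source MAC, so this points at a corrupt frame, bad NIC or bad cabling.
        cat, reason = "group-bit", "I/G bit set; never valid as a source MAC"
    elif first_octet & 0x02:
        # U/L bit set: locally administered, i.e. the MAC was overridden in the
        # OS, driver or firmware, or is a randomised address.
        cat, reason = "locally-administered", "U/L bit set; MAC overridden or randomised"
    elif oui == "00:00:00":
        cat, reason = "null-oui", "all-zero OUI; typical of uninitialised or defective hardware"
    elif oui in KNOWN_OUIS:
        cat, reason = "known-oui", KNOWN_OUIS[oui]
    else:
        cat, reason = "unknown-oui", "OUI not in local table; unregistered vendor or newer than the table"
    return {"mac": mac, "oui": oui, "category": cat, "reason": reason}


def parse_violations(log_text: str) -> List[Dict[str, str]]:
    """Extract port and MAC from each violation line and classify the MAC."""
    results: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # not a violation line in the expected format
        entry = classify_mac(match.group("mac"))
        entry["port"] = match.group("port")
        results.append(entry)
    return results


def summarize(log_text: str) -> Counter:
    """Count violations per (port, category) so noisy ports stand out."""
    return Counter((e["port"], e["category"]) for e in parse_violations(log_text))


if __name__ == "__main__":
    for entry in parse_violations(SAMPLE_LOG):
        print(f"{entry['port']:8} {entry['mac']}  {entry['category']:22} {entry['reason']}")
    print(summarize(SAMPLE_LOG))
```

The ordering of the checks matters: the group bit is tested before the U/L bit because AB:00:AB:00:11:11 has both set, and a source MAC with the group bit set is wrong regardless of anything else. Ports that repeatedly log group-bit or null-OUI addresses are the ones to check for a defective NIC or damaged cable; locally administered addresses point at a host whose MAC was changed in software.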
Naoman Ghani
We have seen this on ports where either the device NIC was defective or cabling was damaged.

We use maclock firstarrival to limit the number of mac addresses per port.

Also, we use macauth with a RADIUS server having a list of all MAC addresses and the VLANs they are supposed to be assigned. Unknown MAC addresses are put in an untrusted VLAN.