Header Only - DO NOT REMOVE - Extreme Networks

Maclock Violation by Invalid Mac Address


We have all ports with maclock protection with no dynamic entries and violation enable.
All day we have violations with invalid mac addresses detected by switch.
Macs like 00:00:00:10:12:00. or AB:00:AB:00:11:11 and many others that doesnt have a valid vendor.
What causes this violations? virus? malware? cable?
can be a switch problem? negotiation?
How can switch port detects these macs?

Switchs Enterasys B5.

Tks for help.

2 replies

Userlevel 1
those MACs can occur for a number of reasons. Often some cheap vendors will not bother registering a MAC OUI and just choose one (this is usually seen in knockoff and cheap products from small vendors). Others might have registered and it's a new OUI that the switch doesn't recognize. Also it might be someone changing their mac either in an OS or driver/firmware.

the switch detects these MACs when the client sends in it's first frame. in the L2 header is the sender MAC address, which is then detected and learned on that port.

When you use maclock protection with no dynamic entries, then you need to specify the allowed mac for each port. hence any changed MAC or movement of your users or devices will trigger a violation.
We have seen this on ports where either the device NIC was defective or cabling was damaged.

We use maclock firstarrival to limit the number of mac addresses per port.

Also, we use macauth with radius server having a list of all MAC addresses and the vlans they are supposed to be assigned. Unknown mac addresses are put in an untrusted vlan.

Reply