
I have a situation and will give as much data as I can to paint this picture. First, this only happens to machines that are newly connected to the network. Second, I have noticed there are some devices on the network that are statically assigned but are within the DHCP pool with no reservations. Third, we are running port-security with the shutdown feature on this Cisco switch.

Device starts and does the DHCP discover. DHCP gives the IP of one of the static devices. PC accepts and then I see a DHCP decline. Then another address is given by DHCP, another static, PC accepts and then I see the DHCP decline. Then finally DHCP gives a not used address and the PC accepts and all is well. The strange thing is that all three MAC addresses are now seen on the port in Port-Security.

How can this be? We have even seen more addresses on a port and the port gets shutdown.

asked 10 Sep '11, 18:20


TomTinsley


The first thing to do is to fix the network misconfiguration. Each device that is assigned a static IP address within the DHCP scope with no DHCP reservation should either be reassigned a static address outside the DHCP scope, or a reservation should be created.

Most DHCP servers have a mechanism to check if an address is in use. Windows Server calls it "DHCP conflict detection." If you enable this, the DHCP server will ping the address before offering it to a client. If the DHCP server gets a response to the ping, it will not offer the address. It will select another address and repeat the conflict detection process. Note that Microsoft considers it a best practice to use client-side conflict detection rather than server conflict detection, but if you are not able to reassign the static IP addresses or create DHCP reservations, this might help.

Finally, what do you mean "all three MAC addresses are now seen on the port....?" The only MAC addresses that should be seen in Port-Security are the MAC addresses of systems passing ingress traffic. In other words, assuming this is an access port with only one device connected, then the only MAC address you should see in the Port-Security configuration is the MAC address of the directly connected device. The DHCP server has tried to hand out three IP addresses, but this does not involve three MAC addresses. The number of IP addresses that the DHCP server offers to the client should have nothing to do with the number of MAC addresses that appear on the port.

You said this happens to newly connected devices. Was there another device connected to the same port before the new device, or was the port unused? When you connect a new device to a port, the switch still remembers the MAC address(es) of the previously connected device(s) unless you manually clear the configuration or you have port security aging enabled. Even though you only have one device at a time connected to the port, you can accidentally exceed the number of MAC addresses allowed in the Port-Security configuration over time as devices age and are replaced with newer devices.

If you are using dynamic secure MAC addresses, the switch will remember the MAC addresses until you clear the configuration, or until the switch is rebooted. If you are using sticky secure MAC addresses, the switch will remember the MAC addresses even if the switch is rebooted. You will have to manually clear the old MAC address(es).


answered 10 Sep '11, 21:12


Jim Aragon
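A small checker for the two things this answer separates, the offer/decline cycle and the MACs port-security would actually learn, added here as an example and not part of the thread. It assumes a constructed tab-separated export (eth.src, DHCP message type or other protocol, chaddr, address) rather than any real capture from the question.

```python
"""Added example, not from the original thread: checks the DHCP offer/decline
cycle from the question over constructed tshark-style rows (eth.src, DHCP
message type or other protocol, chaddr, address offered/requested/declined)."""
from collections import Counter

# Constructed capture on the PC's access port: two offers of statically used
# addresses, each declined, a third that sticks, and one stray ARP frame.
SAMPLE_TRACE = """\
00:11:22:33:44:55\tDiscover\t00:11:22:33:44:55\t
aa:bb:cc:00:00:01\tOffer\t00:11:22:33:44:55\t10.0.0.20
00:11:22:33:44:55\tRequest\t00:11:22:33:44:55\t10.0.0.20
aa:bb:cc:00:00:01\tACK\t00:11:22:33:44:55\t10.0.0.20
00:11:22:33:44:55\tDecline\t00:11:22:33:44:55\t10.0.0.20
00:11:22:33:44:55\tDiscover\t00:11:22:33:44:55\t
aa:bb:cc:00:00:01\tOffer\t00:11:22:33:44:55\t10.0.0.21
00:11:22:33:44:55\tRequest\t00:11:22:33:44:55\t10.0.0.21
aa:bb:cc:00:00:01\tACK\t00:11:22:33:44:55\t10.0.0.21
00:11:22:33:44:55\tDecline\t00:11:22:33:44:55\t10.0.0.21
00:11:22:33:44:55\tDiscover\t00:11:22:33:44:55\t
aa:bb:cc:00:00:01\tOffer\t00:11:22:33:44:55\t10.0.0.50
00:11:22:33:44:55\tRequest\t00:11:22:33:44:55\t10.0.0.50
aa:bb:cc:00:00:01\tACK\t00:11:22:33:44:55\t10.0.0.50
00:1e:0b:aa:bb:cc\tARP\t\t10.0.0.20
"""

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, msg, chaddr, addr = line.split("\t")
            rows.append({"src": src, "msg": msg, "chaddr": chaddr, "addr": addr})
    return rows

def analyse(text):
    rows = parse_rows(text)
    client = {r["chaddr"] for r in rows if r["msg"] == "Discover"}
    server = {r["src"] for r in rows if r["msg"] in ("Offer", "ACK")}
    declined = [r["addr"] for r in rows if r["msg"] == "Decline"]
    final = [r["addr"] for r in rows if r["msg"] == "ACK" and r["addr"] not in declined]
    # Port-security learns only ingress source MACs; the server's frames are
    # egress on this port, so they are excluded from what the switch would count.
    ingress = Counter(r["src"] for r in rows if r["src"] not in server)
    return {"declined": declined, "final": final,
            "ingress_macs": sorted(ingress),
            "unexpected_macs": sorted(m for m in ingress if m not in client)}
```

The declined addresses are the ones to hunt for static assignments or add reservations for; any entry in `unexpected_macs` is a source MAC the switch would count against the port limit even though it is not the DHCP client.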

Thanks for your reply. I have told the DHCP Team to do the static reservation for the device as well.

The three MAC addresses... I mean this switchport has no MAC addresses on it. The machine is a newly imaged machine. So hooking up to the switchport, no IP is on the host and no MAC is on the switchport.

I realize the only MAC addresses that should be seen on the switchport are the source addresses entering the switchport. This is why I am confused. Why/how could a MAC for an HP printer be on the switchport? I tracked down the MAC address and did find it on another switch on the network.

I will need to look harder at the sniffer trace and the switchport/pc.

(11 Sep '11, 05:45) TomTinsley

Windows 7 uses a random MAC address for the LLTD service (Link Layer Topology Discovery, used for SOHO networks to check if the PC is connected to a switch or hub).

Unless the service is disabled, the random MAC address is generated and used when the user clicks "See full map" in the Network and Sharing Center.

This still does not explain the use of the HP printer's MAC address.


answered 11 Sep '11, 08:50


packethunter
