weird mac address


Hi,
I have an interesting problem. I have a CentOS server connected to our DMZ zone. For security reasons our network department limited the number of MAC addresses that can connect to the port on the switch. And since we are running VMware Server on top of CentOS and a Windows virtual machine inside of it, the number of MAC addresses that can connect to this port is two, or the switch blocks all traffic on this port. And now comes the problem. The port blocks almost immediately. After some investigation we found out that we actually have 3 addresses communicating from this port: one that belongs to eth-0 and is IBM-specific (the server is an IBM x3550 and every MAC starts with the vendor code), one that belongs to the virtual machine and is VMware-specific, and then we have another MAC address that is IBM-specific.

I can't find where this traffic comes from. I traced the traffic with Wireshark and found that this MAC address creates a DHCP discover every 64 seconds. I first checked if this MAC address could be from the second network card, which is not connected with a cable nor is the device enabled, but it isn't, and the mystery MAC is completely different from the network cards' MACs in the last 6 characters (the two on-board cards' MACs differ only in the last character). Then I tried searching the logs and /etc for any occurrence of this MAC address, but I can't find anything. Then we tried to isolate the server, so I connected it directly to my laptop and ran the trace again to see if this packet comes from outside and is then redirected back out on VMware's virtual switch (since it's a broadcast packet, this could be somehow possible). But everything indicates that these packets are generated on this server.

In the meantime we increased the number of MAC addresses to 3, but after a while we got a packet from a fourth IBM MAC address that again doesn't belong anywhere. It was similar to the mystery MAC (it was only different in the last two characters) and the switch blocked the port in the middle of the night. But this was a one-time occurrence for now.

Does anyone have an idea what is happening or where I should look for the mystery MAC address?

Thanks

Janez
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
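An added example, not part of the original post: a small Python audit of the kind of trace described above, which lists every source MAC on the port that is not one of the expected addresses and records when each one sent a DHCPDISCOVER. The MAC addresses, timestamps and frames are constructed sample data, and the function names are hypothetical.

```python
import struct

COOKIE = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (source MAC, True if DHCPDISCOVER) for one raw Ethernet II frame."""
    src = mac_str(frame[6:12])
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return src, False                        # not IPv4 carrying UDP
    udp = 14 + (frame[14] & 0x0F) * 4            # IPv4 header length from the IHL field
    if len(frame) < udp + 8 or struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):
        return src, False                        # not DHCP client -> server
    bootp = frame[udp + 8:]
    if bootp[236:240] != COOKIE:
        return src, False
    opts, i = bootp[240:], 0
    while i + 2 < len(opts) and opts[i] != 255:  # walk options until End (255)
        if opts[i] == 53:                        # option 53 = message type, 1 = DISCOVER
            return src, opts[i + 2] == 1
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]  # Pad (0) has no length byte
    return src, False

def unexpected_sources(capture, expected):
    """Map each source MAC not in `expected` to the timestamps of its DHCPDISCOVERs."""
    found = {}
    for ts, frame in capture:
        src, is_discover = parse_frame(frame)
        if src not in expected:
            found.setdefault(src, []).extend([ts] if is_discover else [])
    return found

def sample_discover(mac):
    """Build a minimal broadcast DHCPDISCOVER frame (constructed sample data)."""
    bootp = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10 + 192) + COOKIE + bytes([53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + len(udp) + len(bootp)) + bytes(4)
          + bytes([64, 17]) + bytes(6) + b"\xff" * 4)
    return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp + bootp

def arp_frame(mac):
    return b"\xff" * 6 + mac + b"\x08\x06" + bytes(46)   # constructed non-DHCP frame

# Constructed MACs (locally administered range), standing in for the NIC, the VM and the unknown sender
NIC, VM, MYSTERY = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "0200000000aa"))
EXPECTED = {mac_str(NIC), mac_str(VM)}
CAPTURE = [(0, sample_discover(MYSTERY)), (3, arp_frame(NIC)), (9, arp_frame(VM)),
           (64, sample_discover(MYSTERY)), (128, sample_discover(MYSTERY))]
print(unexpected_sources(CAPTURE, EXPECTED))
```

The timestamps recorded per unexpected MAC make the 64-second DHCPDISCOVER cadence visible directly, and any additional sender shows up as a new key.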
