#1
I have three Cisco 2970s... 2970_1 has a trunk to 2970_2 via Gi0/24 on both, and a trunk to 2970_3 on Gi0/4 (Gi0/2 on 2970_3).

I'm seeing lots of ARP broadcasts for an IP I do not use from a MAC address that isn't one of mine. I'm trying to hunt down where that address is with no luck:

2970_1 can't decide if it's on Gi0/24 or Gi0/4:

```
2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1

2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/4
Total Mac Addresses for this criterion: 1

2970_1#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1
```

As mentioned above, Gi0/4 is a trunk to 2970_3 and Gi0/24 is a trunk to 2970_2.

2970_2 thinks it might be on Gi0/3, Gi0/7, or Gi0/24:

```
2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 1

2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 1

2970_2#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/7
Total Mac Addresses for this criterion: 1
```

Gi0/24 is a trunk to 2970_1, Gi0/3 is down with nothing connected to it, and Gi0/7 is a web server with one connected interface that does *not* have a hardware address of 000c.764e.04c8.

2970_3 can't tell if it's on Gi0/2, Gi0/3, or Gi0/4:

```
2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 1

2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 1

2970_3#sh mac-address-table address 000c.764e.04c8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    000c.764e.04c8    DYNAMIC     Gi0/4
Total Mac Addresses for this criterion: 1
```

Gi0/2 is a trunk to 2970_1, and Gi0/3 and Gi0/4 are connected to two name servers, neither of which has a hardware address of 000c.764e.04c8.

WHAT THE HELL IS GOING ON??? How can a hardware address be dancing around like that, especially when it doesn't freaking exist? If I keep doing sh mac-address-table address 000c.764e.04c8 over and over again, the answers randomly dance between the various values I've shown above.

--
* John Oliver http://www.john-oliver.net/ *
#2
1. What is the version of software running on each of the three 2970?
2. Is VLAN 3 the only VLAN (beside 1) configured on the three 2970's?
3. What operating systems are used on the name servers and the web server?
4. Have you captured any of the ARP requests/replies? If so, what is the source IP address?

This might be caused by one of the ARP virus programs.
#3
On 17 Jul 2006 14:28:27 -0700, Merv wrote:

> 1. What is the version of software running on each of the three 2970?

```
2970_1#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

2970_2#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

2970_3#sh version
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
```

> 2. Is VLAN 3 the only VLAN ( beside 1 ) configured on the three 2970's?

```
2970_1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/3, Gi0/5, Gi0/8
                                                Gi0/10, Gi0/11, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23
2    Outside                          active
3    DMZ                              active    Gi0/2, Gi0/6, Gi0/7, Gi0/9
                                                Gi0/12
4    Secure                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
```

```
2970_2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/6, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/12, Gi0/19, Gi0/20
                                                Gi0/21
2    Outside                          active
3    DMZ                              active    Gi0/3, Gi0/4, Gi0/5, Gi0/7
                                                Gi0/11, Gi0/13, Gi0/14, Gi0/15
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/22
                                                Gi0/23
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
```

```
2970_3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
3    VLAN0003                         active    Gi0/1, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
```

> 3. What operating systems are used on the name servers and the web server?

All Linux.

> 4. Have you captured any of the ARP requests/replies? If so, what is the source IP address?

```
16:36:52.525936 00:0c:76:4e:04:c8 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103
```

--
* John Oliver http://www.john-oliver.net/ *
#4
If the offending device is continuously ARPing, then I would suggest setting up a monitoring port connected to a PC running Ethereal.

Since the MAC address only shows up on the trunk port of 2970_1, it would seem that the offending device is probably not connected to that switch. So start with 2970_2, set up a monitoring port and one by one monitor the traffic from each port (one port at a time). Hopefully this way you can find the device that is generating the ARP request for 172.16.100.103.

The decode posted looks like a device sending a gratuitous ARP.

If not found on 2970_2, repeat the process on 2970_3.
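
The narrowing-down step from the reply above, as an added example that is not part of the original thread: it parses repeated `sh mac-address-table address` polls, separates trunk sightings from access-port sightings, and lists the access ports worth mirroring first. The trunk list comes from the first post; the sample text is condensed from the outputs in the thread, and the function names are illustrative.

```python
import re

# Trunk ports per switch, as described in the thread's first post.
TRUNKS = {"2970_1": {"Gi0/24", "Gi0/4"}, "2970_2": {"Gi0/24"}, "2970_3": {"Gi0/2"}}

# Condensed from the thread's outputs: table headers dropped, and the entry
# line of each successive poll listed under one prompt per switch.
SAMPLE = """\
2970_1#sh mac-address-table address 000c.764e.04c8
   3    000c.764e.04c8    DYNAMIC     Gi0/24
   3    000c.764e.04c8    DYNAMIC     Gi0/4
   3    000c.764e.04c8    DYNAMIC     Gi0/24
2970_2#sh mac-address-table address 000c.764e.04c8
   3    000c.764e.04c8    DYNAMIC     Gi0/3
   3    000c.764e.04c8    DYNAMIC     Gi0/24
   3    000c.764e.04c8    DYNAMIC     Gi0/7
2970_3#sh mac-address-table address 000c.764e.04c8
   3    000c.764e.04c8    DYNAMIC     Gi0/2
   3    000c.764e.04c8    DYNAMIC     Gi0/3
   3    000c.764e.04c8    DYNAMIC     Gi0/4
"""

PROMPT = re.compile(r"^(\S+)#\s*sh")
ENTRY = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def parse_polls(text):
    """Return {switch: [port, ...]} in poll order; header lines are ignored."""
    seen, switch = {}, None
    for line in text.splitlines():
        if m := PROMPT.match(line):
            switch = m.group(1)
        elif (m := ENTRY.match(line)) and switch:
            seen.setdefault(switch, []).append(m.group(4))
    return seen

def locate(polls, trunks):
    """Per switch: how often the entry moved, and which sightings were not trunks."""
    report = {}
    for switch, ports in polls.items():
        moves = sum(a != b for a, b in zip(ports, ports[1:]))
        access = sorted(set(ports) - trunks.get(switch, set()))
        report[switch] = {"moves": moves, "access_ports": access}
    return report

def monitor_order(report):
    """Access ports to mirror first; switches that only saw trunks drop out."""
    return [(sw, p) for sw, r in sorted(report.items()) for p in r["access_ports"]]

if __name__ == "__main__":
    print(monitor_order(locate(parse_polls(SAMPLE), TRUNKS)))
```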
#5
The Ethereal network protocol analyzer has changed its name to Wireshark.
http://www.wireshark.org/

> If the offending device is continuously ARPing, then I would suggest
> setting up a monitoring port connected to a PC running Ethereal.
#6
Make wrote:
> The Ethereal network protocol analyzer has changed its name to Wireshark.
> http://www.wireshark.org/
>
> > If the offending device is continuously ARPing, then I would suggest
> > setting up a monitoring port connected to a PC running Ethereal.

Strangely enough there is no mention of this change on www.ethereal.com. Why might that be?

"Shark" seems to be the critical part here.

Would (on the) Make please go away, is my first reaction.
#7
> Strangely enough there is no mention of this change on
> www.ethereal.com.

Try link http://www.ethereal.com/download.html and select Windows SourceForge and you get http://sourceforge.net/project/showf...p?group_id=255 and there it is said:

Wireshark (formerly Ethereal) is a network protocol analyzer for Unix and Windows.
#8
Any chance of sticking to the OP's issue ???