Solved

2 MAC Addresses off of port on switch from one server

Posted on 2010-09-14
17
847 Views
Last Modified: 2012-06-27
I have a server connected to a procurve 4208. I noticed last week that there were 2 mac addresses coming off of that single port interface. The server itself has 2 NICS but one is disabled, so I am just using the one. What's interesting is that the MAC Address of the "ghost" is one character from the MAC address of the live interface. Additionally, it is requesting and getting DHCP from my DHCP server. Well I needed to put an end to that quickly so I enacted port security on the port on the switch to only allow the single correct MAC data through. With the "ghost" locked out it is no longer pulling DHCP and is no longer pingable on the network. However, I can ping the bogus IP Address on the server itself. I did an ipconfig /all and route print on the server and didn't see anything that stood out. I also cleared the arp, flushed dns, searched for unwanted services and ran a virus scan and came up short. Does anyone have a clue what I am looking for?
0
Question by:pdoukas
17 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33676353
Does the server have a remote management card or iLO interface in it?
This is a known issue with some IBM servers, and may apply to others as well.
The RSA/iLO will "share" the NIC1 port on the motherboard and request an IP along with the one the server is already using.
0
 

Author Comment

by:pdoukas
ID: 33676417
Dell PE2950 with static assigned IP Address. I have about 15 just like it and all were configured at the same time. I feel it is unlikely this is what I am looking for, HOWEVER, I will look into it. Thing is, aren't these used for remote management? How would I determine if it is being used, or if it even exists without powering off the server?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 33676464
If you browse to the IP from your server (which can still see it I think you said) from IE, you should get the remote management login screen.
Otherwise, using a program like nmap to scan open ports on the IP might shed some light.
0
 

Author Comment

by:pdoukas
ID: 33676548
I actually tried browsing the IP Address with IE, used multiple "common" ports and nothing came up. I thought about nmap and wireshark but according to nmap documentation (You cannot generally scan your own machine from itself (using a loopback IP such as 127.0.0.1 or any of its registered IP addresses)). Wireshark would require me to reboot after the installation and this is a production server that I simply cannot bring down until I know what I am dealing with and can remove it within about 10 minutes. I checked for a DRAC card, remote management for Dell, and there is not one on there so I think that may be a moot avenue. I realize my options are limited unless I bounce the server, but I need to hold off as long as I can. I can tell you we ran a port scanner against the IP prior to me locking it down and nothing showed up that was open.

0
 
LVL 22

Expert Comment

by:Matt V
ID: 33676560
Try Microsoft Network Monitor.. it is wireshark without the reboot required.
0
 

Author Comment

by:pdoukas
ID: 33676696
I will certainly do that. I will install and test on the test server and then if there are no issues will let it loose on the production. Stay tuned......and thanks for your assistance.
0
 

Author Comment

by:pdoukas
ID: 33677232
Ok so I ran MNM pretty quickly as I knew that as soon as I cleared the flag on the switch and reset the notification that one would appear within a few seconds, and sure enough the flag went off. So I stopped the scan and filtered the MAC address and came up empty. I filtered the IP address and came up empty as well. So I thought that I did something wrong, and started the scan again. I ran a utility off of the server that we have complete control over and then stopped the scan. The MAC and IP Address of the workstation running the procedure came up just fine in my filter. At this point I am completely baffled.
0
 

Author Comment

by:pdoukas
ID: 33677318
I do want to add that I applied an IPv4 addresses filter for my third attempt so I could ping the address as I knew it would respond from the particular server. Although I have data now, nothing significant other than ICMP traffic from the server to the server.
0
 

Author Comment

by:pdoukas
ID: 33677424
4th attempt using MAC Address filter and I get nada. I'm just letting it sit there in hopes that there is something making it want to go out and do something.
0
 

Author Comment

by:pdoukas
ID: 33677569
For my 5th attempt I took the port off of port security. I loaded MNM with both an IP filter and MAC filter. The only thing that would respond going to the server was for the static IP that is assigned to the correct NIC which is also the correct MAC address. I tried to ping the "ghost" ip address and although I would get a reply off of my workstation I wouldn't see any traffic on MNM running on the server. Consequently, if I apply port security again, I cannot ping the "ghost" IP Address. I am at a loss.
0
 
LVL 22

Accepted Solution

by:
Matt V earned 500 total points
ID: 33678028
Sure sounds like the remote management card.  It would not show up to Windows as a device, so would not show any traffic in MNM.

That is my call on it anyway.  Turn port security back on and don't worry about it :)

0
 

Author Comment

by:pdoukas
ID: 33678299
I'm going to rest on it tonight. Not to worry, you will be rewarded if unresolved, but keep an eye on thread, I'm not giving up quite as easily :)
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33678752
The server may not have a DRAC, but according to Dell documentation, the PE2950 still has a BMC that uses NIC1.  http://support.dell.com/support/edocs/systems/pe2950/en/hom/html/syssetup.htm#wp1056468  That is most likely what is generating the traffic you're seeing.  You can either disable it or assign a static IP, but that means a reboot.  Alternatively, you can change to NIC2, but that will still involve some network disruption and possibly other issues with the OS depending on what version you're running.

If I were you, I'd leave it enabled, install the BMC utility and check things out.  It can actually come in very handy for certain remote troubleshooting situations. http://support.dell.com/support/edocs/software/smbmcmu/2.0A01/en/ug/bmcugc0d.htm
0
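The pattern described in this thread (a second MAC on a single switch port, same vendor prefix, last byte one step away from the host NIC, pulling its own DHCP lease, invisible to a capture running on the host OS) is exactly what a BMC/iLO/DRAC sideband interface sharing NIC1 looks like from the switch. The script below is an added example, not code from the thread or from any vendor: it parses a constructed MAC-address table (the column layout is assumed, not real ProCurve output), groups entries by port, flags pairs that share an OUI and sit within a small offset of each other, and cross-references the suspected sideband MAC against a constructed DHCP lease list so an admin can see which IP the "ghost" obtained before deciding whether to leave port security in place or assign the BMC a static address.

```python
import re
from collections import defaultdict

# Constructed sample MAC table (port, MAC, VLAN). The column layout is an
# assumption for this example, not the switch's real "show mac-address" output.
MAC_TABLE = """\
Port  MAC Address        VLAN
A1    00:1e:c9:aa:bb:10  1
A1    00:1e:c9:aa:bb:11  1
A2    00:1e:c9:aa:bb:20  1
A3    00:50:56:12:34:56  1
A3    00:0c:29:ab:cd:ef  1
"""

# Constructed DHCP lease list: IP -> MAC (hypothetical values).
DHCP_LEASES = {
    "10.0.0.57": "00:1e:c9:aa:bb:11",
    "10.0.0.80": "00:0c:29:ab:cd:ef",
}

# Accept colon, hyphen, or ProCurve-style xxxxxx-xxxxxx notation.
MAC_RE = re.compile(
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|[0-9a-f]{6}-[0-9a-f]{6}", re.I
)


def normalize_mac(raw):
    """Lower-case 12 hex digits with no separators."""
    return re.sub(r"[^0-9a-f]", "", raw.lower())


def parse_mac_table(text):
    """Return a list of (port, mac) tuples; lines without a MAC are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header or blank line
        port = line.split()[0]
        entries.append((port, normalize_mac(m.group(0))))
    return entries


def mac_distance(a, b):
    """Distance between the NIC-specific halves if the OUIs match, else None."""
    if a[:6] != b[:6]:
        return None
    return abs(int(a[6:], 16) - int(b[6:], 16))


def find_sideband_candidates(entries, leases, max_delta=2):
    """Flag ports carrying two MACs from the same OUI within max_delta of
    each other. Sideband management controllers commonly derive their MAC
    from the host NIC's MAC, so the higher one is reported as the suspect."""
    lease_by_mac = {normalize_mac(m): ip for ip, m in leases.items()}
    by_port = defaultdict(list)
    for port, mac in entries:
        by_port[port].append(mac)

    findings = []
    for port, macs in sorted(by_port.items()):
        if len(macs) < 2:
            continue  # one MAC per port is the expected state
        for i in range(len(macs)):
            for j in range(i + 1, len(macs)):
                d = mac_distance(macs[i], macs[j])
                if d is None or d == 0 or d > max_delta:
                    continue
                primary, shadow = sorted((macs[i], macs[j]))
                findings.append({
                    "port": port,
                    "primary": primary,
                    "shadow": shadow,
                    "delta": d,
                    "dhcp_ip": lease_by_mac.get(shadow),
                })
    return findings


if __name__ == "__main__":
    for f in find_sideband_candidates(parse_mac_table(MAC_TABLE), DHCP_LEASES):
        print(f"port {f['port']}: {f['primary']} and {f['shadow']} "
              f"(offset {f['delta']}), shadow lease: {f['dhcp_ip']}")
```

Port A3 in the sample also carries two MACs, but from different OUIs, so it is not reported; that is the ordinary case of a hypervisor or a downstream device, and it needs a different check. Only A1 is flagged, matching the symptom in this question: a near-identical MAC on the server's own port that holds a DHCP lease the OS knows nothing about.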
 

Author Comment

by:pdoukas
ID: 33684135
Very interesting, I did not know this. I cannot bounce the server for at least a couple of days, but I will and I will let you know what I find.
0
 

Author Comment

by:pdoukas
ID: 34443410
Yes close it. No resolution, just filtering the issue seems to suffice.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34459564
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0