• Status: Solved
• Priority: Medium
• Security: Public
• Views: 888

2 MAC Addresses off of port on switch from one server

I have a server connected to a ProCurve 4208. I noticed last week that there were 2 MAC addresses coming off of that single port interface. The server itself has 2 NICs but one is disabled, so I am just using the one. What's interesting is that the MAC address of the "ghost" is one character off from the MAC address of the live interface. Additionally, it is requesting and getting DHCP from my DHCP server. Well, I needed to put an end to that quickly, so I enacted port security on the port on the switch to only allow the single correct MAC's data through. With the "ghost" locked out, it is no longer pulling DHCP and is no longer pingable on the network. However, I can ping the bogus IP address on the server itself. I did an ipconfig /all and route print on the server and didn't see anything that stood out. I also cleared the ARP cache, flushed DNS, searched for unwanted services and ran a virus scan, and came up short. Does anyone have a clue what I am looking for?
Asked by pdoukas
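The symptom in the question (two MACs on one switch port, the second one a single hex digit away from the server's NIC, and pulling a DHCP lease of its own) is easier to hunt for across a whole switch than one port at a time. The following is an added example, not part of the original thread: it parses a constructed sample in the shape of ProCurve `show mac-address` output, groups MACs by port, flags ports carrying more than one address, and marks pairs that differ in exactly one hex digit, which is the "ghost" pattern a BMC or iLO sharing a server NIC produces. The sample table, the DHCP lease map and the port names are made up for the example; real output may differ in column layout, so check the regex against your own switch before relying on it.

```python
"""Spot switch ports carrying more than one MAC, and pairs that differ by one
hex digit (the 'ghost' pattern a BMC or iLO sharing a server NIC produces).

Added example; the table and leases below are constructed, not real output."""
import re
from collections import defaultdict

# Constructed sample in the shape of ProCurve 'show mac-address' output
SAMPLE_MAC_TABLE = """\
 Status and Counters - Port Address Table

  MAC Address   Port
  ------------- ----
  001a4b-1c2d3e A1
  001a4b-1c2d3f A1
  0013d4-99aa01 A2
  00e0b1-55ee02 A3
  00e0b1-55ee03 A3
  0024e8-0a0b0c A3
"""

# Constructed DHCP lease map (normalized MAC -> leased IP); only the ghost has one
SAMPLE_LEASES = {"001a4b1c2d3f": "10.1.2.77"}

# ProCurve prints MACs as six-dash-six hex digits; the port name follows
MAC_LINE = re.compile(r"\b([0-9a-fA-F]{6})-([0-9a-fA-F]{6})\s+(\S+)")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Map each port to the list of MACs the switch has learned on it."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = MAC_LINE.search(line)
        if m:
            table[m.group(3)].append(normalize_mac(m.group(1) + m.group(2)))
    return dict(table)


def nibble_distance(a, b):
    """Number of hex digits in which two MACs differ."""
    return sum(x != y for x, y in zip(normalize_mac(a), normalize_mac(b)))


def find_suspect_ports(table, leases=None):
    """Report ports with more than one MAC; note near-identical pairs and any
    DHCP lease held by those MACs so the 'ghost' IP can be located."""
    leases = leases or {}
    findings = []
    for port, macs in sorted(table.items()):
        if len(macs) < 2:
            continue
        macs = sorted(macs)
        sidecar_pairs = [(a, b) for i, a in enumerate(macs)
                         for b in macs[i + 1:] if nibble_distance(a, b) == 1]
        findings.append({
            "port": port,
            "macs": macs,
            "sidecar_pairs": sidecar_pairs,
            "lease_ips": {m: leases[m] for m in macs if m in leases},
        })
    return findings


if __name__ == "__main__":
    for f in find_suspect_ports(parse_mac_table(SAMPLE_MAC_TABLE), SAMPLE_LEASES):
        print(f"port {f['port']}: {len(f['macs'])} MACs,"
              f" near-identical pairs {f['sidecar_pairs']}, leases {f['lease_ips']}")
```

A port with a near-identical pair and a lease on the odd MAC is the case in this thread; a port with several unrelated MACs is more likely a downstream switch, hypervisor or hub and deserves a different look.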
 
Matt V commented:
Does the server have a remote management card or iLO interface in it?
This is a known issue with some IBM servers, and may apply to others as well.
The RSA/iLO will "share" the NIC1 port on the motherboard and request an IP along with the one the server is already using.
 
pdoukas (Author) commented:
Dell PE2950 with a statically assigned IP address. I have about 15 just like it and all were configured at the same time. I feel it is unlikely this is what I am looking for; HOWEVER, I will look into it. Thing is, aren't these used for remote management? How would I determine if it is being used, or if it even exists, without powering off the server?
 
Matt V commented:
If you browse to the IP from your server (which can still see it I think you said) from IE, you should get the remote management login screen.
Otherwise, using a program like nmap to scan open ports on the IP might shed some light.
 
pdoukas (Author) commented:
I actually tried browsing to the IP address with IE, used multiple "common" ports, and nothing came up. I thought about nmap and Wireshark, but according to the nmap documentation, "You cannot generally scan your own machine from itself (using a loopback IP such as 127.0.0.1 or any of its registered IP addresses)." Wireshark would require me to reboot after the installation, and this is a production server that I simply cannot bring down until I know what I am dealing with and can remove it within about 10 minutes. I checked for a DRAC card (Dell's remote management) and there is not one on there, so I think that may be a moot avenue. I realize my options are limited unless I bounce the server, but I need to hold off as long as I can. I can tell you we ran a port scanner against the IP prior to me locking it down and nothing showed up as open.

 
Matt V commented:
Try Microsoft Network Monitor; it is Wireshark without the reboot required.
 
pdoukas (Author) commented:
I will certainly do that. I will install and test on the test server and then, if there are no issues, will let it loose on the production one. Stay tuned... and thanks for your assistance.
 
pdoukas (Author) commented:
OK, so I ran MNM pretty quickly, as I knew that as soon as I cleared the flag on the switch and reset the notification one would appear within a few seconds, and sure enough the flag went off. So I stopped the capture and filtered on the MAC address and came up empty. I filtered on the IP address and came up empty as well. So I thought that I did something wrong, and started the capture again. I ran a utility off of the server that we have complete control over and then stopped the capture. The MAC and IP address of the workstation running the procedure came up just fine in my filter. At this point I am completely baffled.
 
pdoukas (Author) commented:
I do want to add that I applied an IPv4 address filter for my third attempt so I could ping the address, as I knew it would respond from the particular server. Although I have data now, there is nothing significant other than ICMP traffic from the server to the server.
 
pdoukas (Author) commented:
4th attempt, using a MAC address filter, and I get nada. I'm just letting it sit there in hopes that there is something making it want to go out and do something.
 
pdoukas (Author) commented:
For my 5th attempt I took the port off of port security. I loaded MNM with both an IP filter and a MAC filter. The only thing that would respond going to the server was the static IP that is assigned to the correct NIC, which is also the correct MAC address. I tried to ping the "ghost" IP address and, although I would get a reply on my workstation, I wouldn't see any traffic in MNM running on the server. Consequently, if I apply port security again, I cannot ping the "ghost" IP address. I am at a loss.
 
Matt V commented:
Sure sounds like the remote management card.  It would not show up to Windows as a device, so would not show any traffic in MNM.

That is my call on it anyway. Turn port security back on and don't worry about it :)
 
pdoukas (Author) commented:
I'm going to rest on it tonight. Not to worry, you will be rewarded if unresolved, but keep an eye on thread, I'm not giving up quite as easily :)
 
kuoh commented:
The server may not have a DRAC, but according to Dell documentation, the PE2950 still has a BMC that uses NIC1.  http://support.dell.com/support/edocs/systems/pe2950/en/hom/html/syssetup.htm#wp1056468  That is most likely what is generating the traffic you're seeing.  You can either disable it or assign a static IP, but that means a reboot.  Alternatively, you can change to NIC2, but that will still involve some network disruption and possibly other issues with the OS depending on what version you're running.

If I were you, I'd leave it enabled, install the BMC utility and check things out.  It can actually come in very handy for certain remote troubleshooting situations. http://support.dell.com/support/edocs/software/smbmcmu/2.0A01/en/ug/bmcugc0d.htm
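kuoh's point is the one to verify before treating the second MAC as hostile: a PE2950 without a DRAC still has a BMC that rides on NIC1 and will request a DHCP address of its own, and because that traffic leaves through the NIC's sideband rather than the Windows network stack, a host-side capture such as MNM never sees it. Where an IPMI driver is available on the host, the same LAN settings the BIOS exposes can be read and changed in-band with ipmitool (`ipmitool lan print 1` and `ipmitool lan set 1 ...`), which avoids the reboot. The following is an added example, not code from the thread or from Dell: it parses a constructed `ipmitool lan print` capture, reports whether the BMC is on DHCP and still using the default SNMP community, and returns the ipmitool commands for either pinning it to a static address or switching LAN access off. The channel number, the addresses and the sample output are assumptions; channel 1 is the usual LAN channel, but check yours.

```python
"""Audit a BMC LAN channel from 'ipmitool lan print' output and produce the
ipmitool commands that pin it to a static address or switch LAN access off.

Added example; the capture below is constructed and the commands are only
returned as strings, never executed."""

# Constructed 'ipmitool lan print 1' capture for a BMC that shares NIC1
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Admin    : MD2 MD5
IP Address Source       : DHCP Address
IP Address              : 10.1.2.77
Subnet Mask             : 255.255.255.0
MAC Address             : 00:1a:4b:1c:2d:3f
SNMP Community String   : public
Default Gateway IP      : 10.1.2.1
802.1q VLAN ID          : Disabled
"""


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict. The first colon splits key from
    value (so MAC addresses survive intact); continuation lines that start with
    a colon have an empty key and are skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:
            cfg[key] = value.strip()
    return cfg


def audit_bmc(cfg, channel=1, mode="static", static=None):
    """Return (findings, commands).

    findings: what the BMC is doing that explains a second MAC/IP on the port
    commands: ipmitool invocations for the chosen remediation ('static' keeps
              the BMC reachable on a known address; 'disable' turns LAN off)
    """
    findings, cmds = [], []
    if cfg.get("IP Address Source", "").startswith("DHCP"):
        findings.append(
            f"channel {channel} takes its address from DHCP: "
            f"{cfg.get('IP Address')} on {cfg.get('MAC Address')}")
    if cfg.get("SNMP Community String", "").lower() == "public":
        findings.append("SNMP community is the default 'public'")

    if mode == "disable":
        cmds.append(f"ipmitool lan set {channel} access off")
    elif mode == "static":
        if not static:
            raise ValueError("static mode needs ip, netmask and gateway")
        cmds += [
            f"ipmitool lan set {channel} ipsrc static",
            f"ipmitool lan set {channel} ipaddr {static['ip']}",
            f"ipmitool lan set {channel} netmask {static['netmask']}",
            f"ipmitool lan set {channel} defgw ipaddr {static['gateway']}",
        ]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return findings, cmds


if __name__ == "__main__":
    cfg = parse_lan_print(SAMPLE_LAN_PRINT)
    # Assumed management addresses for the example; pick ones on a management VLAN
    findings, cmds = audit_bmc(cfg, static={"ip": "10.1.3.10",
                                            "netmask": "255.255.255.0",
                                            "gateway": "10.1.3.1"})
    print("\n".join(findings))
    print("\n".join(cmds))
```

Pinning the BMC to a static address on a management VLAN, rather than leaving it on DHCP in the server VLAN, is what makes the switch-side port-security rule in the question sustainable: the port then carries exactly the two MACs you expect, and the BMC stays reachable for the out-of-band troubleshooting kuoh mentions.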
 
pdoukas (Author) commented:
Very interesting, I did not know this. I cannot bounce the server for at least a couple of days, but I will, and I will let you know what I find.
 
pdoukas (Author) commented:
Yes close it. No resolution, just filtering the issue seems to suffice.
 
Qlemo (Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
