Virtual MAC Addresses?

Josh Morris
Level 3

I am getting thousands (like tens of thousands) of weird MAC addresses in ISE, many of them are getting profiled as 'Xerox-Device' or 'EquipTrans-Device' based on the OUI. The MAC addresses mostly start with '00:01:00:00:*:*' and '00:00:00:00:00:*' and come from specific switches/ports. Without tracing the device down physically, I'm assuming these are some kind of virtual MAC addresses. Has anyone seen anything like this? Do you have any mitigation techniques? Endpoint purge policies?

6 Replies

Yes, I have seen it before, and I think you use 802.1X multi-host under the port? If yes, then change that to multi-auth and check again.

Thanks, I'm already multi-auth on all NADs.

Josh Morris
Level 3

Just found that one port that was showing this behavior has a Cisco phone connected. The behavior kind of reminded me of a loop of some kind, where thousands of endpoints were learned on a port at one time, then all were inactive after that.

Hmm, it can be
SW1-eth-IPPhone-Eth-SW2
This can make all hosts in SW1 (MAB) go through SW2, and that explains how ISE knows these MACs and successfully authenticates them.
So, to be sure if that is the case:
show mac in the SWs,
select two or three MACs connected to this port,
and see if these ports appear on any other SW or not.

Damien Miller
VIP Alumni

I tend to have customers use purge policies to keep their ISE deployment's database clean regardless of random MACs being used or not. Purge policies based on inactive days are quite good for this. 

As far as the specific virtual MACs you called out, firewalls are a common source of these, but HSRP/VRRP routers also use 0000.0xxx.xxxx. Both Checkpoints and Cisco ASAs use virtual MACs similar to your range.

It would probably be beneficial to track them down, determine which device type is on those ports, and potentially exempt them from authentication if they are in a protected space. 

I have also seen these random MAC addresses come from guest PCs running a VM hypervisor. I've never found any documentation explaining why, but I assume it has something to do with the vmNIC driver.
If you're seeing these being learned on uplink ports, you might want to disable the access-session monitor on those ports. This is mainly a visibility feature on newer switches, but I've never found it very useful to have monitoring on uplinks from a NAC perspective.

interface x/x/x
 no access-session monitor
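As an added example (not from any poster in this thread), a small Python script that applies the checks discussed above to `show mac address-table` output: it parses constructed sample tables from two switches, labels MACs that fall in well-known FHRP virtual ranges (HSRP, VRRP, GLBP) or in the two prefixes the original post reports, and lists MACs learned on more than one switch, which is the "does it appear on any other SW" comparison suggested in the loop reply. Switch names, ports and MAC values are constructed sample data.

```python
import re
# Constructed IOS 'show mac address-table' output for two switches (sample data, not from the thread).
SW1 = """\
Vlan    Mac Address       Type        Ports
  10    0001.0000.1a2b    DYNAMIC     Gi1/0/5
  10    0000.0000.0007    DYNAMIC     Gi1/0/5
  10    3c5a.b4aa.bb01    DYNAMIC     Gi1/0/5
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/48
"""
SW2 = """\
Vlan    Mac Address       Type        Ports
  10    0001.0000.1a2b    DYNAMIC     Gi1/0/12
  10    0000.0000.0007    DYNAMIC     Gi1/0/12
  10    3c5a.b4aa.bb01    DYNAMIC     Gi1/0/12
  10    0000.5e00.0101    DYNAMIC     Gi1/0/48
  10    aabb.cc00.0100    DYNAMIC     Gi1/0/3
"""
MAC_RE = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
# Prefixes as hex digits without separators: well-known FHRP virtual MACs plus the two ranges from the thread.
KNOWN = [
    ("00000c07ac", "HSRPv1 virtual MAC"),
    ("00000c9ff", "HSRPv2 virtual MAC"),
    ("00005e0001", "VRRP (IPv4) virtual MAC"),
    ("0007b400", "GLBP virtual MAC"),
    ("00010000", "thread-reported 00:01:00:00:*:* range (OUI profiled as EquipTrans)"),
    ("0000000000", "thread-reported 00:00:00:00:00:* range (OUI profiled as Xerox)"),
]

def parse_mac_table(text):
    """Map each MAC (as 12 lowercase hex digits) to the port it was learned on."""
    return {m.group(1).replace(".", "").lower(): m.group(2)
            for m in map(MAC_RE.match, text.splitlines()) if m}

def classify(mac_hex):
    """Label of the first matching known prefix, or None for an ordinary MAC."""
    return next((label for prefix, label in KNOWN if mac_hex.startswith(prefix)), None)

def triage(tables):
    """tables: {switch: output}. Returns (mac, label, {switch: port}) for known-prefix or multi-switch MACs."""
    seen = {}
    for sw, text in tables.items():
        for mac, port in parse_mac_table(text).items():
            seen.setdefault(mac, {})[sw] = port
    findings = []
    for mac, where in sorted(seen.items()):
        label = classify(mac) or (len(where) > 1 and "seen on more than one switch; compare ports against uplinks")
        if label:
            findings.append((mac, label, where))
    return findings
```

Feed real `show mac address-table` output per switch into `triage` and the per-switch port map in each finding shows whether a MAC sits on an access port on both sides (the phone-path scenario) or only on an uplink on the second switch (normal learning).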