How to identify unknown devices on network?

Michael Butash michael at butash.net
Mon Jul 7 10:27:28 MST 2014 

If using L2 bridging for AP vlan's, it should NOT rewrite the L2 source 
mac - that only occurs at L3 boundaries, or if the ap is doing 
lwapp/capwap tunneling on controller-based networks.  They just act like 
yet another switch in path, fowarding mac addresses as it builds a 
table, not rewriting them.

As per the dupe mac issue, it is MUCH worse to duplicate mac addresses, 
as this causes a condition known as "unicast-broadcast flooding".  I've 
seen data centers crushed because windoze admin's loved using 
microsoft's network load-balancing (nlb) services, that go figure, just 
duplicated mac addresses on all cluster members to make them all receive 
the request (they'd arbitrate on the back-end with an out of band 
connection which should answer).

Why is this bad?

When a switch sees mac addy's learned on multiple ports, it FLOODS the 
frames out ALL interfaces in a given vlan, forwarding as a broadcast 
now, as does all other switches receiving it, and all hosts have to 
accept the packet at least into buffer before dropping it as an unknown 
mac destination (ie. not the host receiving it). Imagine what happens 
when that IP address happens to take a multi-gigabit DDoS attack...  
Data centers go poof, thanks Microsoft (and admins that don't understand 
networking).

Funny enough, Microsoft says the solution is to put your cluster on a 
HUB (yes, not a switch).

Cisco said not to use Microsoft Clustering NLB services, thus the 
load-balancer market was born, now making network guys figure out 
applications (or applications people learning networking).

-mb


On 07/07/2014 05:34 AM, kitepilot at kitepilot.com wrote:
> When you have a chain of wireless IP/bridges, and you don't enable the 
> WDS feature (implemented
>> a company called Silex.  Could be any number of devices. They seem to 
>> make a wide range of interesting products.
>> http://www.silexamerica.com
>> I just used a MAC address search tool online.
>> The first one that came up for me was http://www.coffer.com .
>> The first part of a Mac hardware address is the manufacturer. The 
>> remainder is a unique serial number/identifier.  The two together 
>> (are supposed) make a globally unique hardware address to prevent any 
>> possible addressing conflicts.
>> Some, er, less conscientious manufacturers aren't diligent about 
>> ensuring truly unique mac addresses.  It is easier and cheaper to 
>> make half a million exact copies than the added cost and complexity 
>> of incrementing the MAC address.
>> MAC address cloning can cause issues also if we are not careful.
>> Hopefully that will help a bit in tracking what has connected to your 
>> network.
>> Let us know here on the list if you have any other questions or if we 
>> can elaborate.
>> Have a great night!
>> Ed K.
>> Plug lurker
>>> On Jul 6, 2014, at 11:33 PM, joe at actionline.com wrote:
>>> How can I identify the unknown devices (????? below)
>>> on my local network?
>>> Source IP:  Devices:    Mac addr:
>>> 192.168.0.1 Motorola    00:24:37:85:73:f0 REPLACED
>>> 192.168.0.2 X5003191    2c:44:fd:67:34:ab Ethernet 3
>>> 192.168.0.3 Unknown ??    88:87:17:c0:a4:45 ?????
>>> 192.168.0.4 Galaxy phn    0c-71-5d-29-dc-ff
>>> 192.168.0.5 Tivo 84600    00:11:d9:55:72:ca
>>> 192.168.0.6 Xoom tab    98-4b-4a-c0-6f-3a
>>> 192.168.0.7 Chromecast    d0:e7:82:c4:5c:ac
>>> 192.168.0.8 ??????????    00:19:9d:56:50:2e ?????
>>> 192.168.0.9 Nexus7 tab    ac:22:0b:44:da:95
>>> 192.168.0.10 HP laptop    e0:06:e6:a2:93:a5
>>> 192.168.0.91 Lenovo      70:71:bc:3e:00:ed
>>> 192.168.0.64 T43 laptop    00:12:f0:34:5c:33
>>> 192.168.0.104 BRW008092CAC78E - 00:80:92:ca:c7:8e ?????
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

More information about the PLUG-discuss mailing list