Friday, January 12, 2018

Port-Security Tripping Intra-VLAN Across Multiple Switches (Resolved)

A few months ago, I made a few posts on the Monday and Wednesday threads about a weird issue we had been experiencing. Since I had received a lot of different opinions and it seemed to be a pretty niche issue, I thought I'd post an update.

Basically, port security kept catching PCs sourcing frames with the MAC address of other machines on the same VLAN, regardless of location or switch. It happened at different times of day and sometimes not at all for days at a time. The initial response was that it was a switching loop, but that was ruled out. No updates, no new applications, nothing pushed to the clients.

Packet captures didn't show much: a few gratuitous ARPs that could not be reproduced and made no sense at the time, a few DNS queries for names that did not exist, and so on. (Unexplained gratuitous ARPs are worth taking seriously whenever port security trips and there is no loop: something answering on another host's behalf looks exactly like that.) I eventually narrowed it down to most PCs hitting the issue only around power state changes (sleep and wake), but the PC event logs showed absolutely nothing.

Since I was blamed for the issue ("since port security is tripping, it has to be a network issue"), I went back and forth with Cisco for 3 months and, thankfully, they helped out immensely.

Turns out, SCCM (System Center Configuration Manager) has a power-management client setting called Wake-Up Proxy. When it is enabled, one machine per subnet is elected the "manager" for the other machines on that subnet. When one of those machines goes to sleep, the manager starts sending frames with the sleeping machine's source MAC address so that the switch keeps that MAC in its CAM table on the manager's port (and traffic for the sleeping machine reaches the manager, which can then wake it). From the switch's point of view this is a MAC address moving from one port to another, which is precisely what port security is there to catch. Blog here and Cisco thread here.
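Since the symptom above (one port repeatedly tripping violations for MAC addresses that legitimately live on other ports and switches) is what distinguishes a wake-up proxy manager from a plain port-security hit, here is an added example, written for this write-up and not taken from the original post or from Cisco or Microsoft, that correlates Cisco IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%SW_MATM-4-MACFLAP_NOTIF` syslog lines against a baseline of where each MAC normally sits. The switch names, ports, MACs, the baseline and the log lines are constructed; the Cisco message formats are real. A port that accumulates violations for several MACs that are all "at home" elsewhere is the proxy candidate, and the baseline tells you which host is plugged into it, which is the machine to check for the SCCM setting.

```python
import re
from collections import defaultdict

# Constructed baseline: MAC -> (switch, port) from `show mac address-table`
# snapshots taken during normal hours. Names and MACs are made up.
BASELINE_MAC_HOME = {
    "0050.5601.0a01": ("sw-floor2", "Gi1/0/5"),
    "0050.5601.0b22": ("sw-floor2", "Gi1/0/6"),
    "0050.5601.0c33": ("sw-floor2", "Gi1/0/7"),
    "0050.5601.0d44": ("sw-floor1", "Gi1/0/3"),
    "0050.5601.00ff": ("sw-floor1", "Gi1/0/12"),  # the host that turns out to be the manager
}

# Constructed syslog lines in Cisco IOS format (hostnames/MACs made up).
SYSLOG_LINES = [
    "Jan 12 07:58:11 sw-floor1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0a01 on port GigabitEthernet1/0/12.",
    "Jan 12 07:58:13 sw-floor1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0b22 on port GigabitEthernet1/0/12.",
    "Jan 12 08:01:02 sw-floor1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "Jan 12 08:02:40 sw-floor1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0c33 on port GigabitEthernet1/0/12.",
    "Jan 12 08:03:05 sw-floor2 %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5601.0c33 in vlan 20 is flapping between port Gi1/0/7 and port Gi1/0/48",
    "Jan 12 08:15:22 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0d44 on port GigabitEthernet1/0/30.",
    "Jan 12 08:20:00 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0e55 on port GigabitEthernet1/0/20.",
]

_TS_HOST = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<switch>\S+) .*?"
VIOLATION_RE = re.compile(
    _TS_HOST + r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[^\s.]+)\.?$"
)
FLAP_RE = re.compile(
    _TS_HOST + r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<port_a>\S+) and port (?P<port_b>\S+)$"
)

# Syslog uses long interface names, `show mac address-table` uses short ones.
_PORT_ABBREV = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")]


def normalize_port(name):
    """Map 'GigabitEthernet1/0/12' to 'Gi1/0/12'; leave already-short names alone."""
    for long_name, short in _PORT_ABBREV:
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def analyze(lines, baseline, min_foreign=2):
    """Correlate violations with the baseline.

    A violation is 'foreign' when the offending MAC has a known home on a
    different (switch, port). Ports with at least `min_foreign` distinct
    foreign MACs are reported as proxy candidates, together with the MACs
    the baseline says actually belong on that port.
    """
    foreign = defaultdict(set)   # (switch, port) -> MACs whose home is elsewhere
    unknown = []                 # violations by MACs absent from the baseline
    flaps = []                   # MAC-flap notifications, kept for context
    for line in lines:
        m = VIOLATION_RE.match(line)
        if m:
            here = (m["switch"], normalize_port(m["port"]))
            home = baseline.get(m["mac"])
            if home is None:
                unknown.append((m["ts"], here, m["mac"]))
            elif home != here:
                foreign[here].add(m["mac"])
            continue
        f = FLAP_RE.match(line)
        if f:
            flaps.append((f["ts"], f["switch"], f["mac"], f["vlan"],
                          normalize_port(f["port_a"]), normalize_port(f["port_b"])))
    candidates = {port: sorted(macs) for port, macs in foreign.items() if len(macs) >= min_foreign}
    resident = {port: sorted(mac for mac, home in baseline.items() if home == port)
                for port in candidates}
    return {
        "foreign_by_port": {port: sorted(macs) for port, macs in foreign.items()},
        "proxy_candidates": candidates,
        "resident": resident,
        "unknown": unknown,
        "flaps": flaps,
    }


if __name__ == "__main__":
    result = analyze(SYSLOG_LINES, BASELINE_MAC_HOME)
    for port, macs in result["proxy_candidates"].items():
        print(f"{port[0]} {port[1]}: {len(macs)} foreign MACs {macs}; "
              f"host(s) on this port per baseline: {result['resident'][port]}")
    for ts, port, mac in result["unknown"]:
        print(f"{ts} {port[0]} {port[1]}: violation by MAC {mac} not in baseline (new device?)")
```

In the constructed data, sw-floor1 Gi1/0/12 trips three violations for MACs whose homes are all on sw-floor2, so the host on that port (0050.5601.00ff) is the one to check for the wake-up proxy setting; the single foreign MAC on sw-floor2 Gi1/0/30 stays below the threshold, and the violation on Gi1/0/20 is by a MAC with no baseline entry, which is a different investigation (an unregistered device rather than a proxy). The threshold is deliberately low because a manager only spoofs machines as they go to sleep, so the evidence accumulates slowly.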

Now I guess we just have to have a working change control process, hmm... For anyone hitting the same thing: the setting lives in the SCCM client settings under Power Management ("Enable wake-up proxy"), and Microsoft's own documentation notes that the feature is not supported on 802.1X-authenticated networks and that switch port security will interfere with it, so it should never be turned on without the network team knowing.
