Ghost client showing on connection from MX100 to MS350

Solved
Autumn
Getting noticed

Hi all!

I've got a strange one, there's a client showing up on a connection from my MX100 to a MS350.

It's showing up as a MacBook and it's traversing different VLANs and constantly changing IP addresses between what appears to be 4 different IPs.

When I click on the client for more info it says client not found, can't search using the MAC address, it doesn't appear. It's showing up on port 48 of the MS350 but when I look at the MS350 overview, it says the client is on port 1.

A side note, the MAC address is one digit off from a legitimate MAC address from one of our PCs.

Can anyone shed some light on this or is there a way to block a MAC address through the Dashboard?

Let me know if you need more info!

Thanks!

~Autumn

*Edit: Forgot to mention, the CDP/LLDP on port 48 of the MS350; it shows it's connected into port 7 of the MX100 but when I go to the MX100 it says port 7 is disconnected.

Not on site right now so I can't check the cabling physically but any ideas for when I get up there to check it out would be helpful.

 

1 Accepted Solution
TBisel
Getting noticed

If it's showing active on the switch and not in the clients list, that means its traffic is not leaving your network and is localized. Track back to the switch port he is in and shut it down there.


TBisel
Getting noticed

I would disable port 7. Might be something weird. I would do an IP scan on the subnet to see if you can get it. Also, what I would do is make a group policy destroying internet access and blocking all the things and assign it to that device.

Autumn
Getting noticed

I'm a bit new to the Dashboard. I'm not able to click on any ports on the MX100 like I can on the MS350s.

How do you disable a port on an MX100? Console? Local status page?

Also, I'm not sure if I can apply the policy to the user. The user doesn't show up in searches and when I click on the client while on Port 48 it says that the client does not exist.

Is there another way to apply a policy to a user or should I get the 4 IP addresses they are using and make a firewall rule?

Sorry for the basic questions!!

Thanks!

NolanHerring
Kind of a big deal

You have to go to Security appliance > Addressing & VLANs and you can see the port configs there.
Nolan Herring | nolanwifi.com
TBisel
Getting noticed

If you're hoping to console anything with Meraki, you're going to have a bad time...

Aside from that, the group policy I am talking about is in Meraki: Network-wide -> Configure -> Group Policy. Then find the device in the client list, click the left box, and above the check box at the top of the list is the Policy drop-down. There is actually a "Blocked" by default so you can just use that.

Autumn
Getting noticed

I think I'm going to have to check the connection from port 7 to port 48. This client is just not searchable in the clients list but keeps showing a lot of traffic on the switch.

Thanks for the assistance!

TBisel
Getting noticed

If it's showing active on the switch and not in the clients list, that means its traffic is not leaving your network and is localized. Track back to the switch port he is in and shut it down there.

Autumn
Getting noticed

Thanks!! I'll look into it further. The fact that it's all local traffic is a good hint, thank you.

In your opinion, is it something I should be worried about?

If it's all localized traffic, does that mean it's pulling data from the servers/security cameras?

Could a loop in the network cause something like this?

Any more info is greatly appreciated!

~Autumn

PhilipDAth
Kind of a big deal

I think I would be tempted to try and schedule in a reboot. Something sounds screwy.

Are you running modern firmware on the MS350 like 10.45?

Autumn
Getting noticed

Running 11.6
Autumn
Getting noticed

After some investigation, the MacBook Pro's MAC address is matching the MAC of our MX.

So there's some bug that's causing the MX to be listed as traffic on the network that's traversing all the VLANs.

Got a case with the Meraki guys to get it taken care of, thanks for all your input everyone!!

-Autumn
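
The comparison that resolved this thread (an unidentified client MAC checked against the MACs of known PCs and of the network gear itself) can be scripted. The following is an added example, not part of any post here and not Meraki code; the inventory format, device names, and MAC addresses (taken from the documentation range 00-00-5E-00-53-xx) are constructed assumptions.

```python
import re

def normalize(mac: str) -> str:
    """Return 12 lowercase hex digits, accepting ':', '-' or '.' separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def hex_distance(a: str, b: str) -> int:
    """Number of hex-digit positions in which two normalized MACs differ."""
    return sum(x != y for x, y in zip(a, b))

def triage(ghost: str, inventory: dict) -> list:
    """Compare an unidentified MAC against known devices.

    inventory maps MAC -> (name, role); role is 'infrastructure' or 'endpoint'
    (a hypothetical format for this example). Returns (verdict, name) pairs,
    strongest explanation first.
    """
    g = normalize(ghost)
    findings = []
    for mac, (name, role) in inventory.items():
        d = hex_distance(g, normalize(mac))
        if d == 0 and role == "infrastructure":
            # The "client" is one of our own routers/switches.
            findings.append((0, "own-infrastructure", name))
        elif d == 0:
            findings.append((1, "known-endpoint", name))
        elif d == 1:
            # Near match: adjacent interface MAC, typo, or a look-alike.
            findings.append((2, "one-digit-off", name))
    if int(g[1], 16) & 0x2:  # locally administered bit of the first octet
        findings.append((3, "locally-administered", "randomized or software-set MAC"))
    findings.sort()
    return [(v, n) for _, v, n in findings] or [("unknown", "not in inventory")]

# Constructed sample inventory; separators vary on purpose.
INVENTORY = {
    "00:00:5e:00:53:10": ("MX100 LAN", "infrastructure"),
    "00-00-5E-00-53-A7": ("MS350 core", "infrastructure"),
    "0000.5e00.5311": ("PC-ACCOUNTING-03", "endpoint"),
}

if __name__ == "__main__":
    for verdict, name in triage("00:00:5E:00:53:10", INVENTORY):
        print(f"{verdict}: {name}")
```

Listing the infrastructure MACs alongside endpoint MACs is what lets the exact match to the MX outrank the one-digit-off match to a PC.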

GIdenJoe
Kind of a big deal

That's a bug.

When you use Meraki as L3 switch you usually get a random client in the network that gets allotted most traffic coming from the L3 switch.

From logical deduction (I don't have the facts like the Meraki team does) I believe the problem is as follows:
- The switches/AP can only track clients using MAC
- The MX can do both but is configured to use MAC because they're all in the same combined network.
- But the L3 switch of course uses its own MAC to forward frames towards the MX if you use a best practice point-to-point /30 LAN between MX and MS and all LAN traffic gets routed out that /30 towards the MX.
- I also believe the traffic recognition differs on the switches than the MXes, so that means if the MX and the MS agree that this traffic is Skype, then the registration of that traffic to the dashboard will be coming from the MS with the correct client MAC address. However, if they don't agree, for example the MS says it's HTTPS traffic but the MX classifies the traffic as BitTorrent, then you will have duplicate registration of the same traffic and of course the MX will see the traffic coming from the MAC of the MS, causing one client to have major traffic towards WAN/Internet. How it chooses the client name though is a mystery for me.

I hope a Meraki technician could provide more inside clarification on this.
