MAC Address Spoofing

Does anyone have experience dealing with MAC address spoofing when using Cisco Switch Sticky MAC enabled for Panasonic cameras in particular a WV-SW559?

Firmware is current at Application 1.62 version & Image data at 2.33

Only ports open on camera are 80,554 checked ports 1-65256

VMS is OnSSI using NetDVMS version 6.5. In process of moving to Ocularis 5.0

Can you explain what you are trying to do, or what the issue is?

We are trying to clearup why on Cisco switches at different sites, with port security is enabled we have a security violation.

Cisco switches are identical at both sites with software, etc.

A panasonic WV-SF539 camera is installed at both locations.

Error message displayed is as follows:

This error comes from our Cisco switch with MAC security turned on. This security is commonly called sticky MAC security.

Aug 4 13:45:04 xx.xx.x.x 231511: Aug 4 13:45:03.548 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.4006.0000 on port GigabitEthernet1/0/15. xx.xx.x.x is the switch IP address.

Installed Panasonic WV-SF539 camera shows:

MAC address 08-00-23-9A-D1-7B
Serial no. LIV04395
Firmware version
1 Application: 1.62
2 Image data: 2.33
IPL version 1.00
HTML version ENG 2.00
IP address(IPv6) Linklocal fe80::a00:23ff:fe9a:d17b

using to lookup MAC address info


00:00:40 APPLICON, INC.

Thus the 0000.4006.0000 we believe is a spoof MAC address

perhaps in the Panasonic WV-SF539 camera software.

In all cases the camera is online and recording using

OnSSI VMS software.

You list two different model cameras. Which one is actually installed? Was this camera ever sent for repair? If so, the mac could have been reprogramed...

Are you sure that there are no other devices (network switch) plugged in to that port on the switch?

The only camera model is WV-SW559 sorry about mentioning WV-SF539 currently working on this camera on my desk.

The WV-SW559 camera is the only device plugged into port on Cisco switch.

Details below.

  • Golf Center

1428 0800.239a.d17b STATIC Gi1/0/11

camera is using



VLAN info is 1428

MAC address 08-00-23-9A-D1-7B

Does not seem to matter if you move camera to another port on switch you have the

same spoof MAC address. Results below did not paste from camera.

IPv4 network
Network Settings
IP address(IPv4) . . .
Subnet mask . . .
Default gateway

. . .

Camera has not been send off for repair

Hi 1!

Interesting case. Questions:

  1. Are the cameras sending frames with their own Panasonic ethernet MACs as well?
  2. Did they ever work without causing a violation?
  3. Have the cameras been defaulted since the violations?
  4. Do you have the Cisco Sticky Mac configuration set to shut the port down on violation?

One thing you could try is setting the switch to not shutdown the port but just deny and log the violations, just temporarily. That way you would be able to see if its just on boot-up and/or how frequent the packets are being sent out.

If you can put the camera on an isolated test network with just a PC then you could run wireshark on the PC and see what protocols and messages the spoofed ethernet address is sending. You may be able to get this eaiser thru the switch, but it wasn't obvious to me how to get more then the violation information you shared.

Going further, if you could enable telnet or ssh on panosonic camera, you should be able to track down the actual process that is spoofing using tcpdump and netstat etc.

btw, I HAVE actually seen cameras use more than one ethernet address breifly during boot (and not just on dual wired/wireless cameras). Both an Axis camera I have and an Everfocus one start out with a different MAC for just a few seconds before switching to the 'real' one on the label.

That said, the MAC addresses always have the same OUI, so this seems different.

Finally, OUI 00:00:40 is really ancient, it's actually the 65th OUI ever issued; the first ten went right to Xerox (surprise), and Applicon went out of business long before the camera was ever made.

Super long shot: Applicon's assets eventually ended up being owned by Siemens AG. So its possible that they sold it or are using it themselves.

camera is using

Have you confirmed no other devices are trying to use this IP address?


Using Angry IP Scanner results below:

Angry-IP-scan for subnet

Only ports open on camera are 80,554...

Just to note that this would be the only open incoming ports. Ephemeral outgoing ports used by a rogue program on the camera are likely open.

Who initiates the conversation and whether it is directed from/to a specific host or broadcast is one thing that wireshark or tcpdump would tell you.

Thanks for the help, I will be speaking with our Networking team tomorrow.

They are the Cisco experts and can try some of the items you suggested.

Cameras were recently purchased in past two years. One site online 16 months or so the other site online for 18 months. Just recently this error has occured within the past two months.

We don't have any other Panasonic cameras displaying these problems. We have a mixture of Sony,Panasonic,IQinvision,Toshiba,Arecont, and Sony video encoders supporting analog cameras.

Background, we are a City Government in North Texas with 300 plus cameras and have been networking cameras since 2006 when we started with OnSSI NETDVMS platform. Currently we are using EMC/Isilon storage array supporting cameras using approx. 67 TB. Plans are underway to move to the Ocularis 5.0 platform from the NetGuard client loaded on PC's, etc.

Issue resolved by applying firmware update to Panasonic cameras.