Can you explain what you are trying to do, or what the issue is?
The only camera model is WV-SW559 sorry about mentioning WV-SF539 currently working on this camera on my desk.
The WV-SW559 camera is the only device plugged into port on Cisco switch.
1428 0800.239a.d17b STATIC Gi1/0/11
camera is using 10.14.28.106
VLAN info is 1428
|MAC address ||08-00-23-9A-D1-7B |
Does not seem to matter if you move camera to another port on switch you have the
same spoof MAC address. Results below did not paste from camera.
Camera has not been send off for repair
IPVMU Certified | 08/05/15 11:04pm
Interesting case. Questions:
- Are the cameras sending frames with their own Panasonic ethernet MACs as well?
- Did they ever work without causing a violation?
- Have the cameras been defaulted since the violations?
- Do you have the Cisco Sticky Mac configuration set to shut the port down on violation?
One thing you could try is setting the switch to not shutdown the port but just deny and log the violations, just temporarily. That way you would be able to see if its just on boot-up and/or how frequent the packets are being sent out.
If you can put the camera on an isolated test network with just a PC then you could run wireshark on the PC and see what protocols and messages the spoofed ethernet address is sending. You may be able to get this eaiser thru the switch, but it wasn't obvious to me how to get more then the violation information you shared.
Going further, if you could enable telnet or ssh on panosonic camera, you should be able to track down the actual process that is spoofing using tcpdump and netstat etc.
btw, I HAVE actually seen cameras use more than one ethernet address breifly during boot (and not just on dual wired/wireless cameras). Both an Axis camera I have and an Everfocus one start out with a different MAC for just a few seconds before switching to the 'real' one on the label.
That said, the MAC addresses always have the same OUI, so this seems different.
Finally, OUI 00:00:40 is really ancient, it's actually the 65th OUI ever issued; the first ten went right to Xerox (surprise), and Applicon went out of business long before the camera was ever made.
Super long shot: Applicon's assets eventually ended up being owned by Siemens AG. So its possible that they sold it or are using it themselves.
IPVMU Certified | 08/05/15 11:17pm
camera is using 10.14.28.106
Have you confirmed no other devices are trying to use this IP address?
Using Angry IP Scanner results below:
IPVMU Certified | 08/05/15 11:40pm
Only ports open on camera are 80,554...
Just to note that this would be the only open incoming ports. Ephemeral outgoing ports used by a rogue program on the camera are likely open.
Who initiates the conversation and whether it is directed from/to a specific host or broadcast is one thing that wireshark or tcpdump would tell you.
Thanks for the help, I will be speaking with our Networking team tomorrow.
They are the Cisco experts and can try some of the items you suggested.
Cameras were recently purchased in past two years. One site online 16 months or so the other site online for 18 months. Just recently this error has occured within the past two months.
We don't have any other Panasonic cameras displaying these problems. We have a mixture of Sony,Panasonic,IQinvision,Toshiba,Arecont, and Sony video encoders supporting analog cameras.
Background, we are a City Government in North Texas with 300 plus cameras and have been networking cameras since 2006 when we started with OnSSI NETDVMS platform. Currently we are using EMC/Isilon storage array supporting cameras using approx. 67 TB. Plans are underway to move to the Ocularis 5.0 platform from the NetGuard client loaded on PC's, etc.
Issue resolved by applying firmware update to Panasonic cameras.