Hi 1!
Interesting case. Questions:
- Are the cameras sending frames with their own Panasonic ethernet MACs as well?
- Did they ever work without causing a violation?
- Have the cameras been defaulted since the violations?
- Do you have the Cisco Sticky MAC configuration set to shut the port down on violation?
One thing you could try is setting the switch to not shutdown the port but just deny and log the violations, just temporarily. That way you would be able to see if it's just on boot-up and/or how frequent the packets are being sent out.
If you can put the camera on an isolated test network with just a PC then you could run Wireshark on the PC and see what protocols and messages the spoofed ethernet address is sending. You may be able to get this easier thru the switch, but it wasn't obvious to me how to get more than the violation information you shared.
Going further, if you could enable telnet or ssh on the Panasonic camera, you should be able to track down the actual process that is spoofing using tcpdump and netstat etc.
btw, I HAVE actually seen cameras use more than one ethernet address briefly during boot (and not just on dual wired/wireless cameras). Both an Axis camera I have and an Everfocus one start out with a different MAC for just a few seconds before switching to the 'real' one on the label.
That said, the MAC addresses always have the same OUI, so this seems different.
Finally, OUI 00:00:40 is really ancient, it's actually the 65th OUI ever issued; the first ten went right to Xerox (surprise), and Applicon went out of business long before the camera was ever made.
Super long shot: Applicon's assets eventually ended up being owned by Siemens AG. So it's possible that they sold it or are using it themselves.
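
The isolated-network capture suggested in the post above can be summarized per source MAC with a short script; this is an added example, not part of the original post. It assumes the capture was saved in classic pcap format, and the sample frames, the `02:00:00` stand-in for the camera's label OUI, and the function names are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x88CC: "LLDP"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def summarize_sources(pcap_bytes, expected_oui):
    """Group captured frames by source MAC and flag OUIs other than expected_oui."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    report, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue                   # too short to hold an Ethernet header
        src = fmt_mac(frame[6:12])
        etype = struct.unpack("!H", frame[12:14])[0]
        label = "802.3 length" if etype < 0x0600 else ETHERTYPES.get(etype, hex(etype))
        entry = report.setdefault(src, {
            "frames": 0, "first_seen": ts_sec + ts_usec / 1e6, "types": Counter(),
            "unexpected_oui": not src.startswith(expected_oui.lower())})
        entry["frames"] += 1
        entry["types"][label] += 1
    return report

def _record(ts, dst, src, etype):
    # Constructed sample frame: header plus 46 zero bytes of padding.
    frame = bytes.fromhex(dst + src) + struct.pack("!H", etype) + bytes(46)
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

# Constructed capture. 02:00:00 stands in for the OUI on the camera's label;
# 00:00:40 is the OUI from the thread, the remaining address bytes are made up.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(1, "ffffffffffff", "000040112233", 0x0806)
               + _record(3, "ffffffffffff", "020000aabbcc", 0x0806)
               + _record(4, "0200000000fe", "020000aabbcc", 0x0800))

if __name__ == "__main__":
    for mac, info in summarize_sources(SAMPLE_PCAP, "02:00:00").items():
        print(mac, info["frames"], dict(info["types"]), "UNEXPECTED OUI" if info["unexpected_oui"] else "")
```

The `first_seen` timestamps show whether the unexpected address only appears during boot, and the per-type counts show which protocol it is used for.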