FYI, got this message from one of our network guys. This involved another 
campus.


~~~~~~~~~~~~~~~~~

We ran into a really "interesting" issue this week.  The SCCM guys decided to
implement the SCCM "wake-proxy" feature on the SCCM.  Not quite the normal
magic packet WOL procedure.  This has the SCCM server hit specific machines,
which then go and hit the machines in their VLAN.  However, these "manager
machines" also spoof the MAC addresses of the machines that go to sleep in
their VLAN in order to keep the MAC alive in the switch tables.

This is quite fun when you have port-security turned on that limits the number
of MAC addresses on the ports!  We had random machines dropping off the
network, DHCP issues, etc.  It was quite fun to chase down what exactly was
going on.  The only indication that we saw was that ports were showing multiple
MAC addresses when we knew that there was only one device connected to it and
it was not running a VM.  Wasn't even logged into.

Fortunately, something ticked the back of my mind about a feature they were
thinking about implementing on the SCCM and we were able to put the pieces
together.  Otherwise, we would still be scratching our heads over this.

Bottom line?  DO NOT implement SCCM wake-proxy with any sort of port-security
enabled.  Better yet, just don't implement wake-proxy at all.

Here is a discussion we found afterwards, once we knew what to look for.
https://supportforums.cisco.com/discussion/11835361/mac-address-flapping-and-sccm-wake-proxy

I worked with ALU TAC all afternoon on this.  The only weirdness that we could 
see was that the packet capture showed that the computer was sending out 
replies to ARP packets that were not for his MAC address.
I sent them the above link, so hopefully, they can add it to their internal 
database and be prepared if they see it again.

Just letting you all know!
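
The symptom described in the forwarded message (a port showing more MAC addresses than it has devices, and a MAC turning up on a port other than its own) can be checked for from periodic MAC-table snapshots. The following is an added example, not part of the original email: the snapshot format, port names and MAC addresses are constructed, and the limit of one MAC per port is an assumption.

```python
from collections import defaultdict

# Constructed sample data: (snapshot time, switch port, learned source MAC).
# This is not real switch output; ports and MACs are made up for the example.
SNAPSHOTS = [
    ("09:00", "1/1", "02:00:00:00:00:01"),  # the "manager machine"
    ("09:00", "1/2", "02:00:00:00:00:02"),
    ("09:00", "1/3", "02:00:00:00:00:03"),
    ("09:10", "1/1", "02:00:00:00:00:01"),
    ("09:10", "1/1", "02:00:00:00:00:02"),  # sleeping PC's MAC seen on manager's port
    ("09:10", "1/3", "02:00:00:00:00:03"),
    ("09:20", "1/1", "02:00:00:00:00:01"),
    ("09:20", "1/2", "02:00:00:00:00:02"),  # PC awake again, MAC back on its own port
    ("09:20", "1/3", "02:00:00:00:00:03"),
]


def ports_over_limit(rows, max_macs=1):
    """Return {(time, port): sorted MACs} for ports holding more MACs than allowed.

    max_macs mirrors the port-security limit (assumed to be 1 here).
    """
    seen = defaultdict(set)
    for when, port, mac in rows:
        seen[(when, port)].add(mac.lower())
    return {key: sorted(macs) for key, macs in seen.items() if len(macs) > max_macs}


def moved_macs(rows):
    """Return {mac: [ports in the order seen]} for MACs learned on more than one port."""
    history = defaultdict(list)
    for when, port, mac in sorted(rows):  # sort by snapshot time first
        mac = mac.lower()
        if not history[mac] or history[mac][-1] != port:
            history[mac].append(port)
    return {mac: ports for mac, ports in history.items() if len(ports) > 1}


if __name__ == "__main__":
    for (when, port), macs in ports_over_limit(SNAPSHOTS).items():
        print(f"{when} port {port}: {len(macs)} MACs learned: {', '.join(macs)}")
    for mac, ports in moved_macs(SNAPSHOTS).items():
        print(f"{mac} moved between ports: {' -> '.join(ports)}")
```

A port that trips both checks while only one physical device is attached matches the pattern described above.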


