All NetApp E-Series Systems (e.g. E2700 and E2600)
Issue
The internal chip vendor for the NetApp host card (HIC) responsible for the CH3 / CH4 host ports has a predefined set of MAC addresses for every port on the host card. These are set to support multiple protocols.
The normal behaviour is for the FCoE, Ethernet and iSCSI MAC addresses to all be uniquely defined on the same port.
Solution
If you must quickly identify which MAC addresses would be visible to some security applications, you can determine the list from a label on the controller host card. Locate the controller hardware and write down the MAC address from the label on the host card (white sticker).
On the example label referred to here, the MAC is shown as 00:A0:98:5C:1C:B8 x6.
'x6' indicates that the MAC address pool for this card is 6 sequential addresses long.
The NetApp HIC would require the following MAC addresses to be allowed in aggressive port security implementations:
00:A0:98:5C:1C:B8
00:A0:98:5C:1C:B9
00:A0:98:5C:1C:BA
00:A0:98:5C:1C:BB
00:A0:98:5C:1C:BC
00:A0:98:5C:1C:BD
If the label is missing or further evidence is required, there is a shell command that can output the MAC address pool list. Please note that shell commands are sensitive and should only be completed by NetApp to avoid any chance of error and impact.
1. Connect to the shell of the controller.
2. Execute chall 0 and document which host channel relates to the port of interest. In this example, channels 4 and 5 are used to show the full list for the card.
-> chall 0
chAll (Tick 0304974794) ==> 04/11/17-12:24:26 (GMT)
2701-A 08.25.08.00
.....Channels.....:...........Target...........:............Initiator..........:
Link :ITN :..........IOs..........:ITN :............IOs...........:.........Busy.........Idle.
Ch H/D STP Down :cnt : Open Completed Errs :cnt : Qd Open Completed Errs: Ms Ms
---- --- --- ---- :--- :----- ---------- ----- :--- :--- ----- ---------- -----: ------------ -------------
0 Drv SAS 0 : 1 : 0 41267 0 : 14 : 0 0 112236 0: 16536 61258555
1 Drv SAS 0 : 1 : 0 41150 0 : 14 : 0 0 104671 6: 12267 61262825
-< 2 Hst SAS 0 : 0 : 0 0 0 : 0 : 0 0 0 0: 0 61275093
-< 3 Hst SAS 0 : 0 : 0 0 0 : 0 : 0 0 0 0: 0 61275093
-< 4 Hst FCP 0 : 0 : 0 0 0 : 0 : 0 0 0 0: 0 61275093
-< 5 Hst FCP 0 : 0 : 0 0 0 : 0 : 0 0 0 0: 0 61275093
6 Drv USB 0 : 0 : 0 0 0 : 2 : 0 0 0 0: 0 61275094
value = 1 = 0x1
3. Using the channel from step 2, execute qlSetMacAddresses # to output the MAC addresses to the shell. The highlighted portion of the output below correlates to the last octet of the MAC addresses in the list we manually created above.
-> qlSetMacAddresses 4
address into qlSetMacAddresses:0
NOTE: memory values are displayed in hexadecimal.
0x0c697700: b8 1c 5c 98 a0 00 00 00 * .\.....*
0x0c697710: b9 1c 5c 98 a0 00 00 00 ba 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c697720: bb 1c 5c 98 a0 00 00 00 bc 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c697730: bd 1c 5c 98 a0 00 00 00 *..\.............*
value = 0 = 0x0
-> 04/11/17-12:29:41 (tShellRem208398600): WARN: Mac Address of less that 0xFFFFFFFF rejected
04/11/17-12:29:41 (tShellRem208398600): WARN: QLogic command failed
-> qlSetMacAddresses 5
address into qlSetMacAddresses:0
NOTE: memory values are displayed in hexadecimal.
0x0c690500: b8 1c 5c 98 a0 00 00 00 b9 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c690510: ba 1c 5c 98 a0 00 00 00 bb 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c690520: bc 1c 5c 98 a0 00 00 00 bd 1c 5c 98 a0 00 00 00 *..\.......\.....*
value = 0 = 0x0
-> 04/11/17-12:31:06 (tShellRem208398600): WARN: Mac Address of less that 0xFFFFFFFF rejected
04/11/17-12:31:06 (tShellRem208398600): WARN: QLogic command failed
4. Repeat this process for every port (channel) connected on each controller.
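The following is an added example, not NetApp code: it expands a label value such as 00:A0:98:5C:1C:B8 x6 into the port-security allow-list and cross-checks it against qlSetMacAddresses dump lines saved to text. The function names are hypothetical, and the dump layout (8-byte entries with the MAC in the first 6 bytes, last octet first) is an assumption inferred from the output shown above.

```python
import re

LABEL_RE = re.compile(r"\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*x\s*(\d+)\s*")

def _fmt(value):
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def expand_label(label):
    """Expand a label such as '00:A0:98:5C:1C:B8 x6' into its sequential MAC pool."""
    m = LABEL_RE.fullmatch(label)
    if not m:
        raise ValueError(f"unrecognised label: {label!r}")
    base, count = int(m.group(1).replace(":", ""), 16), int(m.group(2))
    if count < 1 or base + count - 1 > 0xFFFFFFFFFFFF:
        raise ValueError("pool size is zero or runs past the MAC address space")
    return [_fmt(base + i) for i in range(count)]  # integer add carries across octets

def macs_from_dump(text):
    """Read MACs from the hex dump lines of saved qlSetMacAddresses output.
    Assumed layout: 8-byte entries, 6 MAC bytes in reversed order, 2 padding bytes."""
    macs = []
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9A-Fa-f]+:(.*)", line)
        if not m:
            continue  # skip prompts, notes and WARN lines
        octets = re.findall(r"\b[0-9A-Fa-f]{2}\b", m.group(1).split("*", 1)[0])
        for i in range(0, len(octets) - 7, 8):
            mac = ":".join(reversed(octets[i:i + 6])).upper()
            if mac not in macs:
                macs.append(mac)
    return macs

def compare(label, dump):
    """Return (on the label but not in the dump, in the dump but not on the label)."""
    expected, seen = expand_label(label), macs_from_dump(dump)
    return ([m for m in expected if m not in seen], [m for m in seen if m not in expected])

# Channel 4 output lines as shown on this page.
DUMP_CH4 = r"""address into qlSetMacAddresses:0
0x0c697700: b8 1c 5c 98 a0 00 00 00 * .\.....*
0x0c697710: b9 1c 5c 98 a0 00 00 00 ba 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c697720: bb 1c 5c 98 a0 00 00 00 bc 1c 5c 98 a0 00 00 00 *..\.......\.....*
0x0c697730: bd 1c 5c 98 a0 00 00 00 *..\.............*"""

if __name__ == "__main__":
    print("\n".join(expand_label("00:A0:98:5C:1C:B8 x6")))
    print(compare("00:A0:98:5C:1C:B8 x6", DUMP_CH4))
```

A non-empty first list from compare means an address on the label was not reported by the controller; a non-empty second list means the controller reports an address that the label-derived allow-list would block.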