Mystery MAC address

Crist Clark cjc+nanog at
Fri Jul 8 18:14:41 UTC 2022

The vendor code C0-EA-E4 looks like Sonicwall.

It’s not going unusual for a device take a global address on the device and
flip the local bit for some other use.

On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti <saku at> wrote:

> Technically the right most is multicast bit, the 2nd right most is locally
> assigned, it doesn't imply randomisation, it is unknowable how it was
> assigned.
> On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog at>
> wrote:
>> I think that is a randomized address. Look at the second character in a
>> MAC address, if it is a 2, 6, A, or E it is a randomized address.  Per
>> *Brandon Svec*
>> On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox at> wrote:
>>> Hello,
>>> I have something I have never seen before and was wondering if anyone in
>>> the community has seen something like this?
>>> So some active directory accounts are getting locked intermittently and
>>> I had to do some sniffing and I have an IP address showing up in a non-used
>>> subnet 10.1.2.x
>>> And it shows an unrecognized MAC address. This virtual machine is in a
>>> Nutanix environment.
>>> I am trying to figure this out without bringing in paid outside help.
>>> Thanks in advance for any responses.
>>> c2:ea:e4:c5:57:e6
>>> is the MAC in question. I don't fully understand this request.
>>> is the mystery ip that doesn't ping, is the DC.
>>> AD Audit provides nonexistent machines making the requests and even
>>> blank.
>>> "User account 'Administrator' was locked from computer ''."
>>> [image: image.png]
>>> --
>>> Thank You,
>>> Joe
> --
>   ++ytti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list