Mystery MAC address

Fri Jul 8 18:14:41 UTC 2022

The vendor code C0-EA-E4 looks like Sonicwall.

It’s not going unusual for a device take a global address on the device and
flip the local bit for some other use.

On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti <saku at ytti.fi> wrote:

> Technically the right most is multicast bit, the 2nd right most is locally
> assigned, it doesn't imply randomisation, it is unknowable how it was
> assigned.
>
> On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog at nanog.org>
> wrote:
>
>> I think that is a randomized address. Look at the second character in a
>> MAC address, if it is a 2, 6, A, or E it is a randomized address.  Per
>> https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
>> *Brandon Svec*
>>
>>
>>
>> On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I have something I have never seen before and was wondering if anyone in
>>> the community has seen something like this?
>>>
>>> So some active directory accounts are getting locked intermittently and
>>> I had to do some sniffing and I have an IP address showing up in a non-used
>>> subnet 10.1.2.x
>>> And it shows an unrecognized MAC address. This virtual machine is in a
>>> Nutanix environment.
>>>
>>> I am trying to figure this out without bringing in paid outside help.
>>> Thanks in advance for any responses.
>>> c2:ea:e4:c5:57:e6
>>> is the MAC in question. I don't fully understand this request. 10.1.2.18
>>> is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
>>> AD Audit provides nonexistent machines making the requests and even
>>> blank.
>>> "User account 'Administrator' was locked from computer ''."
>>>
>>> [image: image.png]
>>>
>>> --
>>> Thank You,
>>> Joe
>>>
>>
>
> --
>   ++ytti
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220708/f12d9a65/attachment.html>