Mystery MAC address

JoeSox joesox at
Fri Jul 8 21:29:22 UTC 2022


Looks like that MAC is our Sonicwall firewall and the packets are coming in
from upstream on a shared VLAN but not a shared subnet (not sure how this
is happening).
Our sonicwall shows one virus hit on one of the new
addresses (upstream subnet) seen today.
Thanks for all the responses. The upstream is investigating now.
Thank You,

On Fri, Jul 8, 2022 at 11:40 AM William Herrin <bill at> wrote:

> On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox at> wrote:
> > And it shows an unrecognized MAC address. This virtual machine is in a
> Nutanix environment.
> > I am trying to figure this out without bringing in paid outside help.
> Thanks in advance for any responses.
> > c2:ea:e4:c5:57:e6
> > is the MAC in question.
> Hi Joe,
> Any MAC address with the 2 bit set in the first byte (e.g. c2) is
> locally generated. Those are x2, x6, xA and xE. Typically this means a
> virtual machine but not always.
> Best bet: trace it through your switch. If you have managed switches,
> they know which port any given mac address came from. You can trace
> that back to the machine and then look at the virtual switch on the
> machine to figure out which VM.
> Incidentally, the 1 bit in the first byte means broadcast (1) or unicast
> (0).
> Regards,
> Bill Herrin
> --
> For hire.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list