Re: Mystery MAC address

[Crist Clark <cjc+nanog () pumpky net>]

The vendor code C0-EA-E4 looks like Sonicwall.

It’s not going unusual for a device take a global address on the device and
flip the local bit for some other use.

On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti <saku () ytti fi> wrote:

> Technically the right most is multicast bit, the 2nd right most is locally
> assigned, it doesn't imply randomisation, it is unknowable how it was
> assigned.
>
> On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog () nanog org>
> wrote:
>
> > I think that is a randomized address. Look at the second character in a
> > MAC address, if it is a 2, 6, A, or E it is a randomized address.  Per
> > https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
> > *Brandon Svec*
> >
> >
> >
> > On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox () gmail com> wrote:
> >
> > > Hello,
> > >
> > > I have something I have never seen before and was wondering if anyone in
> > > the community has seen something like this?
> > >
> > > So some active directory accounts are getting locked intermittently and
> > > I had to do some sniffing and I have an IP address showing up in a non-used
> > > subnet 10.1.2.x
> > > And it shows an unrecognized MAC address. This virtual machine is in a
> > > Nutanix environment.
> > >
> > > I am trying to figure this out without bringing in paid outside help.
> > > Thanks in advance for any responses.
> > > c2:ea:e4:c5:57:e6
> > > is the MAC in question. I don't fully understand this request. 10.1.2.18
> > > is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
> > > AD Audit provides nonexistent machines making the requests and even
> > > blank.
> > > "User account 'Administrator' was locked from computer ''."
> > >
> > > [image: image.png]
> > >
> > > --
> > > Thank You,
> > > Joe
>
> --
>   ++ytti