Re: Mystery MAC address

[JoeSox <joesox () gmail com>]

FOLLOWUP:

Looks like that MAC is our Sonicwall firewall and the packets are coming in
from upstream on a shared VLAN but not a shared subnet (not sure how this
is happening).
Our sonicwall shows one virus hit on one of the new 10.1.2.0
addresses (upstream subnet) seen today.
Thanks for all the responses. The upstream is investigating now.
--
Thank You,
Joe


On Fri, Jul 8, 2022 at 11:40 AM William Herrin <bill () herrin us> wrote:

> On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox () gmail com> wrote:
> > And it shows an unrecognized MAC address. This virtual machine is in a
> Nutanix environment.
> > I am trying to figure this out without bringing in paid outside help.
> Thanks in advance for any responses.
> > c2:ea:e4:c5:57:e6
> > is the MAC in question.
>
> Hi Joe,
>
> Any MAC address with the 2 bit set in the first byte (e.g. c2) is
> locally generated. Those are x2, x6, xA and xE. Typically this means a
> virtual machine but not always.
>
> Best bet: trace it through your switch. If you have managed switches,
> they know which port any given mac address came from. You can trace
> that back to the machine and then look at the virtual switch on the
> machine to figure out which VM.
>
> Incidentally, the 1 bit in the first byte means broadcast (1) or unicast
> (0).
>
> Regards,
> Bill Herrin
>
>
> --
> For hire. https://bill.herrin.us/resume/