nanog mailing list archives
Re: Mystery MAC address
From: JoeSox <joesox () gmail com>
Date: Fri, 8 Jul 2022 14:29:22 -0700
FOLLOWUP: Looks like that MAC is our Sonicwall firewall and the packets are coming in from upstream on a shared VLAN but not a shared subnet (not sure how this is happening). Our sonicwall shows one virus hit on one of the new 10.1.2.0 addresses (upstream subnet) seen today. Thanks for all the responses. The upstream is investigating now. -- Thank You, Joe On Fri, Jul 8, 2022 at 11:40 AM William Herrin <bill () herrin us> wrote:
On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox () gmail com> wrote:And it shows an unrecognized MAC address. This virtual machine is in aNutanix environment.I am trying to figure this out without bringing in paid outside help.Thanks in advance for any responses.c2:ea:e4:c5:57:e6 is the MAC in question.Hi Joe, Any MAC address with the 2 bit set in the first byte (e.g. c2) is locally generated. Those are x2, x6, xA and xE. Typically this means a virtual machine but not always. Best bet: trace it through your switch. If you have managed switches, they know which port any given mac address came from. You can trace that back to the machine and then look at the virtual switch on the machine to figure out which VM. Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0). Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/
Current thread:
- Mystery MAC address JoeSox (Jul 08)
- Re: Mystery MAC address Christopher Morrow (Jul 08)
- Re: Mystery MAC address heasley (Jul 08)
- Re: Mystery MAC address Brandon Svec via NANOG (Jul 08)
- Re: Mystery MAC address Saku Ytti (Jul 08)
- Re: Mystery MAC address Crist Clark (Jul 08)
- Re: Mystery MAC address Saku Ytti (Jul 08)
- Re: Mystery MAC address William Herrin (Jul 08)
- Re: Mystery MAC address JoeSox (Jul 08)
- Re: Mystery MAC address Christopher Morrow (Jul 08)