The vendor code C0-EA-E4 looks like Sonicwall. It’s not going unusual for a device take a global address on the device and flip the local bit for some other use.
On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti <s...@ytti.fi> wrote: > Technically the right most is multicast bit, the 2nd right most is locally > assigned, it doesn't imply randomisation, it is unknowable how it was > assigned. > > On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog@nanog.org> > wrote: > >> I think that is a randomized address. Look at the second character in a >> MAC address, if it is a 2, 6, A, or E it is a randomized address. Per >> https://www.mist.com/get-to-know-mac-address-randomization-in-2020/ >> *Brandon Svec* >> >> >> >> On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joe...@gmail.com> wrote: >> >>> Hello, >>> >>> I have something I have never seen before and was wondering if anyone in >>> the community has seen something like this? >>> >>> So some active directory accounts are getting locked intermittently and >>> I had to do some sniffing and I have an IP address showing up in a non-used >>> subnet 10.1.2.x >>> And it shows an unrecognized MAC address. This virtual machine is in a >>> Nutanix environment. >>> >>> I am trying to figure this out without bringing in paid outside help. >>> Thanks in advance for any responses. >>> c2:ea:e4:c5:57:e6 >>> is the MAC in question. I don't fully understand this request. 10.1.2.18 >>> is the mystery ip that doesn't ping, 10.1.3.9 is the DC. >>> AD Audit provides nonexistent machines making the requests and even >>> blank. >>> "User account 'Administrator' was locked from computer ''." >>> >>> [image: image.png] >>> >>> -- >>> Thank You, >>> Joe >>> >> > > -- > ++ytti >
