FOLLOWUP:

Looks like that MAC is our SonicWall firewall and the packets are coming in from upstream on a shared VLAN but not a shared subnet (not sure how this is happening).
Our SonicWall shows one virus hit on one of the new 10.1.2.0 addresses (upstream subnet) seen today.
Thanks for all the responses. The upstream is investigating now.
--
Thank You,
Joe


On Fri, Jul 8, 2022 at 11:40 AM William Herrin <bill@herrin.us> wrote:
On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox@gmail.com> wrote:
> And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
> I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses.
> c2:ea:e4:c5:57:e6
> is the MAC in question.

Hi Joe,

Any MAC address with the 2 bit set in the first byte (e.g. c2) is
locally generated. Those are x2, x6, xA and xE. Typically this means a
virtual machine but not always.

Best bet: trace it through your switch. If you have managed switches,
they know which port any given MAC address came from. You can trace
that back to the machine and then look at the virtual switch on the
machine to figure out which VM.

Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0).

Regards,
Bill Herrin


--
For hire. https://bill.herrin.us/resume/
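
An added example, not part of the original thread: a Python sketch of the first-byte check and the switch-table trace discussed above. The table layout is a constructed "VLAN MAC TYPE PORT" sample rather than any vendor's real output, and the function names are hypothetical.

```python
import re

# Constructed sample of a switch MAC address table (generic layout).
SAMPLE_TABLE = """\
  10   0050.56aa.bb01      DYNAMIC   Gi1/0/1
  10   c2:ea:e4:c5:57:e6   DYNAMIC   Gi1/0/24
  20   01-00-5E-00-00-FB   STATIC    CPU
  20   ffff.ffff.ffff      STATIC    CPU
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff forms.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
    re.IGNORECASE,
)

def parse_mac(text):
    """Strip separators and return the six raw bytes of a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Decode the two flag bits carried in the first byte."""
    first = parse_mac(mac)[0]
    return {
        "local": bool(first & 0x02),  # 2 bit: locally administered
        "group": bool(first & 0x01),  # 1 bit: group (multicast/broadcast)
    }

def local_unicast_ports(table):
    """Return (port, mac) for each locally administered unicast entry."""
    hits = []
    for line in table.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue
        flags = classify(match.group(0))
        if flags["local"] and not flags["group"]:
            hits.append((line.split()[-1], match.group(0).lower()))
    return hits

if __name__ == "__main__":
    for port, mac in local_unicast_ports(SAMPLE_TABLE):
        print(f"{mac} is locally administered, learned on {port}")
```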