One resource I've found incredibly valuable in performing network reconnaissance is the IEEE's MAC OUI database. An Organizationally Unique Identifier (OUI) makes up the first 24 bits of a MAC address, and serves to identify the owner of an address range (typically the NIC manufacturer) with the goal of preserving global uniqueness.
Although the IEEE's instructions state that OUIs should be entered in XX-XX-XX format (the first half of a hexadecimal MAC address), dashes are optional, and you can also search by text string to identify all OUIs owned by a particular company (for example, "cisco systems"). Alternatively, the full list is available for download in plain text format.
The database isn't always conclusive: as the IEEE notes, many manufacturers subcontract the production of interface circuitry and, with it, delegate the assignment of burned-in addresses. However, the database has helped me numerous times to identify a rogue router emplaced by a customer or a legitimate infrastructure device which was overlooked in existing documentation and not otherwise remotely identifiable.
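For offline use against the downloaded list, the lookup and text search described above can be scripted. The following is an added example, not part of the original post. It assumes the plain-text file carries one `XX-XX-XX   (hex)   Organization` line per OUI, and the sample entries, function names and the locally administered bit check (from IEEE 802 addressing, not mentioned in the post) are illustrative additions.

```python
import re

# Constructed sample in the assumed layout of the IEEE plain-text list.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                Organization

00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
\t\t\t\t1 Example Street
00-11-22   (hex)\t\tExample Widgets Corp
001122     (base 16)\t\tExample Widgets Corp
"""

# Only the "(hex)" lines are needed; address and "(base 16)" lines are skipped.
HEX_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){2})\s+\(hex\)\s+(.+?)\s*$")

def load_oui(text):
    """Map 'XXXXXX' (upper-case hex, no separators) to the registered owner."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "").upper()] = m.group(2)
    return table

def normalize_mac(mac):
    """Accept dashed, colon, Cisco dotted or bare hex; return 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def lookup(table, mac):
    """Return the OUI owner, or the reason the database cannot answer."""
    digits = normalize_mac(mac)
    if int(digits[:2], 16) & 0x02:
        # Locally administered bit set: not a burned-in address, no OUI applies.
        return "locally administered (no OUI)"
    return table.get(digits[:6], "unregistered or unknown OUI")

def search_vendor(table, needle):
    """Case-insensitive text search, like searching for 'cisco systems'."""
    return sorted(o for o, name in table.items()
                  if needle.lower() in name.lower())
```

To run it against the real list, pass the contents of the downloaded file to `load_oui` in place of the sample string.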