
Cisco administration 101: Understanding Ethernet MAC addresses

While you're probably familiar with Ethernet MAC addresses, how much do you know about working with them in the Cisco IOS? In this edition of Cisco Routers and Switches, David Davis tells you how to determine the MAC address, change it, and use it to filter traffic.

Chances are good that most of you know what an Ethernet MAC address is. But what you might not know is what you can do with MAC addresses in the Cisco IOS.

An Ethernet MAC address uniquely identifies every Ethernet device in the world. Each vendor that creates network devices (e.g., Ethernet NICs, wireless devices, routers, and switches) preprograms these addresses into their devices.

A MAC address can go by other names, including physical address (in Windows), Ethernet address, and hardware address. Whatever you call it, this address is a 12-character hexadecimal string. Here are some examples:

  • 1234.5678.90ab
  • 12-34-56-78-90-ab
  • 12.34.56.78.90.ab

Determine your MAC address

In Windows, you can find out your MAC address using the ipconfig /all command. Listing A offers an example.

In the command's output, you can find the MAC address under the Physical Address listing. You can find out similar information from the switch this PC connects to using the show mac-address-table command. Here's an example:

Switch# show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14

On a Cisco router, you can find out which MAC addresses your interfaces use with the show interfaces command. Here's an example:

RouterB# show interfaces
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0003.e39b.9220 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

On the second line of each interface, you'll see the hardware address line, which also shows the BIA (burned-in address). In this case, the hardware address is 0003.e39b.9220.

Each Ethernet interface on a Cisco router has its own Ethernet MAC address. Special devices such as routers and switches have a number of special built-in addresses such as the four displayed above in the show mac-address-table output; these are the lines with the STATIC type listed.

Change my MAC address

Changing your MAC address from the default is what we call MAC spoofing. This term has a negative connotation because its more popular uses are for improper activities, particularly wireless network hacking. However, MAC spoofing does have legitimate uses, such as testing MAC filtering.

To change your MAC address on a Cisco router, use the mac-address command while in Interface Configuration Mode. Just use the command with the new MAC address—it's that simple. Here's an example:

RouterB# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)# int e0/0
RouterB(config-if)# mac-address 0000.0000.0001
RouterB(config-if)#^Z
RouterB#
RouterB# show int e0/0
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

After changing the MAC address, you can view the new one using the show interface command. Note that the BIA shown in parentheses does not change; only the active address does, so comparing the two reveals that the interface address has been overridden.

Filter traffic based on MAC address

Let's say that, through a protocol analyzer, you find a device sending unwanted traffic on your network. It looks like this device is multi-homed—that is, it's sending traffic from multiple IP addresses.

You could find the switch port it's on using the show mac-address-table command and perform a shutdown on the port. But what if it connects to a hub with other devices or comes from some network not under your control?

Another option is to filter the traffic on the router or switch using a MAC address filter. Here's an example.

Cat3750Switch(config)# mac access-list ext filtermac 
Cat3750Switch(config-ext-macl)# deny host 0000.0000.0001 any
Cat3750Switch(config-ext-macl)# permit any any
Cat3750Switch(config-ext-macl)# exit
Cat3750Switch(config)# int g1/0/40
Cat3750Switch(config-if)# mac access-group filtermac in

In this example—using a Cisco Catalyst 3750 Gigabit Ethernet switch—we created an extended named MAC address access control list called filtermac. This ACL denies all traffic with a source MAC address of 0000.0000.0001 and permits all other traffic. We then applied this MAC address ACL to Gigabit Ethernet interface 1/0/40, which prevents traffic from entering that port from any device with that MAC address, no matter what the IP address.
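As an added example (not code from the article or from Cisco), the following Python script ties the three sections together: it normalizes a MAC written in any of the notations shown above, parses the show mac-address-table output to find the port an address was learned on, flags interfaces in show interfaces output whose active address differs from the BIA (the sign that mac-address was configured), and emits the same filtermac ACL lines used above. The function names, the Gi1/0/40 table row and the sample text are constructed for this example.

```python
import re

# Sample output copied from the article's show commands; the Gi1/0/40 row is
# constructed to represent the device the article's ACL filters.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14
   1    0000.0000.0001    DYNAMIC     Gi1/0/40
"""
SHOW_INT = """\
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
"""

def normalize_mac(mac):
    """Return the Cisco dotted form of a MAC given in any of the article's notations."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

ROW = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                 r"\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """'show mac-address-table' output -> list of (vlan, mac, type, port)."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def find_ports(text, mac):
    """Ports on which the switch learned the MAC, whatever the input format."""
    want = normalize_mac(mac)
    return [port for _, m, _, port in parse_mac_table(text) if m.lower() == want]

def find_overridden_macs(text):
    """Interfaces in 'show interfaces' output whose active address differs from the BIA."""
    found, name = {}, None
    for line in text.splitlines():
        if (m := re.match(r"^(\S+) is \S+, line protocol", line)):
            name = m.group(1)          # interface header line, e.g. Ethernet0/0
        m = re.search(r"address is (\S+) \(bia (\S+)\)", line)
        if m and name and m.group(1) != m.group(2):
            found[name] = (m.group(1), m.group(2))   # (active, burned-in)
    return found

def mac_acl_config(acl, mac, interface):
    """Config lines equivalent to the article's filtermac example."""
    return [f"mac access-list extended {acl}",
            f" deny host {normalize_mac(mac)} any", " permit any any",
            f"interface {interface}", f" mac access-group {acl} in"]
```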

Keep in mind that filtering by MAC addresses is not a security measure—someone can easily change the MAC address in your operating system.

For more information on MAC address ACLs, check out Cisco's Creating Named MAC Extended ACLs documentation. Do you have a good switch configuration recommendation that you want to share? What other switch topics would you like to see covered in this column? Share your thoughts in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

8 comments
Rupika_Kapoor

Hello  David Davis CCIE


Thank you for the post. 

I am trying to create a MAC access list on my 2921 series router, but on applying the access list on interface gigabitethernet 0/0 using the command 'mac access-group 700 in', I am getting the error message:
--------
(config-if)#mac access-group 700 in
                                   ^ 
% Invalid input detected at '^' marker.
-------

I am unable to find what I am missing here.

wesleyfry

Could you give a more in-depth explanation of the various commands to view the MAC-ADDRESS-TABLE? For instance, dynamic as opposed to static.

h_buchal

This was a great article. I learned a few new tricks. I want to know how one can find the IP address of the devices connected to a Cisco router/switch and the port that these devices are connected to.

krisrise28

Need help with a CCNA test. I entered the access list (config)access 101 permit tcp x.x.x.x x.x.x.x eq 80 but it told me "version cannot accept access list 101". Also, the diagram asks about the MAC address for a device on a certain port, but I did a show mac-address table and nothing displayed for that MAC address.

muleram

I'm not sure where to place ACLs. I know for one thing that extended ACLs are placed close to the source.

bggb29

We filter out all DMZ traffic from the core out. It would be useful to set up separate external switches for DMZ-only traffic and trunk the DMZ VLANs to an external switch. Or trunk firewalls into a switch. Thanks

ddavis

Hi Muleram, Thanks for your question. You always want to place ACLs closest to the SOURCE of the traffic. That way, you stop the unwanted traffic from wasting any part of your network bandwidth. For example, say that you only want telnet traffic going across your WAN circuit. You might as well block all traffic but telnet on the Ethernet LAN port, closest to the devices creating the traffic. Thanks for reading TechRepublic! -David

ddavis

Hi bggb29, Thanks for the article suggestion. I will get working on this one! It is a good idea. Thanks for reading TechRepublic! -David
