Networking

Cisco administration 101: Understanding Ethernet MAC addresses

While you're probably familiar with Ethernet MAC addresses, how much do you know about working with them in the Cisco IOS? In this edition of Cisco Routers and Switches, David Davis tells you how to determine the MAC address, change it, and use it to filter traffic.

Chances are good that most of you know what an Ethernet MAC address is. But what you might not know is what you can do with MAC addresses in the Cisco IOS.

An Ethernet MAC address uniquely identifies every Ethernet device in the world. Each vendor that creates network devices (e.g., Ethernet NICs, wireless devices, routers, and switches) preprograms these addresses into their devices.

A MAC address can go by other names, including physical address (in Windows), Ethernet address, and hardware address. Whatever you call it, this address is a 12-character hexadecimal string. Here are some examples:

  • 1234.5678.90ab
  • 12-34-56-78-90-ab
  • 12.34.56.78.90.ab

Determine your MAC address

In Windows, you can find out your MAC address using the ipconfig /all command. Listing A offers an example.

In the command's output, you can find the MAC address under the Physical Address listing. You can find out similar information from the switch this PC connects to using the show mac-address-table command. Here's an example:

Switch# show mac-address-table 
          Mac Address Table
—————————————————————-

Vlan    Mac Address       Type        Ports
——    —————-       ————    ——-
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14

On a Cisco router, you can find out which MAC addresses your interfaces use with the show interfaces command. Here's an example:

RouterB# show interfaces
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0003.e39b.9220 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

On the second line of each interface, you'll see the hardware address line with the BIA (burned in address). In this case, the hardware address is 0003.e39b.9220.

Each Ethernet interface on a Cisco router has its own Ethernet MAC address. Special devices such as routers and switches have a number of special built-in addresses such as the four displayed above in the show mac-address-table output; these are the lines with the STATIC type listed.

Change my MAC address

Changing your MAC address from the default is what we call MAC spoofing. This term has a negative connotation because its more popular uses are for improper activities, particularly wireless network hacking. However, MAC spoofing does have legitimate uses, such as testing MAC filtering.

To change your MAC address on a Cisco router, use the mac-address command while in Interface Configuration Mode. Just use the command with the new MAC address—it's that simple. Here's an example:

RouterB# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)# int e0/0
RouterB(config-if)# mac-address 0000.0000.0001
RouterB(config-if)#^Z
RouterB#
RouterB# show int e0/0
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

After changing the MAC address, you can view the new one using the show interfacecommand.

Filter traffic based on MAC address

Let's say that, through a protocol analyzer, you find a device sending unwanted traffic on your network. It looks like this device is multi-homed—that is, it's sending traffic from multiple IP addresses.

You could find the switch port it's on using the show mac-address-table command and perform a shutdown on the port. But what if it connects to a hub with other devices or comes from some network not under your control?

Another option is to filter the traffic on the router or switch using a MAC address filter. Here's an example.

Cat3750Switch(config)# mac access-list ext filtermac 
Cat3750Switch(config-ext-macl)# deny host 0000.0000.0001 any
Cat3750Switch(config-ext-macl)# permit any any
Cat3750Switch(config-ext-macl)# exit
Cat3750Switch(config)# int g1/0/40
Cat3750Switch(config-if)# mac access-group filtermac in

In this example—using a Cisco Catalyst 3750 Gigabit Ethernet switch—we created an extended named MAC address access control list called filtermac. This ACL denies all traffic with a source MAC address of 0000.0000.0001 and permits all other traffic. We then applied this MAC address ACL to Gigabit Ethernet interface 1/0/40, which prevents traffic from entering that port from any device with that MAC address, no matter what the IP address.

Keep in mind that filtering by MAC addresses is not a security measure—someone can easily change the MAC address in your operating system.

For more information on MAC address ACLs, check out Cisco's Creating Named MAC Extended ACLs documentation. Do you have a good switch configuration recommendation that you want to share? What other switch topics would you like to see covered in this column? Share your thoughts in this article's discussion.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks