Cisco IOS: Understanding Ethernet MAC Addresses.


Although you may be familiar with Ethernet MAC addresses, how much do you know about their use in the Cisco Internet Operating System (Cisco IOS)? This article shows you how to determine and modify the MAC address on Cisco routers and switches running IOS, and how to use it to filter traffic.

Most of you probably know what an Ethernet MAC address is, but you may not know how to work with MAC addresses in the Cisco Internet Operating System.

An Ethernet MAC address uniquely identifies every Ethernet device in the world. Vendors that produce network devices (such as Ethernet network interface cards, wireless devices, routers, and switches) pre-program these addresses into their devices.

The MAC address goes by other names, including physical address (in Windows), Ethernet address, and hardware address. Whatever it is called, it is a string of 12 hexadecimal digits. Here are some examples, written in three common notations:

1234.5678.90ab

12-34-56-78-90-ab

12.34.56.78.90.ab

Determine your MAC address

In Windows, you can use the ipconfig /all command to find out your MAC address. Listing A is an example.

In the output of this command, you can find the MAC address on the Physical Address line. You can also use the show mac-address-table command to find similar information on the switch that this computer is connected to. Below is an example:

Switch# show mac-address-table
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14
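The three notations listed earlier and the switch output above are easy to work with from a script. The following Python example is added here and is not from the original article: it normalizes a MAC written in any of those notations (plus the colon form) into Cisco's xxxx.xxxx.xxxx form, parses show mac-address-table output (embedded below as constructed sample text that mirrors the output above) and reports the VLAN and port a given MAC was learned on. It also reads the two IEEE flag bits of the first octet (the multicast bit 0x01 and the locally-administered bit 0x02), which is a handy sanity check when auditing a table: a vendor burned-in address has the locally-administered bit clear. The sample text and function names are the example's own.

```python
import re

# Any of the notations the article lists (1234.5678.90ab, 12-34-56-78-90-ab,
# 12.34.56.78.90.ab) plus the colon form are accepted; separators are stripped
# and the 12 hex digits are re-grouped into Cisco's xxxx.xxxx.xxxx form.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return raw in Cisco dotted form; raise ValueError if it is not a valid MAC."""
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def first_octet(mac):
    return int(normalize_mac(mac)[0:2], 16)


def is_locally_administered(mac):
    """IEEE U/L bit (0x02 of the first octet): set means the address was not
    assigned from a vendor OUI, which is typical of manually configured MACs."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac):
    """IEEE I/G bit (0x01 of the first octet): set for group/multicast addresses."""
    return bool(first_octet(mac) & 0x01)


# One table row: VLAN, dotted MAC, type, port list. Banner and header lines do
# not match because their second column is not a dotted MAC.
_ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<ports>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Parse 'show mac-address-table' output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({
                "vlan": m["vlan"],
                "mac": m["mac"].lower(),
                "type": m["type"].upper(),
                "ports": m["ports"],
            })
    return rows


def find_ports(text, mac):
    """Return [(vlan, ports)] for every row whose MAC matches, in any notation."""
    target = normalize_mac(mac)
    return [(r["vlan"], r["ports"]) for r in parse_mac_table(text) if r["mac"] == target]


# Constructed sample text, mirroring the switch output shown in the article.
SAMPLE_MAC_TABLE = """\
Switch# show mac-address-table
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14
"""

if __name__ == "__main__":
    # Look the PC up by the address exactly as Windows prints it (dash notation).
    print(find_ports(SAMPLE_MAC_TABLE, "00-0F-1F-D3-D8-5A"))
    for row in parse_mac_table(SAMPLE_MAC_TABLE):
        print(row["mac"], row["type"],
              "multicast" if is_multicast(row["mac"]) else "unicast",
              "locally-administered" if is_locally_administered(row["mac"]) else "vendor-assigned")
```

The four STATIC CPU rows from the article come out as 0100.0ccc.cccc-style multicast addresses (the first octet 0x01 has the I/G bit set), while the DYNAMIC row resolves to VLAN 1, port Fa0/14 regardless of how the query MAC was typed.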

On a Cisco router, you can use the show interfaces command to find out which MAC address each interface uses. Below is an example:

RouterB# show interfaces

Ethernet0/0 is up, line protocol is up

Hardware is AmdP2, the address is 0003.e39b.9220 (bia 0003.e39b.9220)

The Internet address is 1.1.1.1/8

On the second line of each interface, you will see the hardware address along with the burned-in address (BIA). In the above example, the hardware address is 0003.e39b.9220.

Each Ethernet interface on a Cisco router has its own Ethernet MAC address. Routers and switches also have a number of special built-in addresses, such as the four addresses shown in the output of the show mac-address-table command above; that is why those rows are listed as STATIC.

Modify the MAC address

The practice of modifying the default MAC address is called MAC spoofing. Because the term is often used for inappropriate behavior, especially wireless network hacking, it carries a negative connotation. But MAC spoofing does have legitimate uses, such as testing MAC filtering.

To change the MAC address on a Cisco router, use the mac-address command in Interface Configuration Mode. Just follow the command with the new MAC address; it's that simple. The following is an example:

RouterB# conf t

Enter configuration commands, one per line. End with CNTL/Z.

RouterB(config)# int e0/0

RouterB(config-if)# mac-address 0000.0000.0001

RouterB(config-if)#^Z

RouterB#

RouterB# show int e0/0

Ethernet0/0 is up, line protocol is up

Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)

The Internet address is 1.1.1.1/8

After modifying the MAC address, you can use the show interfaces command to view the new address; the burned-in address is still shown in parentheses after it.
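Because show interfaces keeps printing the BIA next to the active address, that output is also the quickest way to audit a router for interfaces whose MAC has been overridden. The following Python example is added here and is not from the original article: it parses show interfaces output (embedded below as constructed sample text based on the RouterB output above, plus an assumed second interface, Ethernet0/1, that still uses its BIA) and reports every interface whose active address differs from its burned-in address. The sample text and function names are the example's own.

```python
import re

# Interface banner line: "<name> is <state>, line protocol is <state>"
_IFACE = re.compile(r"^(?P<name>\S+) is (?P<state>.+?), line protocol is (?P<proto>\S+)")

# Hardware line: "... address is <mac> (bia <mac>)". We search rather than
# anchor so the "the address is" wording seen on some platforms also matches.
_HW = re.compile(
    r"address is (?P<addr>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"\(bia (?P<bia>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)",
    re.IGNORECASE,
)


def parse_interfaces(text):
    """Map interface name -> {'state', 'address', 'bia'} from 'show interfaces' output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m["name"]
            interfaces[current] = {"state": m["state"], "address": None, "bia": None}
            continue
        h = _HW.search(line)
        if h and current is not None:
            interfaces[current]["address"] = h["addr"].lower()
            interfaces[current]["bia"] = h["bia"].lower()
    return interfaces


def overridden_macs(text):
    """Interfaces whose active address differs from the burned-in address,
    i.e. where a mac-address command (or similar) has replaced the BIA."""
    return {
        name: (info["address"], info["bia"])
        for name, info in parse_interfaces(text).items()
        if info["address"] and info["bia"] and info["address"] != info["bia"]
    }


# Constructed sample: Ethernet0/0 after the mac-address change shown in the
# article, plus an assumed second interface that still uses its BIA.
SAMPLE_SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
  Internet address is 1.1.1.1/8
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
Ethernet0/1 is administratively down, line protocol is down
  Hardware is AmdP2, address is 0003.e39b.9221 (bia 0003.e39b.9221)
"""

if __name__ == "__main__":
    for name, (addr, bia) in overridden_macs(SAMPLE_SHOW_INTERFACES).items():
        print(f"{name}: active MAC {addr} differs from burned-in {bia}")
```

Run against the sample, only Ethernet0/0 is reported, because its active address 0000.0000.0001 no longer matches the BIA 0003.e39b.9220. Feeding the script the output of show interfaces collected from several routers turns the check the article describes by eye into a repeatable configuration audit.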

Filter traffic based on MAC address

Suppose you discover through a protocol analyzer that a device is sending malicious traffic to your network, and this device appears to be multihomed, that is, it is sending traffic to you from multiple IP addresses.

You can use the show mac-address-table command to find the switch port it is using and execute the shutdown command on that port. But what if it is connected to a hub together with other devices, or is coming from a network that you don't control?

In that case, a MAC address filter can be applied on the router or switch to filter its traffic. For example:

Cat3750Switch(config)# mac access-list ext filtermac

Cat3750Switch(config-ext-macl)# deny host 0000.0000.0001 any

Cat3750Switch(config-ext-macl)# permit any any

Cat3750Switch(config-ext-macl)# exit

Cat3750Switch(config)# int g1/0/40

Cat3750Switch(config-if)# mac access-group filtermac in

In this example, on a Cisco Catalyst 3750 switch, we create an extended MAC access control list called filtermac. This access control list (ACL) denies all traffic with a source MAC address of 0000.0000.0001 and permits all other traffic. We then apply this MAC ACL inbound on Gigabit Ethernet interface 1/0/40, which prevents traffic from the device with that MAC address from entering that port, regardless of its IP address.

Remember, filtering traffic by MAC address is not a secure method: anyone can easily change the MAC address in their operating system.

For more information on MAC address access control lists, see Creating a Named MAC Extension Access Control List File. If you have any switch configuration tips worth sharing with us, or other switch topics you would like to see in this column, you can consult SPOTO.

SPOTO has been providing IT training for 16 years and covers a number of certifications, including CCIE, CISSP, CCNA, AWS, and CCNP. SPOTO has become a leader in global IT training.