MAC Addresses: Navigating Layer 2 Security and Network Integrity

Each host in a network has its own 48-bit (6 octets) Media Access Control (MAC) address, represented in hexadecimal format. MAC is the physical address for our network interfaces. There are several different standards for the MAC address:

  • Ethernet (IEEE 802.3)
  • Bluetooth (IEEE 802.15)
  • WLAN (IEEE 802.11)

Each network card has its individual MAC address, which is configured once on the manufacturer’s hardware side but can always be changed, at least temporarily.

The MAC address consists of a total of 6 bytes. The first half (3 bytes / 24 bit) is the so-called Organization Unique Identifier (OUI) defined by the Institute of Electrical and Electronics Engineers (IEEE) for the respective manufacturers.

Let’s have a look at an example of such a MAC address:

MAC address:


The last half of the MAC address is called the Individual Address Part or Network Interface Controller (NIC), which the manufacturers assign. The manufacturer sets this bit sequence only once and thus ensures that the complete address is unique.

In both Windows and Linux operating systems, you can retrieve valuable information about your network interfaces, including the MAC addresses, using specific command-line tools. In Windows, the:

ipconfig /all

command provides a detailed overview of network configurations for all interfaces, displaying information such as IP addresses, subnet masks, and the MAC addresses.

On the other hand, Linux users can leverage the:


command to inspect network interfaces and their associated MAC addresses.

MAC addresses can be changed/manipulated or spoofed, and as such, they should not be relied upon as a sole means of security or identification. Network administrators should implement additional security measures, such as network segmentation and strong authentication protocols, to protect against potential attacks.

MAC addresses classification.

As with IPv4 addresses, there are also certain reserved areas for the MAC address. These include, for example, the local range for the MAC. Furthermore, the last two bits in the first octet can play another essential role. The least significant bit (LSB) of the first octet can have two states, 0 and 1, as we already know. The last bit identifies the MAC address as Unicast (0) or Multicast (1). With unicast, it means that the packet sent will reach only one specific host. With multicast, the packet is sent only once to all hosts on the local network, which then decides whether or not to accept the packet based on their configuration. The multicast address is a unique address, just like the broadcast address, which has fixed octet values. All the MAC addresses with the eighth bit as 1 are the multicast MAC address, excluding the broadcast MAC address. Broadcast in a network represents a broadcasted call, where data packets are transmitted simultaneously from one point to all members of a network. It is mainly used if the address of the receiver of the packet is not yet known. The broadcast address is all binary 1s (FF-FF-FF-FF-FF-FF). An example is the ARP (for MAC addresses) and DHCP (for IPv4 addresses) protocols.

Address Resolution Protocol.

If a host with the IP target address is located in the same subnet, the delivery is made directly to the target computer’s physical address. However, if this host belongs to a different subnet, the Ethernet frame is addressed to the MAC address of the responsible router (default gateway). If the Ethernet frame’s destination address matches its own layer 2 address, the router will forward the frame to the higher layers. Address Resolution Protocol (ARP) is used in IPv4 to determine the MAC addresses associated with the IP addresses.

Address Resolution Protocol (ARP) is a network protocol. It is an important part of the network communication used to resolve a network layer (layer 3) IP address to a link layer (layer 2) MAC address. It maps a host’s IP address to its corresponding MAC address to facilitate communication between devices on a Local Area Network (LAN) (for example on an Ethernet network that requires physical addresses to be known before sending packets).

When a device on a LAN wants to communicate with another device, it sends a broadcast message containing the destination IP address and its own MAC address. The device with the matching IP address responds with its own MAC address, and the two devices can then communicate directly using their MAC addresses. This process is known as ARP resolution.

ARP is an important part of the network communication process because it allows devices to send and receive data using MAC addresses rather than IP addresses, which can be more efficient.

ARP Request: When a device wants to communicate with another device on a LAN, it sends an ARP request to resolve the destination device’s IP address to its MAC address. The request is broadcast to all devices on the LAN and contains the IP address of the destination device. The device with the matching IP address responds with its MAC address.

ARP Reply: When a device receives an ARP request, it sends an ARP reply to the requesting device with its MAC address. The reply message contains the IP and MAC addresses of both the requesting and the responding devices.

The Address Resolution Protocol (ARP) cache is a table maintained by operating systems that maps IP addresses to corresponding MAC addresses. When a host on a local network needs to send a packet to another host, it first checks its ARP cache to see if it already knows the MAC address associated with the destination IP address. If the mapping is found in the ARP cache, it saves the time and resources that would otherwise be used to broadcast an ARP request.

Windows displays the current ARP cache entries using the command:

arp -a

It provides a list of IP addresses and their corresponding MAC addresses, along with the address type (dynamic or static) and the physical interface.

The terminology used can vary, and it often depends on the context of networking devices. ARP Table is a term used for the table maintained by hosts to map IP addresses to MAC addresses. MAC Address Table is a term more associated with networking devices like switches.

MAC Address Table.

Network switches maintain a dynamic MAC address table, documenting associations between MAC addresses and the respective ports or interfaces. This table is dynamically updated as the switch learns source MAC addresses from incoming frames. When forwarding a data frame, the switch consults its MAC address table to determine the outbound port associated with the destination MAC address in the frame header. This efficient lookup process minimizes the need for broadcasting by selectively forwarding frames only to the port where the destination device’s MAC address is located, enhancing network efficiency and reducing unnecessary traffic.

Different network equipment vendors provide specific command-line tools to retrieve information about the MAC address table, aiding in network troubleshooting and monitoring.

MikroTik RouterOS:

/interface bridge host print

Cisco (IOS-based switches):

show mac address-table

Juniper (Junos-based switches):

show ethernet-switching table

HP/Aruba (ProVision/ArubaOS-Switch):

show mac-address

Dell EMC Networking (OS9):

show mac-address-table

Brocade/Ruckus (ICX/FastIron):

show mac-address

ARP Spoofing Attacks.

ARP spoofing, also known as ARP cache poisoning, poses a significant threat to network security, allowing attackers to intercept or manipulate traffic on a LAN. This malicious technique, facilitated by tools like Ettercap or Cain & Abel, involves sending falsified ARP messages to associate the attacker’s MAC address with the IP address of a legitimate device on the network. This association enables the interception of traffic intended for the genuine device, paving the way for activities like data theft or Man-in-the-Middle attacks. To safeguard against ARP spoofing, implementing robust security measures is essential. This includes the use of secure network protocols like IPSec or SSL and the deployment of security tools such as firewalls and intrusion detection systems. These defences help fortify the network against unauthorized ARP manipulation and enhance overall network integrity and confidentiality.

MAC Address Entries in Network Security.

Network switches employ various types of MAC address entries to manage network traffic efficiently and enhance security. Dynamic entries are dynamically created as the switch learns source MAC addresses from incoming frames, but they have an aging time, and their persistence is contingent on periodic refreshment. In contrast, static entries are manually set by users or administrators, offering a persistent association between MAC addresses and switch ports, ensuring their retention through system resets or interface changes. Blackhole entries, also user-configured, serve security purposes by discarding frames with specified MAC addresses and persisting across system resets.

Manually configured MAC address entries play a pivotal role in network security. By binding specific MAC addresses to designated switch ports, particularly through static entries, users can prevent unauthorized access and data theft. This is crucial as attackers might exploit forged MAC addresses in attack packets, leading to incorrect MAC table entries and potential forwarding of packets to unauthorized users. Blackhole entries further bolster security by preventing traffic associated with specified MAC addresses from passing through the switch, thwarting potential attacks from unauthorized users. Additionally, the priority given to user-configured entries over dynamically learned ones ensures the enforcement of user-defined security policies within the network.

Securing Network Integrity: Layer 2 Measures and MAC Address Management.

Layer 2 security refers to the set of measures and protocols implemented at the data link layer (Layer 2) of the OSI (Open Systems Interconnection) model to secure network communication. This layer is responsible for framing, addressing, and error detection within the local network segment, typically facilitated by switches and bridges. Layer 2 security aims to protect against various threats and unauthorized activities that can compromise the integrity, confidentiality, and availability of data at this level of the network.

Key aspects of Layer 2 security include:

  1. Port Security:
    Objective: Restrict unauthorized devices from connecting to specific switch ports.
    Implementation: Limits the number of MAC addresses or specific MAC addresses allowed on a switch port.
  2. MAC Address Filtering:
    Objective: Control which devices are allowed to communicate on the network based on their MAC addresses.
    Implementation: Create a list of authorized MAC addresses, permitting only those devices to access the network.
  3. VLAN Access Control Lists (VACLs):
    Objective: Control and filter traffic between VLANs within the same switch.
    Implementation: Define rules to allow or deny traffic between specific VLANs.
  4. Private VLANs (PVLANs):
    Objective: Isolate devices within the same VLAN, preventing communication between them.
    Implementation: Assign different types of VLANs (isolated, community) to achieve segmentation.
  5. Dynamic ARP Inspection (DAI):
    Objective: Protect against ARP spoofing attacks by validating ARP packets.
    Implementation: Verify the source MAC address and IP address in ARP packets, discarding invalid ones.
  6. DHCP Snooping:
    Objective: Prevent rogue DHCP servers from assigning IP addresses to devices.
    Implementation: Allow only authorized DHCP servers to provide IP addresses to devices.
  7. Port-Based Authentication:
    Objective: Authenticate devices before granting them network access.
    Implementation: Implement protocols like 802.1X to require authentication before enabling network connectivity.

LinkedIn: :point_down: