Knock out a network with MAC addresses

You’re a busy network administrator juggling routers, firewalls, Active Directory policies, and more. You might forget about one important networking basic: the MAC address. A wrongly configured MAC address on a network device could knock out part or all of a network.

A MAC address, or physical address, identifies the network interface card (NIC) of a network device. I won’t cover the fundamentals of MAC addresses in this article; instead, I’ll describe a situation where a wrong MAC address could cause big trouble for the network.

Look at the network diagram below. The middle router has three interfaces that interconnect the internal networks. This router also connects to a Cisco PIX firewall, which serves as the internet gateway. The IP addresses and MAC addresses of the router’s interfaces are shown in the diagram.

Typical Network Diagram

Beautiful days, when everything is working perfectly

As a network administrator, you are very happy when your network runs smoothly without any trouble. But sometimes you could encounter a very weird problem where all you can do is sit in front of your computer, watch your intermittent PING, and ask what’s going on in your network.

Down at layer 2 of the OSI model (data link), here is basically what happens when a client wants to connect to another client in a different subnet with the help of router R1.

1/ If Client A (192.168.2.2) wants to communicate with Client B (192.168.0.2) on a different subnet, Client A must ask router R1 to forward the packets to Client B.

2/ To send a packet to Client B, Client A must use the IP address of Client B as the destination IP and the MAC address of router R1 as the destination MAC address. Because MAC addresses work at layer 2, the farthest MAC address a frame can reach is that of the local router interface. In this case, the packet sent from 192.168.2.2 to 192.168.0.2 should have this structure:

Typical Network Packet

Please note that the destination MAC address in this case is the MAC address of router R1.

3/ At first, Client A doesn’t have the MAC address of interface FastEthernet 0/2 on router R1 to use as the destination MAC address, so it sends an ARP request to the local subnet. The destination MAC address of the ARP request is ff:ff:ff:ff:ff:ff, which means every network device in the same broadcast domain receives the packet.

ARP Request Packet

4/ If everything goes well, Client A successfully reaches interface FastEthernet 0/2 of router R1, and R1 sends back an ARP reply with its real MAC address.

ARP Reply Packet

4 prime/ BUT suppose another network device (computer, wireless router, security camera DVR, etc.) has been statically assigned the gateway’s IP address. In this case, it is assigned (manually or for some other reason) the same IP address as the gateway, 192.168.2.254, but it has a different MAC address than interface FastEthernet 0/2 on router R1.

Misconfigured IP network device

And, unfortunately, this wrong device (an IP phone) manages to deliver its wrong ARP reply frame to client 192.168.2.2 before router R1 does. As a result, Client A (192.168.2.2) accepts 09:08:07:06:05:04 as the MAC address of the gateway 192.168.2.254.

ARP Reply Packet
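
A way to spot the situation in step 4 prime from captured frames, as an added example that is not part of the original article: it parses ARP replies and reports any IP address claimed by more than one MAC. The MAC addresses for Client A and for R1's FastEthernet 0/2 are constructed placeholders (the article's diagram values are not in the text); 09:08:07:06:05:04 and the IP addresses come from the article.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2  # ARP opcode: 1 = request, 2 = reply

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet + ARP reply frame; used only to construct sample input."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4 header
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_conflicts(frames):
    """Return {ip: [macs]} for every IP claimed by more than one MAC in ARP replies."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample capture: two devices answer Client A's request for the gateway.
CLIENT_A_MAC = "02:00:00:00:00:0a"  # placeholder, not from the article
R1_FA02_MAC = "02:00:00:00:00:01"   # placeholder for R1 FastEthernet 0/2
WRONG_MAC = "09:08:07:06:05:04"     # the IP phone's MAC from the article
SAMPLE = [
    build_arp_reply(WRONG_MAC, "192.168.2.254", CLIENT_A_MAC, "192.168.2.2"),
    build_arp_reply(R1_FA02_MAC, "192.168.2.254", CLIENT_A_MAC, "192.168.2.2"),
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE).items():
        print(f"ALERT: {ip} is claimed by multiple MACs: {', '.join(macs)}")
```
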
What’s next? See page #2 for more information.

About The Author

Hao Nguyen

Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blogs, such as PlanTutorials.com