kb/network-l2-l3 ── Networking: L2 / L3 ── beginner

MAC Address

MAC address is a 48-bit hardware identifier for a network interface, written as `aa:bb:cc:dd:ee:ff`. It is unique within an L2 segment and is used in [[ethernet-frame]] for L2 addressing.

view as markdownaka: mac, hardware-address, ll-address

Structure

48 bits = 6 bytes, normally written in hexadecimal separated by colons or hyphens: aa:bb:cc:dd:ee:ff.

First 3 bytes are the OUI (Organizationally Unique Identifier), assigned by IEEE to manufacturers (Cisco, Intel, Dell, ...). You can look up the vendor by OUI: https://www.wireshark.org/tools/oui-lookup.html
Last 3 bytes are a serial number assigned by the manufacturer

Special values

ff:ff:ff:ff:ff:ff is the broadcast address (reaches every host on the segment)
01:00:5e:xx:xx:xx is IPv4 multicast (used by protocols such as ospf, ip multicast)
33:33:xx:xx:xx:xx is IPv6 multicast
Locally administered (the second-least-significant bit of the first octet, the U/L bit) means the address is NOT globally unique; it was assigned locally by an admin. VM and container managers do this (Docker, libvirt). You can spot it by prefixes like 02:42:... (Docker, 0x02 = ...10) or 0a:... (0x0a = ...10).

ip link and MAC

In Linux, a MAC address lives on an interface, not on an IP address. One interface has one MAC (exception: macvlan/macvtap create additional virtual adapters).

bash

ip -br link

# eth0  UP  fe:80:42:...      <- lladdr

# lo    UNKNOWN  00:00:...    <- loopback has a zeroed MAC

cat /sys/class/net/eth0/address    # same MAC via sysfs

You can change the MAC if the NIC supports it:

bash

sudo ip link set eth0 down

sudo ip link set eth0 address aa:bb:cc:00:11:22

sudo ip link set eth0 up

Reasons to change the MAC include MAC spoofing to bypass 802.1x, testing, and bypassing a provider's MAC allowlist.

MAC visibility scope

MAC is an L2 address, visible only within one broadcast domain (between switches). When a packet crosses a router, the destination MAC is rewritten at each hop to the MAC of the next router. The source MAC changes too. IP addresses are preserved from the first to the last hop (exception: nat).

§ команды

bash

ip -br link

List all interfaces with their MAC addresses, one line each

bash

cat /sys/class/net/eth0/address

Read the MAC via sysfs (no need to parse `ip` output)

bash

ip neigh | awk '{print $5}'

List all MAC addresses of known neighbors (see [[arp]])

bash

sudo ip link set eth0 address de:ad:be:ef:00:01

Change the interface MAC address (requires down, then set, then up)

§ см. также

§ упоминается в уроках

intermediate-03-three-node-routing

kb/network-l2-l3 ── Networking: L2 / L3 ── beginner

MAC Address

MAC address is a 48-bit hardware identifier for a network interface, written as `aa:bb:cc:dd:ee:ff`. It is unique within an L2 segment and is used in [[ethernet-frame]] for L2 addressing.

view as markdownaka: mac, hardware-address, ll-address

Structure

48 bits = 6 bytes, normally written in hexadecimal separated by colons or hyphens: aa:bb:cc:dd:ee:ff.

First 3 bytes are the OUI (Organizationally Unique Identifier), assigned by IEEE to manufacturers (Cisco, Intel, Dell, ...). You can look up the vendor by OUI: https://www.wireshark.org/tools/oui-lookup.html
Last 3 bytes are a serial number assigned by the manufacturer

Special values

ff:ff:ff:ff:ff:ff is the broadcast address (reaches every host on the segment)
01:00:5e:xx:xx:xx is IPv4 multicast (used by protocols such as ospf, ip multicast)
33:33:xx:xx:xx:xx is IPv6 multicast
Locally administered (the second-least-significant bit of the first octet, the U/L bit) means the address is NOT globally unique; it was assigned locally by an admin. VM and container managers do this (Docker, libvirt). You can spot it by prefixes like 02:42:... (Docker, 0x02 = ...10) or 0a:... (0x0a = ...10).

ip link and MAC

In Linux, a MAC address lives on an interface, not on an IP address. One interface has one MAC (exception: macvlan/macvtap create additional virtual adapters).

bash

ip -br link

# eth0  UP  fe:80:42:...      <- lladdr

# lo    UNKNOWN  00:00:...    <- loopback has a zeroed MAC

cat /sys/class/net/eth0/address    # same MAC via sysfs

You can change the MAC if the NIC supports it:

bash

sudo ip link set eth0 down

sudo ip link set eth0 address aa:bb:cc:00:11:22

sudo ip link set eth0 up

Reasons to change the MAC include MAC spoofing to bypass 802.1x, testing, and bypassing a provider's MAC allowlist.

MAC visibility scope

§ команды

bash

ip -br link

List all interfaces with their MAC addresses, one line each

bash

cat /sys/class/net/eth0/address

Read the MAC via sysfs (no need to parse `ip` output)

bash

ip neigh | awk '{print $5}'

List all MAC addresses of known neighbors (see [[arp]])

bash

sudo ip link set eth0 address de:ad:be:ef:00:01

Change the interface MAC address (requires down, then set, then up)

§ см. также

§ упоминается в уроках

intermediate-03-three-node-routing