The MAC address is a unique identifier of a network device. Each MAC address is assigned by the vendor of the device and is associated with the network interface card (NIC). A MAC address is 48 bits in length and is identified as 12 hexadecimal digits. The first six hexadecimal digits identify the manufacturer and are provided by the IEEE (formerly known as the Institute of Electrical and Electronics Engineers). The last six hexadecimal digits identify the interface, like a serial number, and are provided by the vendor. A MAC address is burned into read-only memory (ROM) and is, therefore, considered permanent to the device. MAC addresses are written in this format:

MM:MM:MM:SN:SN:SN

When a device is powered up, the MAC address is sent out on the network connection, or the wire. The switch adds the MAC address and the port number on which it received the information to its MAC address table. The switch uses this table when it needs to communicate with a specific device. When the switch receives a communication request, it looks for the MAC address in its table and sends the communication out through the port identified in the table.

MAC spoofing is done to bypass a network access control or to identify a system as one that has already been authorized by the access control. For example, a specific network allows only a certain set of MAC addresses. An attacker can find an approved MAC address and change his or her system to match it. This will allow the attacker to gain access to your network.

Broadcast domains fall within the Data Link Layer and allow network devices to broadcast their MAC addresses to everyone on that LAN. By limiting the number of devices on a domain, you limit the number of network devices that can talk to one another without a switch.

VLANs are defined in the IEEE 802.1q standard. VLANs can be used to segment network traffic and limit communications among multiple networks. A VLAN is a collection of devices in a single broadcast domain. VLANs are used within an organization to separate networks with different resources. For example, a company may create a VLAN specifically for the HR department so that members outside this VLAN cannot access HR resources. It becomes another mechanism for defense in depth.

VLANs may even be used on a temporary basis for projects. If an organization has contractors working on a specific application, an administrator may restrict the contractors to a particular VLAN that allows access only to the specific application. The contractors can communicate with one another and the application within the VLAN, but they cannot generate traffic to the entire network. VLANs also reduce broadcasts, and; therefore, an administrator may design the network to limit such network traffic.

You can configure access control lists on a router to deny certain access to a network or deny certain traffic from traveling on a network. A router examines each packet and determines whether the packet should be forwarded or dropped based on what is stated in the access control list. For example, an administrator may use an access control list to block File Transfer Protocol (FTP) traffic on part of a network but allow Simple Mail Transfer Protocol (SMTP) traffic for email.

Route maps are a way for an administrator to direct traffic on a network. A route map allows an administrator to define a routing policy before the routing table on the router is referenced. Creating a route map is sometimes called “policy-based routing.” An administrator sets a policy that states “if . . . then.” A route map can use multiple policies requiring that multiple matches of packets must occur before routing changes occur.

ACLs can be used to match specific policies. Route maps are similar to ACLs in that they are an ordered sequence of events resulting in either a permit or deny permission. A route map and an ACL are scanned in a specific order until a match occurs. A route map may use an ACL in order to match the specific criteria.

When a route map is applied to an interface and tested against specific criteria and the criteria matches, an action is taken. These actions can be used to modify the packet or modify the route. For example, a route map would be used to ensure only traffic with an internal IP address (192.168.1.X) is allowed out of a specific interface. If an IP address that does not match (192.168.5.X) is on the network, the route map’s action would be to drop the packet. In this case, you can use a route map to ensure that IP addresses within a certain range do not leave the network.

In certain situations, disabling an entire IP network may be a necessary step. For instance, there may be a virus on the human resources network. Instead of allowing the virus to spread to other networks such as engineering or finance, an administrator may disable the network altogether.