IP vs MAC Address – Why Use IP if We Already Have a MAC Address?

ethernetipv4

I am preparing for ICND1 exams and recently started to learn about different Cisco devices.
I have just come to know how the packet is generated to be transmitted over a network, or outside the network.

For example,
When the packet is generated, it adds source IP address, Destination IP address, Source Mac address, destination mac address, and other data.

Since Switch is a layer 2 device, and it uses MAC addresses to interact with other Hosts within the Network, then why do we use IP addresses within our local networks ?

What if someone do not need to connect to any host or network outside its own network, Why do he still needs to have an IP address, isn't MAC address is enough ?

Best Answer

Since Switch is a layer 2 device, and it uses MAC addresses to interact with other Hosts within the Network, then why do we use IP addresses within our local networks?

Well let's start with what traffic you're sending.

If you use a strictly layer-2 protocol inside your own LAN with no HTTP, SSL, NFS, CIFS, iSCSI, H.323, SIP, DNS, ICMP, databases, or websockets, then your proposal works just fine. In fact, FCoE does not rely on an IP layer... so if that's what you want, knock yourself out :-)

The problem is that you just crippled 95% of the utility of most networks by removing those IP-based services. Networks exist to share information; all operating systems on the planet share information by binding services to, and encapsulating inside IP. That information is usually wrapped inside TCP as well.

Rhetorical question: Could a bunch of determined people implement TCP and UDP services directly on top of ethernet in all the major operating systems?
Pedantic Answer: Yes, but that's a collosal waste of time and resources for insignificant gain. Let's start with the basics... there is no DNS name-service for ethernet mac-addresses. That means unless you build it, how would you resolve URLs without IP addresses? I doubt that anyone really wants to type http://00c0.9b4a.fb2c/ just so they can avoid 20 extra bytes in each packet. This is just an example of the work required.

What if someone do not need to connect to any host or network outside its own network, Why do he still needs to have an IP address, isn't MAC address is enough?

Technically, yes. In the real world... it's a pretty boring network without IP.

Related Solutions

Ethernet Neighbor Discovery

To get the MAC address for a given IP(v4) address, your computer will use the Address Resolution Protocol. For IPv6, the Neighbor Discovery Protocol does the same thing.

The purpose of LLDP is to discover other devices on the network, and the messages are always sent from your own MAC address to well known destination MAC addresses.

Cisco Catalyst 2960-X – Adding ACL Rule for L2TP Packet Filtering

There seems to be some confusion about this topic for you. Let's begin by clearing up a few details.

I am familiar with the mac access-list command but every manual I had seen explicitly says that ACLs filter only non-IP protocols.

If you think about this a bit, it makes sense. An IP packet doesn't contain a MAC addresses, so this would be difficult. However, IP traffic is encapsulated in a L2 protocol, typically Ethernet which does utilize MAC addresses.

You cannot apply named MAC extended ACLs to Layer 3 interfaces.

Again, this is natural. Since MAC ACLs function on L2, they wouldn't really need/want them on a L3 interface anyway.

However, by default interfaces on a 2960-X are layer 2 interfaces, so you can apply a MAC access-list to them.

So, this series of commands should provide the result you want (using the first SFP port on a WS-C2960X-48FPS-L so adjust as necessary):

! Create the ACL
mac access-list extended TestACL
deny host 8877.6655.4433 any
permit any any

! Now apply to the interface
interface Gi1/0/49
mac access-group TestACL in

Edit based on comments: if you want to rule out the source port being incorrect, you can use the following with the above ACL to block all traffic from that MAC going out the second SFP port:

! Now apply to the interface
interface Gi1/0/50
mac access-group TestACL out

If that doesn't work, then the MAC address has to be incorrect and you need to provide more information.

The ACL will work no matter if the MAC address table is updated dynamically or if you add a static entry. However, if the dynamic entry for this MAC is flapping between different ports, that could explain why the ACL didn't work as intended. Additionally, without additional features configured, the static entry will not have an effect on traffic arriving on a port, only on the destination port used for the traffic.

And finally, the packet being highlighted in red by Wireshark doesn't tell me much. Different versions of Wireshark have used different coloring rules, the default rules typically include a number of matches that get colored red, and many of us use our own custom rules. You would need to provide more detail or the actual capture for us to know what exactly that means.

Best Answer

Related Solutions

Ethernet Neighbor Discovery

Cisco Catalyst 2960-X – Adding ACL Rule for L2TP Packet Filtering

Related Topic