What is MAC Filtering?

Quick Answer: MAC filtering is a network security feature that allows or blocks devices from connecting to a network based on their unique MAC addresses.

There are a few ways to sort or allow devices to be assigned policies on the fly. One of the most popular, especially with guest or legacy networks, is MAC filtering. MAC filtering uses the MAC, or machine address code, to differentiate devices and assign policies, such as security roles. 

At first glance, that may be a bit complicated, but let’s take it apart piece by piece.

What is a MAC Address?

A MAC address can be thought of as the way you use your social security number. It’s a unique code assigned to devices. It’s formed by six sets of two hex codes, each pair referred to as an octet. It can also be split into two parts: an OUI and a device-specific address. It looks something like this: 0f:0f:0f:0a:0a:0a.

The OUI is from the vendor; each vendor has a designated OUI, and some may have a few. At the time of writing, Cisco owned 1,168 OUI Codes for the devices it manufactured. The OUI is helpful on a network when you don’t recognize a device or need to know what kind of device it may be. Knowing the manufacturer helps you figure out what the device does.

The second portion of a MAC address is specific to the device itself. Every device should, theoretically, have a unique MAC. This does cause some issues, though, because there are two main types of MAC address: a BIA (burned in address) and a local or user-assigned address, also known as locally administered vs universal. 

There’s actually a bit in the OUI code that is flipped if the MAC has been assigned locally when it’s decoded into decimal. (For more information on how this works, check out CBT Nuggets Network+.) This means that a user could theoretically encode whatever MAC they wish onto the device.

What is MAC Filtering?

MAC filtering uses the MAC address as a security or policy assignment measure. A computer, router, or server will read the MAC used to send traffic and declare it by the transmitting device to decide what to do with it. 

This happens in a non-filtering sense every single time a packet or frame is sent on any network, but MAC filtering is specifically used in the context of a higher-layer or higher-order decision.

MAC filtering can be a security measure that allows only known MACs (or rather, the devices displaying them) into the system. It can also apply certain specific policies to devices bearing individual MACs. 

Where is MAC Filtering Used? 

A good example here is CPE in a wireless internet service provider: MAC filtering is sometimes used to tell the router above you what to do. The router at the distribution point reads your MAC (generally of the first point of on-premise equipment, such as your receiving dish) and only allows so much speed or so much metered data to flow to the client in question. 

In another setting, such as a wired network, it could determine if you are allowed on the network at all or if you’ve previously authenticated. Using a guest system, an unknown MAC might have to click through a terms of service, whereas a MAC that has been logged before will be allowed. 

Those of my readers who have ever tried to use a gaming device like a Playstation or Xbox in a hotel will be familiar with having to retrieve and give your MAC to enable connection. (Or perhaps I'm dating myself here!.)

What Problems Does MAC Filtering Cause and Prevent?

As discussed above, MAC filtering can be beneficial in a more casual environment to monitor and meter resources. It enables fairly quickly and isn’t overly intrusive to the client, making it popular in high-turnover areas such as your local hotel or Starbucks. This ease of use ensures that most of it happens without the client being aware it is ever being used—client usability is king, after all. MAC filtering has its share of issues, though. 

Security Can Be An Issue 

There’s an oft-repeated phrase in wireless networking: “A hidden network is not security.” That applies to a degree to MAC filtering. It should be regarded as a tool of ease rather than a true security control for a network that requires it. Remember the difference above between a locally administered and a universal address?

When you use MAC filtering, the simple truth is that anyone can change the MAC of nearly any device to whatever it is that they please. To compound this issue, all of your information, particularly on wireless networks, is visible to anyone listening. As such, someone could grab a frame out of the air and simply pretend to be you. (If you’re interested in how that happens, check out CBT Nuggets Wireless Analysis Professional online training.)

Fix MAC Filtering Issues 

The best solution to that problem is to use additional criteria. You wouldn’t “lock” your front door by just putting a sheet over it and assuming no one wanting to get in wouldn’t check, and it’s the same here. MAC filtering is a great tool but should be used in low-security areas for ease of use. 

It can be an additional control in higher security areas but needs to be paired with other, stronger controls, such as RBAC based on certificates and some sort of MFA. (EAP is an excellent solution for this, explained more here: CBT Nuggets Wireless Security Professional online training)  Always have multiple options from the list: “Something you know, something you have, something you are.” If you keep your security solutions appropriate to the risk, you’ll never have an issue.

Final Thoughts

MAC filtering can be a very useful tool to manage your network and keep things running smoothly, but the key is time and place. Use it for what it does best (casual access), and in other situations, use a more layered approach! The right tools make your life much easier.

Want to learn more about networking? Check out our Intro to Networking training.