
Let's say someone is on the same network as me and spoofs their MAC address to match mine:

  1. Is this possible? Can two or more clients with the same MAC address be on the same network at the same time and stay consistently connected?
  2. When this happens, will I end up getting deauthenticated and kicked off the network if duplicate MAC addresses aren't allowed on the same network?
  3. If duplicate MAC addresses are allowed, what kind of behavior might I encounter? Collisions, race conditions, etc.?
Aaron

4 Answers


It's possible for two hosts to have the same MAC, due to spoofing, a mistake during manufacturing, or willful negligence on the part of the manufacturer. So,

1) In general, an Ethernet switch keeps a table of which MAC addresses are attached to which ports. It bases this table on the source address of frames it receives during the normal operation of the network. Upon receiving any frame, the source MAC is read and compared with the current switching table, and then added alongside whichever switchport it was received on.

So if there are two hosts, both with the same MAC address, then the switch will update its MAC table every time it receives a frame from either host. The reachability of either host will flap on and off and be inconsistent.

2) Short answer: no. Duplicate MAC addresses will not trigger any sort of security problem in an unmanaged switch (a switch without configuration software), or a managed switch (like most Cisco/HP/Junipers) that has not been configured for port security. Managed switches will give you a warning printed in the console terminal if they detect a duplicate MAC (a MAC that 'exists' on multiple switchports), but by default they won't "do anything" about it AFAIK.

If you want to use port security options on a managed switch, you can do stuff like only allow 1 MAC address per switchport. The MAC address will be learned dynamically by the switch (like it usually learns MACs), but the difference is that once it is learned, it is bound to that switchport. Then, if the switch receives frames from a duplicate MAC on another switchport, it can place that port into a disabled state (shut it down).

You mentioned deauthentication in your question. The port security feature of some switches is different from "deauthentication"-- it is deauthorization. They are similar but the difference is important; look up authentication vs. authorization.

3) Duplicate MACs will not cause collisions. Collisions are the result of a shared electrical bus. It is more of a race condition, although I haven't heard it referred to like that before. Remember, duplicate MACs are "allowed", as far as any out-of-the-box Ethernet switch is concerned-- they just cause a problem that will interrupt network connectivity to each host in question. The problem is a constantly changing switching table.

Eric Iovan
  • BTW, many many Unix/Linux/VMware vendors allow you to change/override the MAC address of your ethernet boards. So this might not be an uncommon event if you happen to copy configurations from one system to another. That is what happened to me. – mdpc Jan 03 '13 at 21:52
  • It sounds like a possible way to attack a host (such as the default gateway). Even if Dynamic ARP Inspection is turned on, the switch will still see your MAC address in a DHCP discover message. We use 802.1X, so we can't have port security turned on at the same time. In that situation I think the only way to defend against that is to use static entries in DAI. – Brain2000 Feb 12 '17 at 01:35
  • @mdpc - Windows OS/s can also have their MAC overridden in software. – Les Feb 24 '18 at 14:08
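Added illustration, not from any answer or comment here: a small Python model of the CAM-table flapping and the port-security shutdown Eric describes above. The switch logic, port numbers and MAC addresses are constructed for the example.

```python
# Toy model of a learning switch seeing one MAC on two ports (constructed example).
# Hosts, ports and MAC addresses below are made up; the switch logic is simplified.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")


class LearningSwitch:
    """CAM table keyed by source MAC, relearned from every frame the switch receives."""

    def __init__(self, port_security=False):
        self.cam = {}             # mac -> port the MAC was last seen on
        self.bound = {}           # mac -> port (port-security binding, if enabled)
        self.disabled = set()     # err-disabled ports
        self.port_security = port_security
        self.log = []

    def receive(self, in_port, frame):
        """Learn frame.src on in_port; return the egress port for frame.dst (None = flood)."""
        if in_port in self.disabled:
            self.log.append(f"port {in_port}: frame dropped, port is err-disabled")
            return None
        if self.port_security:
            owner = self.bound.setdefault(frame.src, in_port)
            if owner != in_port:      # same MAC already bound to another port: violation
                self.disabled.add(in_port)
                self.log.append(f"port {in_port}: {frame.src} is bound to port {owner}, shutting port down")
                return None
        old = self.cam.get(frame.src)
        if old is not None and old != in_port:
            self.log.append(f"MAC move: {frame.src} port {old} -> port {in_port}")
        self.cam[frame.src] = in_port
        return self.cam.get(frame.dst)


def simulate(port_security):
    """Two hosts with the same MAC on ports 1 and 2 talk to a gateway on port 3."""
    sw = LearningSwitch(port_security)
    dup, gw = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"   # constructed addresses
    events = [(1, Frame(dup, gw)), (3, Frame(gw, dup)),   # host on port 1 talks, gateway replies
              (2, Frame(dup, gw)), (3, Frame(gw, dup)),   # host on port 2 talks, reply now goes to port 2
              (1, Frame(dup, gw)), (3, Frame(gw, dup))]   # port 1 again: reply flips back
    delivered = [sw.receive(port, frame) for port, frame in events]
    return delivered, sw.log, sorted(sw.disabled)


if __name__ == "__main__":
    for secure in (False, True):
        print("port security:", secure, *simulate(secure), sep="\n  ")
```

Without port security the gateway's replies alternate between ports 1 and 2 as the table is rewritten; with it, the second port is shut down on the first frame that carries the already-bound MAC.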

Answers to your question:

  1. YES it is possible, and NO you'll not have consistent contact.

  2. You might...the administrator might see the problem and disable the ports on the switch.

  3. What I encountered was with two systems with the same MAC address connected to the same switch, and what I noticed was that networking would work with the LAST system to send out ethernet packets being selected. So it was when one system worked the other one didn't...quite amusing and puzzling to me until the networking guy pointed out the problem.

mdpc

You could simulate two machines with the same MAC by installing an OS under VMware, then cloning the VM. When you clone it the MAC address is preserved. I don't think you can set a MAC for a VM the same as the one for a physical machine, VMware restricts it to a certain range that shouldn't collide.

titus

Same MAC in a LAN can cause issues in L2: the switch will learn the MAC via 2 different ports, let's say for DEV1 and DEV2.

The following problems may occur:

  1. All DEV1 packets end up reaching DEV2.
  2. Switch might drop the packet due to MAC move issue.
  3. One packet sent to DEV1 and the other packet sent to DEV2, depending on the switch behavior.

This happens since an L2 switch doesn't look at Layer 3.