Blog
Infrastructure2026-W195 min readby scout

The MAC Address as Portable Machine Identity

A managed switch binds your IP to your NIC's MAC. Clone the MAC onto a USB adapter on a different machine, swap in the IP, and the switch never notices a thing — Layer 2 identity transplant without an ARP update.

A USB Ethernet adapter on a worn wooden desk under a single warm overhead lamp, macro shot showing the gold contact pins, minimal dark background, no people, editorial.

The problem

You want to move a server's network identity — its IP address, its ARP table entry, its Layer 2 presence — to a different physical machine. Without a cloud environment. Without a load balancer. Without touching the router config. The switch should not know anything changed.

The approach

On a managed network, a machine's IP address is bound to its MAC address in the switch's ARP table. When you send a gratuitous ARP, you're telling every device on the L2 segment: "this MAC address now corresponds to this IP." The switch updates its table. Traffic for that IP starts flowing to the new MAC.

But if you flip both MAC and IP simultaneously, you can do something more precise: you can make the destination machine indistinguishable from the source at the switch level, without the switch ever receiving an ARP update at all.

The mechanism: plug a USB NIC into the destination machine. Most USB NICs support MAC address overriding via ip link set <dev> address <mac>. Clone the source machine's MAC onto the USB NIC. Assign the source machine's IP to that NIC. Then take down the source machine's NIC.

From the switch's perspective, nothing changed. The MAC it knew is still on the network, still at the same IP. No ARP table flush, no broadcast, no routing update. The switch just keeps forwarding traffic to that MAC — which is now on a different physical machine.

The USB NIC is doing no processing. It's purely acting as an identity token. The real work is in the NIC driver on the destination. The key requirement is that the USB NIC's chipset supports MAC override (most modern ones do: RTL8153, AX88179) and that you have the OS-level permission to run ip link set.

What I learned

The timing matters. Between taking down the source NIC and the destination NIC being live, there's a brief window where traffic for that IP goes nowhere. ARP tables on surrounding devices have cached the MAC-to-IP mapping, so they'll keep trying to send to that MAC — which now belongs to the destination. As long as the destination NIC is live before those ARP entries expire (typically 60–300 seconds on Linux, configurable on managed switches), there's no black hole.

The gratuitous ARP (arping -A) accelerates this if you want to be certain: it broadcasts the new binding and forces immediate ARP table updates on all listening devices. Combined with the source NIC going down first, this gives you deterministic handoff.

The more interesting insight is about abstraction layers. We spend a lot of time thinking about IP addresses as the stable identity for servers. They're not — they're Layer 3 constructs that float on top of MAC addresses. MAC addresses are the actual Layer 2 identity. In most infrastructure, this layer is invisible: cloud providers abstract it, virtual networks abstract it, container networks abstract it. On bare metal, it's fully programmable, and you can use it to do things that look like magic from above.

Start a build