One other thing to note is that many sites are set up without any internal routing protocols; imagine a Cisco 7000 with 5 Ethernets and 5 Class C networks attached to the Ethernets (and a serial out to the rest of the Internet). If you were to somehow implement a MAC check for the addresses, anything coming from the Internet or any of the other 4 (local) C's will come from the router's MAC. If you trust a machine on one of the other Ethernets, you will have no way of telling where the packet came from. If you implemented an access list which denies the local addresses from coming in over the serial but lets everything else in, you can be reasonably sure that a packet from a local address is at least within your network and not from the Internet.
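
The two checks compared above, modelled in Python as an added example that is not part of the original text. The network numbers, MAC addresses and interface names (`eth1` to `eth5`, `serial0`) are constructed assumptions, and the model only tracks source address, arrival interface and the MAC a receiving host would see.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: five local /24 networks, one per ethernet.
LOCAL_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 6)]
ROUTER_MAC = "00:00:0c:00:00:01"  # constructed MAC for the router's ethernet ports

@dataclass(frozen=True)
class Packet:
    src_ip: str
    in_iface: str            # router interface the packet arrived on
    src_mac: str = "(wan)"   # sender's MAC on its own segment, if it has one

def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def serial_acl_permits(pkt: Packet) -> bool:
    """Deny local source addresses inbound on the serial link; permit the rest."""
    return not (pkt.in_iface == "serial0" and is_local(pkt.src_ip))

def mac_seen_by_host(pkt: Packet, host_iface: str) -> str:
    """A routed packet carries the router's MAC; same-segment traffic keeps its own."""
    return pkt.src_mac if pkt.in_iface == host_iface else ROUTER_MAC

def deliver(packets, host_iface: str, acl: bool):
    """Return (src_ip, arrival interface, MAC seen) for packets reaching the host.
    The arrival interface is known to the router only, never to the host."""
    return [(p.src_ip, p.in_iface, mac_seen_by_host(p, host_iface))
            for p in packets if not acl or serial_acl_permits(p)]

# Constructed sample traffic, all destined for a host on eth1.
SAMPLE = [
    Packet("192.168.2.10", "eth2", "aa:bb:cc:00:02:10"),  # the trusted host itself
    Packet("192.168.2.10", "serial0"),                    # same address, from outside
    Packet("192.168.2.10", "eth3", "aa:bb:cc:00:03:99"),  # same address, other local net
    Packet("203.0.113.7", "serial0"),                     # ordinary Internet traffic
]

if __name__ == "__main__":
    for acl in (False, True):
        print("access list on serial0:", acl)
        for row in deliver(SAMPLE, "eth1", acl):
            print("  ", row)
```

With the access list on, the copy of `192.168.2.10` that arrived over the serial link is gone, while the one from `eth3` still gets through: the filter establishes "inside the network", not "from the trusted host".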