MAC Address – Format, Types, and Role in Layer 2 Networking

1. What Is a MAC Address?

A MAC address (Media Access Control address) is a unique hardware identifier assigned to a network interface card (NIC). It operates at Layer 2 (Data Link Layer) of the OSI model and is used to deliver Ethernet frames within a local network segment.

While an IP address identifies a device logically and can change, a MAC address is permanently burned into the hardware at the factory and is intended to be globally unique. Every Ethernet NIC, Wi-Fi adapter, Bluetooth chip, and many other network interfaces carries its own MAC address. 

  Ethernet Frame
  ┌──────────────┬──────────────┬───────────┬─────────────┬─────┐
  │  Dest MAC    │  Source MAC  │ EtherType │   Payload   │ FCS │
  │  6 bytes     │  6 bytes     │  2 bytes  │ 46-1500 B   │ 4 B │
  └──────────────┴──────────────┴───────────┴─────────────┴─────┘
       ▲
       └─ Switch forwards frame based on this field

Related pages: MAC Address Table | show mac address-table | Port Security | Port Security Violation Modes | DHCP Snooping | VLANs | show interfaces | Port Security & Sticky MAC Lab | DHCP Snooping & DAI Lab

2. MAC Address Format

A MAC address is 48 bits (6 bytes) long, written as six pairs of hexadecimal digits. Three notation styles are equally valid and represent the same address:

Notation Style Example Common On
Colon-separated 00:1A:2B:3C:4D:5E Linux, macOS, Cisco IOS
Hyphen-separated 00-1A-2B-3C-4D-5E Windows (ipconfig /all)
Dot-separated (Cisco) 001a.2b3c.4d5e Cisco show mac address-table

The 48 bits are divided into two equal halves: 

  00 : 1A : 2B  :  3C : 4D : 5E
  |<----OUI----->|  |<--Device ID-->|
   24 bits (3 B)      24 bits (3 B)
  Assigned by IEEE   Assigned by manufacturer

3. OUI and Device Identifier

The OUI (Organizationally Unique Identifier) is the first 24 bits (3 bytes) of a MAC address. It is assigned by the IEEE to each network equipment manufacturer, making it possible to identify the vendor from the address alone.

OUI (First 3 Bytes) Manufacturer
00:00:0C Cisco Systems
00:50:56 VMware (virtual NICs)
3C:5A:B4 Google (Chromecast / Nest)
F8:FF:C2 Apple
00:1A:2B Example manufacturer

The device identifier (last 24 bits) is assigned by the manufacturer to ensure every NIC they produce has a unique full address. Combined with the OUI, this provides 224 × 224 = ~281 trillion theoretically unique addresses.

4. Special Bits in the First Byte

The two least-significant bits of the first byte carry special meaning and are tested by network hardware on every received frame:

Bit Name Value 0 Value 1
Bit 0 (LSB of byte 1) I/G bit (Individual / Group) Unicast — addressed to a single interface Multicast or Broadcast — addressed to a group
Bit 1 U/L bit (Universal / Local) Globally unique (IEEE-assigned OUI) Locally administered (manually set or OS-generated)

Examples: FF:FF:FF:FF:FF:FF — I/G bit = 1 (group/broadcast). 02:00:00:00:00:01 — U/L bit = 1 (locally administered, commonly used in virtualisation).

5. Types of MAC Addresses

Type I/G Bit Address / Range Description Example Use
Unicast 0 Any address with LSB of byte 1 = 0 Identifies a single, specific network interface. All normal host traffic uses unicast MACs. 00:1A:2B:3C:4D:5E
Multicast 1 01:00:5E:00:00:0001:00:5E:7F:FF:FF (IPv4)
33:33:xx:xx:xx:xx (IPv6)		 Delivered to all interfaces that have joined a multicast group. Used by routing protocols and streaming. 01:00:5E:00:00:05 (OSPF all routers)
Broadcast 1 FF:FF:FF:FF:FF:FF (only one address) Delivered to every device on the local broadcast domain. Used by ARP requests, DHCP Discover, and other protocols that must reach all hosts. ARP “Who has 192.168.1.20?”

6. How MAC Addresses Are Assigned

Assignment Type Also Called How Set U/L Bit Use Case
Factory-assigned BIA — Burned-In Address Programmed into NIC ROM at manufacture 0 (universal) Normal operation; globally unique per device
Locally administered LAA — Locally Administered Address Set via OS, driver, or device config; overrides BIA in software 1 (local) Privacy (randomised MACs on Wi-Fi), VM NICs, testing, bypassing port security filters

Note: Modern operating systems (iOS 14+, Android 10+, Windows 10+) use randomised (locally administered) MAC addresses by default when probing for Wi-Fi networks, to prevent tracking across locations. The BIA is only used once associated.

7. MAC Address vs. IP Address

Aspect MAC Address IP Address
OSI layer Layer 2 — Data Link Layer 3 — Network
Address length 48 bits (6 bytes) 32 bits IPv4 / 128 bits IPv6
Nature Hardware identifier — tied to the NIC Logical identifier — tied to the network
Scope Local segment only — not forwarded by routers Global — routed across networks and the Internet
Changeability Fixed in hardware; can be overridden in software (LAA) Fully configurable; assigned statically or via DHCP
Format Hexadecimal pairs: 00:1A:2B:3C:4D:5E Dotted decimal: 192.168.1.10
Assigned by IEEE (OUI) + manufacturer (device ID) IANA / RIRs (public) or admin / DHCP (private)
Used by Ethernet switches, Wi-Fi APs, ARP Routers, firewalls, IP-based applications

See also: MAC Address Table | VLANs

8. MAC Addresses and ARP

IP addresses identify destinations logically, but Ethernet frames require a MAC address in the header for local delivery. ARP (Address Resolution Protocol) bridges this gap by resolving a known IP address to its MAC address on the local subnet. 

  Host A wants to reach 192.168.1.20 (Host B):

  1. ARP Request (broadcast)
     Src MAC: AA:AA:AA:AA:AA:AA  Dst MAC: FF:FF:FF:FF:FF:FF
     "Who has 192.168.1.20? Tell 192.168.1.10"

  2. ARP Reply (unicast from Host B)
     Src MAC: BB:BB:BB:BB:BB:BB  Dst MAC: AA:AA:AA:AA:AA:AA
     "192.168.1.20 is at BB:BB:BB:BB:BB:BB"

  3. Host A caches the mapping and sends the data frame:
     Src MAC: AA:AA:AA:AA:AA:AA  Dst MAC: BB:BB:BB:BB:BB:BB

The ARP cache (viewable with arp -a) stores IP-to-MAC mappings temporarily. Entries expire after a few minutes; stale entries are a common source of connectivity issues.

See also: How DHCP Works | IPv6 NDP

9. How Switches Learn and Use MAC Addresses

An Ethernet switch builds a MAC address table (also called the CAM table) dynamically by inspecting the source MAC of every incoming frame and recording which port it arrived on. Forwarding decisions are then made on the destination MAC:

Situation Switch Action
Destination MAC known in table Forward — send frame only out the mapped port
Destination MAC unknown in table Flood — send frame out all ports in the VLAN except the source port
Destination MAC is FF:FF:FF:FF:FF:FF Flood — broadcast frames are always flooded
Source MAC seen on a different port than recorded Update — overwrites the old port mapping (MAC move / flapping)
Entry not refreshed within the aging timer (default 300 s) Remove — entry is deleted; next frame triggers a flood again

See also: MAC Address Table | show mac address-table | VLANs

10. MAC Address Spoofing and Security

Because a MAC address can be overridden in software, it is possible to make a NIC advertise any address regardless of its BIA. This is called MAC spoofing.

Scenario Legitimate or Malicious? Detail
Privacy randomisation Legitimate OS randomises MAC during Wi-Fi scanning to prevent location tracking by APs
VM / container NICs Legitimate Hypervisors generate locally administered MACs for virtual interfaces
ISP MAC binding bypass Grey area Cloning a router’s MAC to satisfy an ISP that ties services to a specific address
MAC flooding attack Malicious Attacker sends frames with thousands of fake source MACs, overflowing the CAM table; switch then floods all traffic (failopen), enabling eavesdropping
Bypassing port security / NAC Malicious Attacker spoofs an authorised device’s MAC to gain network access
ARP spoofing / poisoning Malicious Attacker sends fake ARP replies associating their MAC with another host’s IP, intercepting traffic (Man-in-the-Middle)

Defences Against MAC-Based Attacks

  • Port Security: Limits the number of MACs per switch port and optionally locks to specific addresses. Violation modes (shutdown, restrict, protect) define the response to violations.
  • Dynamic ARP Inspection (DAI): Validates ARP packets against the DHCP snooping binding table, dropping spoofed ARP replies.
  • DHCP Snooping: Builds a table of legitimate IP-to-MAC-to-port bindings; used by DAI and IP Source Guard.
  • 802.1X / NAC: Authenticates the device or user before granting port access, making MAC-only checks redundant.

See also: Port Security | Port Security Violation Modes | Step-by-Step: Port Security

11. Viewing MAC Addresses

Platform Command What It Shows
Windows ipconfig /all “Physical Address” for each adapter, shown with hyphens
Windows (PowerShell) Get-NetAdapter | Select Name, MacAddress Adapter name and MAC in a clean table
Linux ip link show or ifconfig “link/ether” field shows the MAC; ifconfig on older systems
macOS ifconfig en0 “ether” field shows the MAC for the interface
Cisco IOS — interface MAC show interfaces “Hardware is ... address is” line shows the interface BIA and current MAC
Cisco IOS — switch table show mac address-table Full CAM table: VLAN, MAC address, type (dynamic/static), and port
Cisco IOS — ARP cache show arp IP-to-MAC mappings the device has resolved locally

12. Practical Example – End-to-End Frame Delivery

Scenario: Three PCs on the same switch. PC1 sends data to PC2 for the first time. 

  PC1: IP 192.168.1.10 / MAC AA:AA:AA:AA:AA:AA  (Port 1)
  PC2: IP 192.168.1.20 / MAC BB:BB:BB:BB:BB:BB  (Port 2)
  PC3: IP 192.168.1.30 / MAC CC:CC:CC:CC:CC:CC  (Port 3)

  Step 1: PC1 checks its ARP cache — no entry for 192.168.1.20
  Step 2: PC1 sends ARP Request
          Src MAC: AA:AA:AA:AA:AA:AA
          Dst MAC: FF:FF:FF:FF:FF:FF  (broadcast)
          Switch floods out Ports 2 and 3; learns AA:AA:AA:AA:AA:AA → Port 1

  Step 3: PC2 replies with ARP Reply (unicast)
          Src MAC: BB:BB:BB:BB:BB:BB
          Dst MAC: AA:AA:AA:AA:AA:AA
          Switch learns BB:BB:BB:BB:BB:BB → Port 2

  Step 4: PC1 sends data frame
          Src MAC: AA:AA:AA:AA:AA:AA
          Dst MAC: BB:BB:BB:BB:BB:BB
          Switch looks up BB:BB:BB:BB:BB:BB → Port 2
          Frame forwarded ONLY to Port 2; PC3 never sees it

13. Key Points & CCNA Exam Tips

  • MAC = Media Access Control; 48 bits / 6 bytes; written in hex pairs
  • First 3 bytes = OUI (manufacturer, IEEE-assigned); last 3 bytes = device ID (manufacturer-assigned)
  • I/G bit (bit 0 of byte 1): 0 = unicast, 1 = multicast/broadcast
  • U/L bit (bit 1 of byte 1): 0 = globally unique (BIA), 1 = locally administered (LAA)
  • Broadcast MAC = FF:FF:FF:FF:FF:FF — always flooded by switches; never forwarded by routers
  • IPv4 multicast MACs begin with 01:00:5E; IPv6 multicast MACs begin with 33:33
  • ARP resolves IP → MAC on the local subnet; NDP does the same for IPv6
  • Switches learn source MACs and forward on destination MACs; unknown destinations are flooded
  • MAC table entries age out after 300 seconds by default; adjust with mac address-table aging-time
  • MAC spoofing can be used legitimately (privacy, VMs) or maliciously (flooding, ARP poisoning)
  • Port security limits MACs per port and can lock to sticky MACs to defend against spoofing and flooding
  • show mac address-table on Cisco displays the CAM table; show interfaces shows the interface’s own BIA

MAC Address Quiz

1. What does MAC in MAC address stand for?

Correct answer is C. MAC stands for Media Access Control. The MAC address uniquely identifies a network interface at Layer 2 (Data Link Layer) of the OSI model.

2. How many bits long is a MAC address?

Correct answer is A. MAC addresses are 48 bits (6 bytes) long, written as six pairs of hexadecimal digits. Compare: IPv4 = 32 bits, IPv6 = 128 bits.

3. What does the OUI in a MAC address represent?

Correct answer is D. The OUI is the first 24 bits (3 bytes) of a MAC address, assigned by the IEEE to each manufacturer. It allows you to identify the vendor from the address — e.g., 00:00:0C belongs to Cisco.

4. At which OSI layer does a MAC address operate?

Correct answer is B. MAC addresses operate at Layer 2 (Data Link Layer). Ethernet switches make forwarding decisions based on MAC addresses. IP addresses operate at Layer 3, used by routers.

5. Which MAC address type identifies a single device?

Correct answer is A. A unicast MAC address (I/G bit = 0) uniquely identifies a single network interface. It is used for all normal host-to-host communication on a LAN.

6. What MAC address is used to reach all devices in the local broadcast domain?

Correct answer is D. FF:FF:FF:FF:FF:FF is the broadcast MAC address. A switch floods any frame with this destination out all ports in the VLAN except the source port. ARP requests and DHCP Discover use this address.

7. How are MAC addresses typically assigned to devices?

Correct answer is C. Most MAC addresses are factory-programmed into the NIC ROM as a Burned-In Address (BIA). While software can override this with a Locally Administered Address (LAA), the BIA is permanent in hardware.

8. What protocol resolves an IP address to a MAC address on a local network?

Correct answer is A. ARP sends a broadcast request (“Who has IP x.x.x.x?”) and the owner replies with its MAC address. The mapping is cached in the ARP table. IPv6 uses NDP (Neighbor Discovery Protocol) for the same purpose.

9. Why might someone change (spoof) a MAC address?

Correct answer is B. Legitimate uses of MAC spoofing include privacy (OS randomisation on Wi-Fi), VM NICs, and ISP compatibility. Malicious uses include bypassing port security, MAC flooding attacks, and ARP poisoning. Port Security and Dynamic ARP Inspection are the primary defences.

10. Which command shows the MAC address table on a Cisco switch?

Correct answer is C. show mac address-table displays the switch’s CAM table, showing each learned MAC address, its VLAN, type (dynamic or static), and the port it was learned on. Use show interfaces to see the BIA of the switch’s own interfaces.

← Back to Home