MAC Address vs IP Address – How They Work Together Across Every Network Hop

1. Overview — Two Addresses, Two Jobs

Every device on a modern network carries two completely different addresses simultaneously, each serving a distinct purpose at a different layer of the OSI model. Confusing them — or not understanding why both are needed — is one of the most common sources of networking errors and misconceptions.

Feature	MAC Address	IP Address
Full Name	Media Access Control Address	Internet Protocol Address
OSI Layer	Layer 2 — Data Link	Layer 3 — Network
Address Type	Physical (hardware)	Logical (software-configurable)
Scope	Local link only — never forwarded by routers	Local (private) or global (public) — routable across networks
Assigned by	NIC manufacturer (burned in); can be overridden in software	Administrator (static) or DHCP server (dynamic)
Changes at router hops?	Yes — replaced at every router with new source/destination MACs	No — same source and destination IP end-to-end (except NAT)
Size	48 bits (6 bytes)	32 bits (IPv4) or 128 bits (IPv6)
Format	Hexadecimal pairs: `00:1A:2B:3C:4D:5E`	Dotted decimal (IPv4): `192.168.1.10` Colon-hex groups (IPv6): `2001:db8::1`
PDU that carries it	Ethernet frame header	IP packet header
Primary device that uses it	Switch (MAC address table lookup)	Router (routing table lookup)

2. MAC Address — Structure, OUI, and Types

A MAC address is a 48-bit (6-byte) identifier permanently associated with a network interface card (NIC). It is expressed as twelve hexadecimal digits, conventionally written in colon-separated pairs (e.g. 00:1A:2B:3C:4D:5E) or hyphen-separated pairs (e.g. 00-1A-2B-3C-4D-5E). Both notations refer to the same address.

MAC Address Structure

  48-bit MAC address: 00:1A:2B:3C:4D:5E
  ├─────────────────┤ ├───────────────┤
    OUI (24 bits)       NIC-specific (24 bits)
    First 3 bytes       Last 3 bytes
    Identifies the      Assigned by manufacturer
    manufacturer        to uniquely identify the NIC

  Bit 1 of byte 1 (LSB) — Individual/Group (I/G) bit:
    0 = Unicast address (sent to one specific device)
    1 = Multicast/Broadcast address (sent to a group)

  Bit 2 of byte 1 — Universal/Local (U/L) bit:
    0 = BIA — Burned-In Address (globally administered by IEEE)
    1 = LAA — Locally Administered Address (overridden by software)

OUI — Organisationally Unique Identifier

The first 24 bits of every MAC address form the OUI, which identifies the manufacturer of the NIC. The IEEE Registration Authority assigns OUIs to vendors. Examples: 00:1A:2B → Cisco, 00:50:56 → VMware, 00:0C:29 → VMware (workstation). You can look up any OUI in the IEEE OUI registry.

BIA vs LAA

Type	Full Name	U/L Bit	How Set	Use Case
BIA	Burned-In Address	0 (Universal)	Programmed by manufacturer into the NIC's ROM/EEPROM at the factory — globally unique	Default for all network communication; used to identify the physical hardware
LAA	Locally Administered Address	1 (Local)	Set by software — OS, hypervisor, or administrator overrides the BIA	MAC spoofing; virtual machine NIC assignment; privacy (randomised MACs on modern mobile devices); bypassing MAC filters; network testing

MAC Address Types

Type	I/G Bit	Example Address	Delivery	Common Use
Unicast	0	`00:1A:2B:3C:4D:5E`	To one specific NIC	All normal frame delivery (HTTP, SSH, file transfers)
Broadcast	1 (all bits set)	`FF:FF:FF:FF:FF:FF`	To all devices in the broadcast domain	ARP requests, DHCP Discover — any protocol that needs to reach all devices on the segment
Multicast	1 (I/G bit only)	`01:00:5E:xx:xx:xx` (IPv4) `33:33:xx:xx:xx:xx` (IPv6)	To a specific group of subscribed devices	IPv4 multicast (OSPF hellos on `01:00:5E:00:00:05`), IPv6 NDP, streaming video with IGMP snooping

See: MAC Address Guide | CAM Table | show mac-address-table | Frame Forwarding

3. IP Address — IPv4 and IPv6 Structure

An IP address is a logical, software-assigned address that identifies a device on a network — not the hardware itself. The same NIC can have its IP address changed at any time without altering the MAC. There are two current versions in use.

IPv4

  IPv4 address: 192.168.1.10  /  255.255.255.0
  ─────────────────────────────────────────────
  32 bits written as four decimal octets (0–255) separated by dots.

  Structure with /24 subnet mask:
  ┌──────────────────────┬─────────────┐
  │   Network portion    │ Host portion│
  │   192.168.1          │    .10      │
  │   (24 bits)          │  (8 bits)   │
  └──────────────────────┴─────────────┘
  Network address:   192.168.1.0    (host bits all 0)
  Broadcast address: 192.168.1.255  (host bits all 1)
  Usable hosts:      192.168.1.1 – 192.168.1.254  (254 hosts)

IPv6

  IPv6 address: 2001:0DB8:ACAD:0001:020C:29FF:FE4B:A8E3 /64
  ─────────────────────────────────────────────────────────
  128 bits written as eight groups of four hex digits, colon-separated.
  Consecutive all-zero groups may be collapsed to "::" (once per address).

  Structure:
  ┌──────────────────────────┬────────────────────────────────────┐
  │  Network prefix (64 bits) │  Interface Identifier (64 bits)   │
  │  2001:0DB8:ACAD:0001      │  020C:29FF:FE4B:A8E3              │
  │  (ISP prefix + subnet ID) │  (EUI-64 from MAC or random)      │
  └──────────────────────────┴────────────────────────────────────┘

Private vs Public IPv4

Range	CIDR	Scope	Common Use
`10.0.0.0 – 10.255.255.255`	10.0.0.0/8	Private (RFC 1918)	Large enterprise networks
`172.16.0.0 – 172.31.255.255`	172.16.0.0/12	Private (RFC 1918)	Medium enterprise networks
`192.168.0.0 – 192.168.255.255`	192.168.0.0/16	Private (RFC 1918)	Home and small office networks
`169.254.0.0 – 169.254.255.255`	169.254.0.0/16	Link-local (APIPA)	Auto-assigned when DHCP fails
Everything else (assigned by RIRs)	Various	Public — globally routable	Internet-facing servers, ISP infrastructure

4. How MAC and IP Work Together — ARP and Hop-by-Hop Delivery

The key insight that unlocks how networking actually works is this: IP addresses identify the final destination; MAC addresses identify the next hop. Every time a packet crosses a router, the IP header stays the same but the Ethernet frame around it is completely replaced.

ARP — Address Resolution Protocol

Before a host can send a frame to another device on the same subnet, it needs that device's MAC address. ARP (RFC 826) resolves a known IPv4 address to an unknown MAC address using a two-message exchange:

  ARP Request (broadcast):
  ┌─────────────────────────────────────────────────────────┐
  │ Ethernet: Dst=FF:FF:FF:FF:FF:FF  Src=00:1A:2B:3C:4D:5E │
  │ ARP:  "Who has 192.168.1.20? Tell 192.168.1.10"        │
  └─────────────────────────────────────────────────────────┘
  → Sent as a broadcast — every device on the segment receives it

  ARP Reply (unicast):
  ┌─────────────────────────────────────────────────────────┐
  │ Ethernet: Dst=00:1A:2B:3C:4D:5E  Src=00:1B:4C:7D:8E:9F │
  │ ARP:  "192.168.1.20 is at 00:1B:4C:7D:8E:9F"          │
  └─────────────────────────────────────────────────────────┘
  → Sent directly back to the requester

The resolved mapping is stored in the host's ARP cache for a short period (typically 2–20 minutes) to avoid repeating the broadcast for every frame. View it with arp -a (Windows/Linux) or show ip arp (Cisco IOS).

IPv6 uses NDP instead of ARP: In IPv6, Neighbor Discovery Protocol (NDP) performs address resolution using ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages — no broadcasts, using solicited-node multicast instead.

What Happens Across Multiple Hops

This is the most important concept in this entire topic and a favourite exam question: MAC addresses are replaced at every single router hop; IP addresses are preserved end-to-end.

  Scenario: John's PC (192.168.1.10) sends to Web Server (203.0.113.50)
  Path: PC → Switch → Router → Internet → Web Server

  ── Hop 1: PC to Router (on 192.168.1.0/24 LAN) ──────────────────
  IP Packet:  Src IP = 192.168.1.10     Dst IP = 203.0.113.50  ← unchanged
  ETH Frame:  Src MAC = PC's MAC        Dst MAC = Router's LAN MAC

  Router receives frame, strips Ethernet header, reads IP header.
  Looks up 203.0.113.50 in routing table → forward out WAN interface.
  Builds NEW Ethernet frame for the next link:

  ── Hop 2: Router to Next-Hop ISP Router ──────────────────────────
  IP Packet:  Src IP = 192.168.1.10     Dst IP = 203.0.113.50  ← still unchanged
  ETH Frame:  Src MAC = Router's WAN MAC   Dst MAC = ISP Router's MAC
              ↑ completely different MACs from Hop 1

  ... (repeated at every router across the internet) ...

  ── Final Hop: Last Router to Web Server ──────────────────────────
  IP Packet:  Src IP = 192.168.1.10     Dst IP = 203.0.113.50  ← same as Hop 1
  ETH Frame:  Src MAC = Last Router's MAC  Dst MAC = Web Server's MAC

The IP source address remains 192.168.1.10 all the way to the web server across every router hop. The Ethernet frame, however, is completely rebuilt at every single router. The web server never sees John's laptop's MAC address — it only ever sees the MAC of the last router in the path.

See: ARP and arp -a | Frame Forwarding | How Routers Work | show ip route

5. Address Format and Representation

Address Type	Size	Format	Example	Notation Variants
MAC Address	48 bits (6 bytes)	12 hexadecimal digits in 6 pairs	`00:1A:2B:3C:4D:5E`	Colons: `00:1A:2B:3C:4D:5E` Hyphens: `00-1A-2B-3C-4D-5E` Cisco dot notation: `001A.2B3C.4D5E`
IPv4 Address	32 bits (4 bytes)	4 decimal octets (0–255) separated by dots	`192.168.1.10`	With prefix length: `192.168.1.10/24` With subnet mask: `255.255.255.0`
IPv6 Address	128 bits (16 bytes)	8 groups of 4 hex digits, colon-separated	`2001:db8::1`	Full: `2001:0DB8:0000:0000:0000:0000:0000:0001` Compressed: leading zeros dropped, `::` replaces longest all-zero run (once only)

6. Assignment — Static, Dynamic, and Burned-In

Address Type	Default Assignment	Can Be Changed?	How	Persistence
MAC (BIA)	Factory-programmed into NIC ROM/EEPROM by manufacturer	Yes — software override (becomes LAA)	OS network settings; `ip link set dev eth0 address XX:XX:XX:XX:XX:XX` (Linux); Device Manager (Windows); Cisco: `mac-address XXXX.XXXX.XXXX` on interface	BIA persists forever; LAA resets to BIA on some systems after reboot unless made persistent
IP — Static	Manually configured by administrator	Yes — change at any time	Network settings GUI; `ip addr add` (Linux); Cisco: `ip address x.x.x.x y.y.y.y` on interface	Persists until changed; never expires
IP — Dynamic (DHCP)	Assigned by a DHCP server from a configured pool	Yes — expires and renews	DHCP client sends DORA sequence (Discover, Offer, Request, Ack); `ipconfig /renew` (Windows); `dhclient eth0` (Linux)	Lease-based — expires after configured time (minutes to days); automatically renewed while host stays online

See: How DHCP Works | DHCP Configuration | ipconfig & ifconfig | Sticky MAC

7. Scope — Where Each Address Is Valid

  ┌──────────────────────────────────────────────────────────────────┐
  │                       NETWORK DIAGRAM                            │
  │                                                                  │
  │  PC-A          Switch         Router           Web Server        │
  │  192.168.1.10 ────────────── [L3] ──────────── 203.0.113.50     │
  │  MAC: AA:AA    MAC table       │                MAC: DD:DD       │
  │                                │                                  │
  │  ◄── MAC addresses meaningful only within each LAN segment ──►   │
  │  PC-A's MAC known to Switch.   Router's WAN MAC known to ISP.    │
  │  PC-A's MAC NEVER reaches Web Server — stops at the router.      │
  │                                                                  │
  │  ◄────────── IP addresses meaningful end-to-end ─────────────►   │
  │  192.168.1.10 and 203.0.113.50 are in every IP packet header,   │
  │  unchanged, from PC-A all the way to Web Server.                 │
  └──────────────────────────────────────────────────────────────────┘

Characteristic	MAC Address	IP Address
Valid scope	Single physical/logical link (LAN segment or VLAN)	End-to-end across any number of networks (routed scope)
Forwarded by routers?	No — the Layer 2 frame (and its MACs) is stripped and discarded at every router; a new frame is built for the next link	Yes — the IP packet passes through routers unchanged (TTL decremented; NAT may modify addresses)
Unique globally?	BIAs are globally unique (theoretically); LAAs are locally unique only. The same `FE80::1` link-local IPv6 MAC-derived address can exist on every subnet simultaneously.	Public IPs are globally unique; private RFC 1918 IPs may overlap across different organisations

8. Security — MAC Spoofing and IP Spoofing

Both address types can be forged by an attacker. Understanding the attack vectors and their mitigations is a CCNA security requirement.

Attack	What Happens	Impact	Mitigation
MAC Spoofing	Attacker changes their NIC's MAC to match that of a legitimate device — either to impersonate it or to bypass a MAC-based access control list (ACL) or Wi-Fi MAC filter	Bypass port security or Wi-Fi MAC filtering; receive traffic intended for another device; trigger MAC table instability on switches if two ports claim the same MAC	Port Security with sticky MAC and violation shutdown mode; Dynamic ARP Inspection (DAI); 802.1X port-based authentication; monitoring for MAC flapping in switch logs
ARP Poisoning / ARP Spoofing	Attacker sends unsolicited ARP replies with a false MAC mapping (e.g. claiming the gateway's IP maps to the attacker's MAC), poisoning the ARP cache of hosts on the segment — a classic man-in-the-middle attack	All traffic from victims flows through the attacker, who can read, modify, or drop it; credentials and session tokens exposed	Dynamic ARP Inspection (DAI) on switches validates ARP packets against the DHCP snooping binding table; static ARP entries for critical hosts; encrypted protocols (HTTPS, SSH) limit impact
IP Spoofing	Attacker sends packets with a forged source IP address to hide their identity, impersonate another host, or trigger amplification attacks (sending requests that cause large responses to be sent to the spoofed victim IP)	DDoS amplification (DNS, NTP, SSDP reflection attacks); bypassing IP-based ACLs; evading intrusion detection	Ingress filtering (BCP38/RFC 2827) — ISPs drop packets with source IPs that cannot be valid from the ingress interface; ACLs blocking RFC 1918 sources on internet-facing interfaces; stateful firewalls and IPS
MAC Flooding	Attacker floods the switch with frames containing thousands of fake source MACs, overflowing the CAM table — the switch falls back to flooding all frames, allowing the attacker to intercept all traffic	Full LAN traffic visible to attacker; equivalent to placing the attacker on a hub	Port Security with a maximum MAC limit per port; sticky MAC learning

See: Firewalls | ACLs | Port Security Violation Modes | Sticky MAC | DHCP Snooping & DAI

9. Viewing MAC and IP Addresses — Key Commands

Task	Windows	Linux / macOS	Cisco IOS
View IP address	`ipconfig`	`ip addr show` or `ifconfig`	`show ip interface brief`
View MAC address	`ipconfig /all` (Physical Address field)	`ip link show` (link/ether field)	`show interfaces` (Hardware is line)
View ARP cache	`arp -a`	`arp -n` or `ip neigh show`	`show ip arp`
View MAC address table	N/A (host, not switch)	N/A (host, not switch)	`show mac address-table`
Clear ARP cache	`arp -d *` (admin)	`ip neigh flush all`	`clear arp-cache`
Test IP connectivity	`ping <IP>`	`ping <IP>`	`ping <IP>`

10. End-to-End Scenario — ARP, Frames, and Packets

John's laptop (192.168.1.10 / MAC: AA:AA:AA:AA:AA:AA) wants to load https://netstuts.com (server at 203.0.113.50 / MAC: DD:DD:DD:DD:DD:DD). The default gateway is 192.168.1.1 / MAC: BB:BB:BB:BB:BB:BB.

  Step 1 — DNS resolution (not shown for brevity)
  DNS resolves "netstuts.com" → 203.0.113.50

  Step 2 — Is the destination on the same subnet?
  John's IP: 192.168.1.10 /24
  Server IP: 203.0.113.50  ← different /24 network
  Decision:  Send to default gateway (192.168.1.1)

  Step 3 — ARP for the gateway's MAC
  John checks ARP cache: Is 192.168.1.1 there?
  If not: Send ARP Request (broadcast FF:FF:FF:FF:FF:FF)
    "Who has 192.168.1.1? Tell 192.168.1.10"
  Router replies: "192.168.1.1 is at BB:BB:BB:BB:BB:BB"
  John caches: 192.168.1.1 → BB:BB:BB:BB:BB:BB

  Step 4 — Build and send the Ethernet frame
  ETH Frame:
    Dst MAC: BB:BB:BB:BB:BB:BB  ← gateway's MAC
    Src MAC: AA:AA:AA:AA:AA:AA  ← John's MAC
  IP Packet (inside frame):
    Dst IP: 203.0.113.50        ← web server's IP (unchanged)
    Src IP: 192.168.1.10        ← John's IP (unchanged)

  Step 5 — Router processes the frame
  Router strips the Ethernet frame.
  Reads IP header: destination 203.0.113.50
  Routing table lookup: forward toward ISP
  ARP for next-hop ISP router (CC:CC:CC:CC:CC:CC)
  Builds NEW Ethernet frame:
    Dst MAC: CC:CC:CC:CC:CC:CC  ← ISP router's MAC (different!)
    Src MAC: Router's WAN MAC   ← router's WAN MAC (different!)
  IP Packet (same as before — unchanged):
    Dst IP: 203.0.113.50
    Src IP: 192.168.1.10

  ... (repeated across every router hop) ...

  Step 6 — Final delivery to web server
  Last router builds frame:
    Dst MAC: DD:DD:DD:DD:DD:DD  ← web server's MAC
    Src MAC: Last Router's MAC
  IP Packet:
    Dst IP: 203.0.113.50        ← same as Step 4
    Src IP: 192.168.1.10        ← same as Step 4

  The web server sees John's IP but NEVER sees John's MAC address.

11. Exam Tips & Key Points

MAC is Layer 2 (physical/hardware); IP is Layer 3 (logical/software). Know which OSI layer each belongs to — this is tested directly.
MAC addresses are 48 bits (6 bytes) in hexadecimal; IPv4 is 32 bits in dotted decimal; IPv6 is 128 bits in colon-separated hex.
The first 24 bits of a MAC form the OUI (manufacturer identifier assigned by IEEE); the last 24 bits are device-specific.
BIA = Burned-In Address (factory default); LAA = Locally Administered Address (software override). The U/L bit distinguishes them.
ARP resolves an IP address to a MAC address on the local segment. It sends a broadcast ARP Request and receives a unicast ARP Reply. IPv6 uses NDP (Neighbor Solicitation/Advertisement) instead.
MAC addresses change at every router hop; IP addresses stay the same end-to-end. This is the single most important MAC vs IP concept for the CCNA.
The destination MAC in an outgoing frame is always the next-hop device's MAC (gateway router) — never the final destination's MAC unless both devices are on the same subnet.
MAC spoofing bypasses MAC-based controls; mitigated by port security and Dynamic ARP Inspection. IP spoofing forges source IPs; mitigated by ingress filtering and stateful firewalls.
On Windows, ipconfig /all shows MAC as "Physical Address"; on Linux, ip link show shows it as "link/ether".
Use arp -a (Windows/Linux) or show ip arp (Cisco IOS) to view the current MAC-to-IP mapping table.

12. Summary

Aspect	MAC Address	IP Address
OSI Layer	Layer 2 — Data Link	Layer 3 — Network
Size	48 bits	32 bits (IPv4) / 128 bits (IPv6)
Format	Hex pairs: `00:1A:2B:3C:4D:5E`	Dotted decimal: `192.168.1.10` / colon-hex: `2001:db8::1`
Assigned by	Manufacturer (BIA) or software (LAA)	Admin (static) or DHCP server (dynamic)
Scope	Local link only — never routed	End-to-end across all networks
Changes at router hops	Yes — completely replaced at every hop	No — same end-to-end (except NAT)
Resolution protocol	Target of ARP (IPv4) / NDP (IPv6)	Source for ARP request; resolved by DNS (name to IP)
Used by device	Switch (CAM table lookup)	Router (routing table lookup)
Security threat	MAC spoofing, ARP poisoning, MAC flooding	IP spoofing, DDoS amplification
View command (Windows)	`ipconfig /all` (Physical Address)	`ipconfig`

MAC Address vs IP Address Quiz

1. At which OSI layer does the MAC address operate, and what is its primary role?

A. Layer 3 — it identifies devices across multiple networks using logical addressing B. Layer 1 — it defines the physical signal characteristics of the NIC C. Layer 2 — it uniquely identifies a NIC on a local network segment, enabling frame delivery within a LAN D. Layer 4 — it identifies application processes using port numbers

Correct answer is C. MAC addresses operate at OSI Layer 2 (Data Link Layer). A MAC address is a 48-bit hardware identifier burned into the NIC by its manufacturer — it uniquely identifies the physical interface on the local network segment. Switches use MAC addresses to make forwarding decisions, consulting their CAM (MAC address) table to deliver frames only to the correct port. Critically, MAC addresses are strictly local — a router strips the Ethernet frame (including its MAC addresses) at every hop and builds a brand-new frame for the next link. The MAC address of John's laptop is therefore never seen by a web server on the other side of the internet.

2. A MAC address is 48 bits long. How is that expressed in the address you see, and what do the first 24 bits identify?

A. 32 bits expressed as four decimal octets; the first 16 bits identify the device model B. 48 bits expressed as twelve hexadecimal digits in six pairs; the first 24 bits (three pairs) form the OUI which identifies the NIC manufacturer C. 64 bits expressed as eight hex pairs; the first 32 bits identify the network D. 128 bits expressed as colon-separated groups; the first 24 bits identify the country of manufacture

Correct answer is B. A MAC address is exactly 48 bits (6 bytes) long, displayed as twelve hexadecimal digits conventionally grouped into six colon-separated pairs, e.g. 00:1A:2B:3C:4D:5E. The address has two halves: the first 24 bits (first three pairs) form the OUI (Organisationally Unique Identifier), which is assigned by the IEEE Registration Authority to the manufacturer. The last 24 bits are assigned by the manufacturer to uniquely identify the individual NIC. So 00:1A:2B might identify Cisco, and 3C:4D:5E is that specific NIC's serial number within Cisco's product line.

3. John's PC (192.168.1.10) is sending a packet to a web server (203.0.113.50). What is the destination MAC address in the Ethernet frame that leaves John's PC?

A. The MAC address of John's default gateway (router) — because the web server is on a different subnet, the frame must first go to the router B. The MAC address of the web server (203.0.113.50) — because that is the final IP destination C. The broadcast MAC FF:FF:FF:FF:FF:FF — so all devices can see it and forward it toward the server D. The MAC address of the nearest DNS server — because DNS must resolve the route first

Correct answer is A. This is the most frequently tested concept in MAC vs IP: the destination MAC in an outgoing frame is always the next hop's MAC — not the final destination's MAC. John's PC compares the destination IP (203.0.113.50) against its own subnet (192.168.1.0/24) and determines the server is on a different network. It therefore sends the frame to the default gateway router. John's PC uses ARP to resolve the router's IP (192.168.1.1) to its MAC, then builds the Ethernet frame with the router's MAC as the destination. The IP packet inside the frame still has 203.0.113.50 as the destination IP — that never changes. The router will then strip this frame, build a new one for the next link, and so on until the packet reaches the web server's LAN.

4. What protocol resolves an IPv4 address to a MAC address, and how does it work?

A. DHCP — it assigns both IP and MAC addresses to new devices on the network B. DNS — it resolves hostnames to IP addresses, and separately resolves IPs to MACs C. ICMP — it sends ping messages that include the target's MAC address in the reply D. ARP — it broadcasts a request asking "Who has this IP?" and the owning host unicasts back its MAC address, which the requester caches for future frames

Correct answer is D. ARP (Address Resolution Protocol, RFC 826) is the glue between Layer 3 and Layer 2 in IPv4 networks. The process: (1) The host checks its ARP cache for the target IP. (2) If not found, it sends an ARP Request — a Layer 2 broadcast (destination FF:FF:FF:FF:FF:FF) containing the target IP and asking for the MAC. (3) The device that owns that IP sends an ARP Reply — a unicast frame back to the requester containing its MAC address. (4) The requester caches the IP→MAC mapping. IPv6 does not use ARP — it uses NDP (Neighbor Discovery Protocol) with ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages sent to a solicited-node multicast address instead of broadcast.

5. What does the OUI portion of a MAC address identify, and how many bits does it occupy?

A. The unique device ID assigned by the OS — 32 bits in the second half of the MAC B. The NIC manufacturer, assigned by the IEEE — the first 24 bits (3 bytes) of the MAC address C. The IP subnet the device belongs to — derived from the last 16 bits D. The network segment — all devices on the same LAN share the same OUI

Correct answer is B. OUI stands for Organisationally Unique Identifier. It occupies the first 24 bits (3 bytes — the first three pairs in colon notation) of a MAC address and is assigned by the IEEE Registration Authority to NIC manufacturers. This means you can identify who made the NIC from its MAC address prefix — for example, 00:1A:2B indicates Cisco, 00:50:56 indicates VMware. The remaining 24 bits are assigned by the manufacturer to uniquely identify the individual device within their product range. The OUI system is what makes BIAs globally unique — as long as no two manufacturers are assigned the same OUI and each uses their 24-bit device field uniquely.

6. Which MAC address is sent to all devices in a broadcast domain, and what common protocols use it?

A. A unicast MAC address — sent to one device; used by HTTP and SSH B. A multicast MAC address — sent to a subscribed group; used by OSPF and IGMP C. The broadcast MAC FF:FF:FF:FF:FF:FF — received by every device on the LAN segment; used by ARP requests and DHCP Discover D. An anycast MAC address — delivered to the nearest member of a group

Correct answer is C. The broadcast MAC address FF:FF:FF:FF:FF:FF (all 48 bits set to 1) is delivered by switches to every port in the broadcast domain except the source port. Every NIC receives and processes frames with this destination MAC. This is used whenever a protocol needs to reach all devices on the segment before knowing anyone's MAC: ARP Requests ("Who has 192.168.1.1?"), DHCP Discover (client seeking any DHCP server), and some routing protocol hellos. Broadcasts are the reason broadcast domains should be kept small — too many devices broadcasting simultaneously wastes bandwidth and CPU time on all hosts.

7. What is the difference between a BIA and an LAA, and when would a network administrator use an LAA?

A. BIA (Burned-In Address) is the factory-assigned MAC stored in NIC hardware; LAA (Locally Administered Address) is a software override that replaces it — used for MAC spoofing, virtualisation, privacy randomisation, or bypassing MAC filters B. BIA is assigned dynamically by DHCP at boot; LAA is the permanent MAC burned into the NIC C. BIA is the IP address assigned by the router; LAA is the MAC address assigned by the switch D. BIA is a broadcast MAC address; LAA is a link-local MAC used for ARP

Correct answer is A. The BIA (Burned-In Address) is the globally unique MAC address programmed into the NIC's ROM or EEPROM by the manufacturer at the factory — it is persistent and survives reboots. The LAA (Locally Administered Address) is a software-configured override: the OS or hypervisor presents a different MAC to the network while the BIA is unchanged in hardware. The U/L bit (bit 2 of the first byte) distinguishes them: 0 = BIA (universally administered), 1 = LAA (locally administered). Legitimate uses of LAAs include: hypervisors assigning virtual MACs to VMs; mobile OSes randomising MACs per network for privacy (iOS 14+, Android 10+); network testing; and disaster recovery where a replacement NIC must present the original MAC to avoid reconfiguring upstream systems.

8. An attacker connects to a switch port and sends thousands of frames with random source MAC addresses. What attack is this, and what is the most effective mitigation?

A. IP spoofing — mitigated by configuring ACLs on the router to block invalid source IPs B. ARP poisoning — mitigated by enabling Dynamic ARP Inspection on the switch C. DHCP starvation — mitigated by enabling DHCP snooping to limit DHCP requests per port D. MAC flooding — the CAM table overflows and the switch begins flooding all frames to all ports, allowing the attacker to intercept traffic; mitigated by port security with a maximum MAC limit per port

Correct answer is D. This is a MAC flooding attack. A switch's CAM (MAC address) table has a finite size. When an attacker sends thousands of frames with unique, random source MACs, they fill the table. Once full, the switch cannot add new legitimate entries and begins to flood all frames to all ports (behaving like a hub), because it has no valid forwarding entry for any real destination MAC. This allows the attacker to capture traffic intended for other devices using a packet sniffer. The primary mitigation is port security: configure switchport port-security maximum 1 (or an appropriate limit) on access ports so the switch only learns a defined number of MACs per port, then takes action (shutdown/restrict/protect) if the limit is exceeded.

9. A packet travels from PC-A (192.168.1.10) to Server-B (10.20.30.40) through three routers. At the third and final router, what are the source and destination MAC addresses in the Ethernet frame being forwarded to Server-B?

A. Source MAC = PC-A's MAC; Destination MAC = Server-B's MAC — because both were set when PC-A first sent the packet B. Source MAC = the third router's outgoing interface MAC; Destination MAC = Server-B's MAC — the frame was rebuilt completely at each hop, and PC-A's original MAC has not appeared since the first hop C. Source MAC = the first router's MAC; Destination MAC = Server-B's MAC — the source MAC is fixed at the first router and carried throughout D. Source MAC = PC-A's MAC; Destination MAC = the broadcast address, so Server-B can identify itself

Correct answer is B. This question tests understanding of hop-by-hop MAC replacement — the single most important concept in the MAC vs IP comparison. At every router, the incoming Ethernet frame is completely stripped and a brand-new frame is constructed for the next outgoing link. By the time the packet reaches the third router, the source MAC of PC-A has not been present in any frame since the very first link (PC-A → Router 1). At the third router's outgoing interface, the frame contains: Source MAC = the third router's outgoing interface MAC (determined by an ARP lookup for Server-B or its gateway); Destination MAC = Server-B's MAC (obtained by ARP). Throughout all three hops, the IP source (192.168.1.10) and IP destination (10.20.30.40) inside the packet are completely unchanged.

10. Which command on Windows shows both the IP address and the MAC address (listed as "Physical Address") of each network adapter?

A. ipconfig /display — not a valid ipconfig option B. netstat -mac — not a valid netstat option; netstat shows connections and ports C. ipconfig /all — displays complete adapter information including IPv4/IPv6 addresses, subnet mask, gateway, DNS servers, DHCP status, lease times, and the Physical Address (MAC) D. ifconfig -a — the Linux/macOS equivalent; not available on Windows by default

Correct answer is C. ipconfig /all is the most information-rich Windows network diagnostic command. It displays every adapter's complete configuration: Physical Address (MAC in hyphen-separated hex, e.g. 00-1A-2B-3C-4D-5E), IPv4 Address, Subnet Mask, Default Gateway, DHCP Enabled status, DHCP Server, Lease Obtained/Expires, and DNS Servers. Plain ipconfig only shows IP, mask, and gateway — omitting the MAC. On Linux/macOS, the equivalent is ip link show (shows MAC as "link/ether") combined with ip addr show (shows IP addresses). On Cisco IOS, use show interfaces which includes the "Hardware is" line showing the interface's MAC address.