What Is a MAC Address? Format, Bits, and How Switches Use It

2026-06-12 · 9 min read

Every network interface — whether in a laptop, a smartphone, a data center server, or a managed switch — has a MAC address (Media Access Control address). This 48-bit identifier is what Layer 2 networking uses to deliver frames across a single Ethernet segment. While IP addresses move traffic across routers and networks, MAC addresses move frames between devices sharing the same physical or logical link. Understanding MAC addresses is foundational to understanding Ethernet, ARP, IPv6 address autoconfiguration, and the security properties — and weaknesses — of local area networks.

Format and Structure

A MAC address is 48 bits (6 bytes) written as six pairs of hexadecimal digits, separated by colons, hyphens, or dots depending on platform convention:

3C:22:FB:4A:8D:01   (Linux/macOS colon notation)
3C-22-FB-4A-8D-01   (Windows hyphen notation)
3C22.FB4A.8D01      (Cisco dot notation)

The address is divided into two 24-bit halves. The upper 24 bits form the OUI (Organizationally Unique Identifier), assigned by the IEEE to device manufacturers. The lower 24 bits are the device identifier, assigned by the manufacturer to each individual interface. Together they should produce a globally unique address — the IEEE's assignment of OUI blocks theoretically guarantees no two manufacturers share the same prefix, and each manufacturer is responsible for uniqueness within their block. In practice, hardware bugs and MAC conflicts occur but are rare.

The OUI 3C:22:FB belongs to Apple. When you see a device with a MAC starting with 3C:22:FB, it was manufactured by Apple. OUI lookups are publicly available and are a practical tool for device identification on a network. Use this site's lookup tool or the IEEE's public registry.

The Two Special Bits: I/G and U/L

Two bits in the least significant byte of the first octet carry special meaning. They are the I/G bit (Individual/Group, bit 0 of the first byte) and the U/L bit (Universal/Local, bit 1 of the first byte).

The I/G bit (bit 0, least significant bit of the first byte) distinguishes unicast from group addresses. When 0, the frame is destined for a single interface. When 1, the frame is for a group — either a multicast group or the broadcast address. Every switch on the segment delivers group-addressed frames to multiple ports. This is why the broadcast address FF:FF:FF:FF:FF:FF (all bits 1, so I/G=1) is delivered to every device on the segment.

The U/L bit (bit 1) distinguishes universally administered addresses (U/L=0) from locally administered ones (U/L=1). A burned-in hardware MAC has U/L=0, meaning the IEEE guarantees its global uniqueness through OUI assignment. When software overrides the MAC — for a virtual machine, a container, a VPN interface, or a privacy-randomized address — it sets U/L=1, signaling that the address was assigned locally and may not be globally unique.

Note that the I/G and U/L bits are in the first transmitted byte, and Ethernet transmits bytes LSB-first (least significant bit first on the wire). This creates a subtle confusion: in hexadecimal notation, what appears as bit 0 of the first byte is actually the first bit transmitted on the wire — the I/G bit. When reading about MAC address bits in literature, confirm whether the author is referring to the wire bit order or the numerical bit order.

Broadcast and Multicast MAC Addresses

The broadcast MAC FF:FF:FF:FF:FF:FF causes every device on the Ethernet segment to receive and process the frame. ARP requests use broadcast: a device wanting to reach an IP address it has no MAC entry for sends an Ethernet frame with broadcast destination and asks "who has 192.168.1.1?" Every device receives it; only the owner of that IP replies.

Layer 2 multicast addresses map to specific protocol groups. The most important mappings:

MAC Address Pattern	Purpose
`01:00:5E:00:00:00` – `01:00:5E:7F:FF:FF`	IPv4 multicast (lower 23 bits of group address mapped in)
`33:33:xx:xx:xx:xx`	IPv6 multicast (lower 32 bits of IPv6 group address)
`01:80:C2:00:00:00`	Spanning Tree Protocol BPDUs
`01:80:C2:00:00:02`	LACP (Link Aggregation Control Protocol)
`01:00:0C:CC:CC:CC`	Cisco CDP / VTP multicast

For IPv4 multicast, the mapping works as follows: IANA owns OUI 01:00:5E. The 23 low-order bits of the IPv4 multicast group address are placed into the low-order 23 bits of the MAC address. The group 224.0.0.1 (all-hosts) maps to 01:00:5E:00:00:01. Because IPv4 multicast addresses use only 28 significant bits but MAC gets only 23, there is a 32-to-1 mapping ambiguity — 32 different IP multicast groups can map to the same MAC. IGMP snooping on switches resolves this by tracking group memberships at the IP level.

For IPv6, the multicast MAC prefix is 33:33 (locally administered, multicast), and the low 32 bits of the IPv6 multicast address fill the last 4 bytes. The solicited-node multicast address used by Neighbor Discovery (NDP) maps to 33:33:FF:xx:xx:xx, enabling a switch to deliver neighbor discovery frames only to devices whose addresses share the same low 24 bits — far more efficient than broadcasting.

How Switches Learn MAC Addresses

Ethernet switches build their CAM table (Content-Addressable Memory, also called the MAC address table) dynamically through passive observation. No configuration is required:

A frame arrives on port 4 with source MAC AA:BB:CC:DD:EE:01.
The switch records: AA:BB:CC:DD:EE:01 is reachable via port 4. Entry expires after ~300 seconds of inactivity.
If the destination MAC is known in the table, the switch forwards out only that port (unicast forwarding).
If the destination is not known, the switch floods the frame out every port except the ingress port (unknown unicast flooding).

This self-learning mechanism is remarkably simple and scales well. A high-end data center switch may hold 128,000 or more MAC entries. The expiry timer matters: too short and the switch floods unnecessarily on quiet networks; too long and stale entries from moved devices cause initial packet loss when a device migrates to a new port.

MAC Flooding Attacks

The CAM table has a fixed capacity. An attacker on the network can send frames with rapidly changing, random source MAC addresses. The switch dutifully learns each one. When the CAM table fills, the switch can no longer learn new legitimate MACs. Its fallback behavior — flooding unknown unicast frames — turns the switch into a hub: every frame is delivered to every port, and the attacker on one port sees all traffic on the segment. This is a MAC flooding attack and is the Layer 2 equivalent of a man-in-the-middle attack.

Mitigations include port security (limiting the number of learned MACs per port, shutting down violating ports), 802.1X authentication (requiring devices to authenticate before the port forwards any traffic), and dynamic ARP inspection. In modern networks with VLANs, the blast radius is limited to the VLAN — an attacker on VLAN 10 cannot flood VLAN 20.

Locally Administered Addresses and MAC Randomization

With the U/L bit set to 1, a software-assigned MAC address is signaled as locally administered. This pattern is used everywhere:

Virtual machines — hypervisors assign locally administered MACs to VM virtual NICs to avoid conflicts with physical hardware MACs.
Containers — Docker and container runtimes assign locally administered MACs to veth interfaces.
VPN tunnels — TUN/TAP interfaces in WireGuard, OpenVPN, and similar tools use locally administered MACs.
MAC randomization — iOS (since iOS 14), Android (since Android 10), Windows 10, and macOS randomize the MAC address used during Wi-Fi scanning and, optionally, during connections. A device sends probe requests (scanning for known networks) with a random locally administered MAC rather than its real hardware MAC, preventing passive tracking across locations. Apple and Google generate per-network randomized stable MACs — the same random MAC is reused each time you connect to the same SSID, but a different one is used for each network.

MAC randomization has implications for network management: DHCP leases that were tied to hardware MACs become less reliable for identifying devices; enterprise network access control (NAC) systems that fingerprint devices by MAC address require adaptation; and per-device Wi-Fi traffic analytics based on MAC observation are defeated by design.

EUI-64 and IPv6 Address Autoconfiguration

IPv6 SLAAC (Stateless Address Autoconfiguration) can derive a host's link-local and global IPv6 addresses directly from its MAC address using the EUI-64 (Extended Unique Identifier) process:

Take the 48-bit MAC address: 3C:22:FB:4A:8D:01
Split it at the 24-bit midpoint and insert FF:FE to expand to 64 bits: 3C:22:FB:FF:FE:4A:8D:01
Flip the U/L bit (bit 1 of the first byte): 3C is 0011 1100, flip bit 1 → 0011 1110 = 3E
Result: 3E:22:FB:FF:FE:4A:8D:01 — the 64-bit interface identifier

Combined with a /64 prefix from a router advertisement (e.g. 2001:db8:1::/64), the full IPv6 address becomes 2001:db8:1::3e22:fbff:fe4a:8d01. Because the MAC address is embedded, EUI-64 addresses are globally unique and stable — but also trackable. A device's MAC is visible in its IPv6 address, enabling cross-network tracking. This is why RFC 4941 (Privacy Extensions for SLAAC) generates randomized, temporary addresses that rotate over time, and why modern systems (including iOS, Android, Windows, and Linux) use privacy addresses by default rather than EUI-64.

MAC vs. IP: Layer Separation

The critical architectural principle is that MAC addresses are link-local. They are replaced at every Layer 3 hop. When your computer sends a packet to a web server across the internet:

The IP packet's source and destination addresses (192.168.1.100 → 93.184.216.34) remain unchanged across the entire path.
The Ethernet frame's source and destination MACs change at every router. On your LAN, the frame's destination MAC is your router's MAC. The router receives it, strips the Ethernet header, routes the IP packet, builds a new Ethernet frame with its WAN interface MAC as source and the next hop's MAC as destination.

No device beyond your local router ever sees your MAC address. MAC addresses do not appear in IP headers, BGP routes, or any Layer 3 construct. The popular misconception that MAC addresses can be traced across the internet is false — they are stripped at the first router and replaced with the router's MAC for the next link.

Explore It Live

MAC addresses operate at the edge, below the routing layer. To explore the Layer 3 world that sits on top of Layer 2, look up IP addresses and the networks that own them:

1.1.1.1 — Cloudflare's resolver: arrives at your router via Ethernet before any BGP routing
8.8.8.8 — Google's DNS: the packet crosses many Ethernet links, each with different source/dest MACs
AS16509 — Amazon Web Services — see how IP address blocks are organized above the MAC layer