The Two Names of a Device
Deconstructing MAC and IP Addressing
1. MAC Address: The Physical DNA
The Media Access Control (MAC) address is a 48-bit value, conventionally written as 12 hexadecimal digits. Often called the "Physical Address" or "Burned-In Address" (BIA), it is globally unique and assigned by the manufacturer at the time of fabrication.
Binary Anatomy: 00:0C:29:ab:cd:ef
- Organizationally Unique Identifier (OUI): The first 24 bits (00:0C:29). This prefix is purchased by manufacturers from the IEEE. In this case, it identifies VMware, Inc.
- Individual/Group Bit (I/G): The least significant bit of the first byte. If it's 0, it's a unicast address. If it's 1, it's a multicast address.
- Universal/Local Bit (U/L): The second least significant bit of the first byte. It specifies whether the address is globally unique (0, assigned by IEEE) or locally administered (1, overridden by an administrator).
- NIC-Specific Bits: The final 24 bits (ab:cd:ef). This is the "Serial Number" assigned by the manufacturer to ensure no two devices share the same OUI+Serial combination.
While we think of MAC addresses as permanent, modern network cards allow for MAC Spoofing, where the software driver overrides the burned-in address. This is frequently used in network testing and, unfortunately, in malicious bypasses of MAC-based security filters.
2. IP Address: The Dynamic Label
The Internet Protocol (IP) address is a logical address. It tells the internet where you are relative to other routers. Unlike the MAC address, which stays with the hardware, the IP address often changes as you move between different WiFi networks or offices. This identity is typically assigned by a DHCP server.
3. The Interaction: Delivery vs Routing
The duality of MAC and IP is best understood through the Hierarchy of Delivery.
IP Address (The GPS)
Identifies the "Logical City". Routers use this to move packets across the country. It is hierarchical: the first part tells you the state, the second the city, the third the street.
MAC Address (The Fingerprint)
Identifies the "Physical Body". Once the packet arrives at the correct "Logical Building" (the local subnet), the switch uses the MAC address to find the exact door (physical port) where the device lives.
Without this two-tier system, the internet would collapse. If routers had to track every individual MAC address on Earth (billions of them), routing tables would be too massive to function. Instead, routers only track IP Prefixes (groups of addresses), only caring about the specific MAC address when the packet is in its "Last Mile" of delivery.
4. Layer 2 vs Layer 3 Intelligence
| Feature | MAC Address | IP Address |
|---|---|---|
| OSI Layer | Layer 2 (Data Link) | Layer 3 (Network) |
| Scope | Local Network ONLY (Unroutable) | Global (End-to-End Routing) |
| Hardware Device | Network Switch (ASIC) | Network Router (CPU/NPU) |
| Analogy | Social Security Number | Current Street Address |
5. The Handshake: ARP and NDP Binding
The link between these two addresses is maintained by specific protocols that "Glue" the layers together.
- IPv4 / ARP: The Address Resolution Protocol. When a host knows an IP but not the MAC, it sends a broadcast: "Who has 192.168.1.1?" The owner replies with its MAC.
- IPv6 / NDP: The Neighbor Discovery Protocol. IPv6 replaces broadcasts with efficient Solicited-Node Multicast. It performs the same mapping but with significantly less network noise.
6. Modern Forensics: MAC Randomization
In the early days of WiFi, a device's MAC address was a tracking beacon. Retailers could use physical sensors to track a customer's path through a store by watching their unique MAC address probe for WiFi.
To solve this, modern OSes (iOS 14+, Android 10+, Windows 10) use MAC Randomization. The device generates a "Private" MAC address for each SSID.
7. Virtualization Forensics: The Cloud Prefix
In a data center, there are more "Virtual" MACs than physical ones. Hypervisors must ensure they don't generate duplicates. They do this by reserving specific OUIs:
- VMware: Uses 00:05:69, 00:0c:29, or 00:50:56.
- Microsoft Hyper-V: Uses 00:15:5D.
- Amazon AWS (Nitro): Uses 02:00:00 (locally administered).
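The flag bits from section 1 and the hypervisor prefixes listed here are enough to triage a list of observed MAC addresses. The following is an added example, not code from the original article; the sample addresses are constructed and the prefix table holds only the OUIs named above.

```python
# Added example. The OUI table holds only the hypervisor prefixes listed above.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "00:15:5d": "Microsoft Hyper-V", "02:00:00": "Amazon AWS (Nitro)",
}

def parse_mac(text):
    """Accept colon, hyphen or dot separated notation; return the 6 raw bytes."""
    digits = "".join(c for c in text.strip() if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)  # raises ValueError on non-hex characters

def classify(text):
    raw = parse_mac(text)
    oui = ":".join(f"{b:02x}" for b in raw[:3])
    group = bool(raw[0] & 0x01)   # I/G bit: least significant bit of first byte
    local = bool(raw[0] & 0x02)   # U/L bit: second least significant bit
    vendor = HYPERVISOR_OUIS.get(oui)
    if group:
        verdict = "group address (multicast or broadcast), not valid as a source"
    elif vendor:
        verdict = f"virtual NIC ({vendor})"
    elif local:
        verdict = "locally administered: randomized, spoofed or software-assigned"
    else:
        verdict = "universally administered: OUI identifies the manufacturer"
    return {"oui": oui, "group": group, "local": local, "verdict": verdict}

# Constructed sample addresses, as they might appear in a DHCP lease list.
SAMPLES = [
    "00:0C:29:ab:cd:ef",   # the article's VMware example
    "00-15-5D-01-02-03",   # Hyper-V prefix, hyphen notation
    "0200.0012.3456",      # AWS Nitro prefix, dotted notation
    "da:a1:19:00:11:22",   # U/L bit set, no known prefix
    "3c:22:fb:aa:bb:cc",   # both flag bits clear
    "01:00:5e:00:00:fb",   # I/G bit set
]

if __name__ == "__main__":
    for mac in SAMPLES:
        print(f"{mac:20} {classify(mac)['verdict']}")
```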
8. Troubleshooting Case Study: The Duplicate MAC Paradox
The Incident
A large office reported "intermittent" connectivity. Host A would work for 10 minutes, then lose connection while Host B started working.
Forensic Discovery: Two low-cost NICs from a generic manufacturer had the exact same MAC address (a manufacturing error). The switch's MAC Address Table was "Flapping"—it would see the MAC on Port 1, then Port 2, and constantly update its forwarding logic.
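The flapping described above can be detected from MAC-learning events by counting how often one address moves between ports inside a short window. This is an added example, not part of the original case study; the event tuples, the 60-second window and the three-move threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed MAC-learning events: (seconds, MAC, switch port).
EVENTS = [
    (0,   "aa:bb:cc:00:00:01", 1),
    (3,   "aa:bb:cc:00:00:01", 2),
    (5,   "aa:bb:cc:00:00:02", 7),
    (9,   "aa:bb:cc:00:00:01", 1),
    (14,  "aa:bb:cc:00:00:01", 2),
    (400, "aa:bb:cc:00:00:02", 8),   # a single move: a device re-plugged once
]

def find_flaps(events, window=60, min_moves=3):
    """Return {mac: [ports]} for MACs that changed port min_moves times in window s."""
    last_port = {}
    moves = defaultdict(list)          # mac -> [(time, old_port, new_port)]
    for ts, mac, port in sorted(events):
        mac = mac.lower()
        if mac in last_port and last_port[mac] != port:
            moves[mac].append((ts, last_port[mac], port))
        last_port[mac] = port

    flapping = {}
    for mac, seen in moves.items():
        # Slide over consecutive moves and look for a burst inside the window.
        for i in range(len(seen) - min_moves + 1):
            burst = seen[i:i + min_moves]
            if burst[-1][0] - burst[0][0] <= window:
                flapping[mac] = sorted({p for _, a, b in burst for p in (a, b)})
                break
    return flapping

if __name__ == "__main__":
    for mac, ports in find_flaps(EVENTS).items():
        print(f"{mac} is flapping between ports {ports}")
```

A flagged address seen on two ports at once points to a duplicate MAC, a spoofed MAC, or a Layer 2 loop; the ports returned are where to start looking.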
16. Forensic Deep Dive: The Ethernet II Frame Header
When a packet travels across a cable, the MAC addresses are the very first thing the receiving hardware sees.
[ DESTINATION MAC (6 bytes) ] <-- Hardware checks this first
[ SOURCE MAC (6 bytes) ]
[ ETHERTYPE (2 bytes) ] <-- Tells the NIC if the payload is IPv4 or IPv6
[ IP PAYLOAD (46-1500 bytes) ]
[ FCS (4 bytes) ] <-- Error checking
Because the Destination MAC is at the very front of the frame, a switch can start forwarding the packet even before it has received the entire data payload. This is called Cut-Through Switching and is the secret to low-latency financial and gaming networks.
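A parser for the header layout above, as an added example that is not from the original article. It assumes the FCS has already been stripped by the NIC, handles the optional 802.1Q tag, and uses constructed frames as input.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Parse an Ethernet II header; the FCS is assumed already stripped."""
    if len(frame) < 14:
        raise ValueError("truncated frame: Ethernet header needs 14 bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:          # 802.1Q tag inserted after the source MAC
        if len(frame) < 18:
            raise ValueError("truncated frame: incomplete 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the tag are the VLAN ID
    if ethertype < 0x0600:           # values below 1536 are an 802.3 length field
        proto = "802.3 length field (not Ethernet II)"
    else:
        proto = ETHERTYPES.get(ethertype, f"unknown 0x{ethertype:04x}")
    return {
        "dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan, "protocol": proto,
        "dst_is_group": bool(dst[0] & 0x01),   # I/G bit of the destination MAC
        "payload": frame[offset:],
    }

# Constructed frames: header bytes followed by a zero-filled 46-byte payload.
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "000c29abcdef" "0806") + bytes(46)
TAGGED_IPV4 = bytes.fromhex("01005e0000fb" "000c29abcdef" "8100" "0064" "0800") + bytes(46)

if __name__ == "__main__":
    for frame in (ARP_BROADCAST, TAGGED_IPV4):
        info = parse_ethernet(frame)
        print(info["dst"], "<-", info["src"], info["protocol"], "vlan", info["vlan"])
```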
17. Multicast Mapping: The Binary Bridge
One of the most complex interactions between MAC and IP occurs in multicast. Since there is no single destination, how does the switch know which port to send the data to?
IPv4 multicast addresses (224.0.0.0/4) are mathematically mapped to a specific MAC range: 01:00:5E. The last 23 bits of the IP address are copied into the MAC. Because 5 bits of the IP are "lost" in this translation, 32 different IP addresses can share the same MAC. This "Collision" requires the NIC to perform additional filtering at the driver level.
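The mapping and its 32-to-1 collision, worked through in code. This is an added example, not from the original article; `host_accepts` is a hypothetical helper that models the extra filtering step, and the group addresses are sample values.

```python
import ipaddress

def multicast_mac(ip):
    """Map an IPv4 multicast group to its Ethernet multicast MAC."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF            # keep the last 23 bits of the IP
    mac = (0x01005E << 24) | low23          # fixed 01:00:5E prefix, next bit is 0
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))

def colliding_groups(ip):
    """List every group address that maps to the same MAC as ip."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    # The 4 leading bits are fixed (1110); the next 5 bits are the ones dropped.
    return [str(ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low23))
            for lost in range(32)]

def host_accepts(dst_ip, joined_groups):
    """Hypothetical model: (passes the MAC filter, passes the IP group check)."""
    joined_macs = {multicast_mac(g) for g in joined_groups}
    return multicast_mac(dst_ip) in joined_macs, dst_ip in joined_groups

if __name__ == "__main__":
    print(multicast_mac("224.0.0.251"))
    print(colliding_groups("224.0.0.251")[:3], "...")
    # A host joined to 224.0.0.251 still receives frames for 239.128.0.251
    # at Layer 2 and must discard them higher up.
    print(host_accepts("239.128.0.251", {"224.0.0.251"}))
```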
18. Security: The "Sticky" MAC Logic
In high-security environments, administrators use Sticky MAC. The switch "learns" the MAC address of the device first plugged into a port and writes it to the running configuration. If a different MAC (like an attacker's laptop) is plugged in, the port instantly shuts down. This creates a physical anchor between the hardware and the network fabric.
19. Conclusion: The Layered Identity
The relationship between MAC and IP is a masterpiece of computer science engineering. By separating the Physical Identity from the Logical Location, the internet gained the flexibility to grow from a few research labs to a global utility. Whether you are troubleshooting a "Duplicate MAC" flap in a data center or analyzing "MAC Randomization" on a mobile device, remembering that these two addresses are the two halves of a single map is the key to mastering network forensics.
11. Industrial Forensics: MAC in Real-Time Systems
In industrial automation protocols like PROFINET or EtherNet/IP, the relationship between MAC and IP is even more critical.
Some real-time industrial protocols bypass the IP layer entirely for critical safety messages. They use the MAC address to achieve sub-millisecond latency, sending "Raw Ethernet" frames directly to the motor controller. In these environments, an IP address is only used for management (HMI screens), while the actual physical work is controlled by Layer 2 MAC logic.
12. Wireless Mesh: The MAC Rewrite Hydraulic
In a wireless mesh network (like Eero or Google WiFi), a packet may hop through three different nodes before hitting the internet.
As the packet hops, the Source MAC and Destination MAC change at every hop to reflect the physical transmitters and receivers. However, the Source IP and Destination IP stay the same. This is the fundamental magic of the OSI model: the "Envelope" (MAC) is changed at every post office, but the "Letter" (IP) remains sealed.
13. Proxy ARP: The Helpful Liar
Sometimes, a router will purposefully answer an ARP request for an IP address it does not own, replying with its own MAC address. This is called Proxy ARP.
If Host A tries to reach an IP on a different subnet but doesn't have a gateway configured, it might send a broadcast ARP. A router with Proxy ARP enabled will see the request and reply with its own MAC address, essentially saying: "I'm not that IP, but I know how to get there. Send the data to me." This was common in legacy networks but is now considered a security risk.
14. Security Hardening: Enforcing the Binding
To prevent MAC spoofing and ARP poisoning, enterprise switches use a suite of features to "Lock" the MAC and IP together.
- Port Security: Limits the number of MAC addresses allowed on a single physical port.
- DHCP Snooping: The switch "listens" to DHCP conversations to build a database of which MAC owns which IP.
- IP Source Guard: If a device tries to send a packet with an IP address that doesn't match its MAC in the DHCP Snooping table, the switch drops the packet instantly.
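How the three features combine into a per-packet decision, as a simplified model. This is an added example, not vendor code or part of the original article; the `AccessSwitch` class, its method names and the addresses are hypothetical, and real switches also handle lease expiry, trusted ports and violation modes.

```python
class AccessSwitch:
    """Simplified model of Port Security + DHCP Snooping + IP Source Guard."""

    def __init__(self, max_macs_per_port=1):
        self.max_macs = max_macs_per_port
        self.port_macs = {}   # port -> set of learned MACs (Port Security)
        self.bindings = {}    # (port, mac) -> leased IP (DHCP Snooping table)

    def dhcp_ack(self, port, mac, ip):
        """Record the lease seen in a DHCP ACK for a client on this port."""
        self.bindings[(port, mac.lower())] = ip

    def check(self, port, src_mac, src_ip):
        mac = src_mac.lower()
        learned = self.port_macs.setdefault(port, set())
        if mac not in learned:
            if len(learned) >= self.max_macs:
                return "drop: port-security violation"
            learned.add(mac)
        # IP Source Guard: the source IP must match the snooped lease.
        if self.bindings.get((port, mac)) != src_ip:
            return "drop: ip-source-guard mismatch"
        return "forward"

def demo():
    sw = AccessSwitch(max_macs_per_port=1)
    sw.dhcp_ack(1, "00:0C:29:AB:CD:EF", "192.168.1.10")   # constructed lease
    packets = [                                            # constructed traffic
        (1, "00:0c:29:ab:cd:ef", "192.168.1.10"),  # matches its lease
        (1, "00:0c:29:ab:cd:ef", "192.168.1.1"),   # same NIC, different source IP
        (1, "da:a1:19:00:11:22", "192.168.1.10"),  # second MAC on the same port
        (2, "3c:22:fb:aa:bb:cc", "192.168.1.50"),  # static IP, never leased
    ]
    return [sw.check(*p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```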
15. Technical Encyclopedia: Identity & Layering
Burned-In Address. The permanent physical MAC address assigned at the factory.
Dynamic ARP Inspection. A security feature that validates ARP packets against a trusted DHCP binding table.
A method in IPv6 to generate a 64-bit interface ID from a 48-bit MAC address by inserting 'FFFE' in the middle.
Locally Administered Address. A MAC address that has been overridden by software or an administrator.
Neighbor Discovery Protocol. The IPv6 successor to ARP, used for discovering other devices on the same local link.
Organizationally Unique Identifier. The first 24 bits of a MAC address that identify the hardware vendor.
A special IPv6 multicast address used by NDP to reduce broadcast traffic during address resolution.
An 802.1Q header field that allows multiple logical networks to share the same physical MAC-based fabric.
6. The Binding Protocol: ARP and NDP
The link between these two addresses is maintained by specific protocols. In IPv4, the ARP (Address Resolution Protocol) maps them. In IPv6, the NDP (Neighbor Discovery Protocol) handles the job. These protocols are the reason your "Logical" data package correctly hits the "Physical" cable. See the IPv6 Header Breakdown for more.
Conclusion: The Two Halves of a Map
Understanding the difference between MAC and IP is the first step toward understanding network architecture. One represents the unchangeable hardware, and the other represents the temporary logical location. Together, they allow billions of devices to communicate with perfect accuracy across global distances.
Frequently Asked Questions
Can I hide my MAC address?
No. You need a source MAC address to send an Ethernet frame. However, you can use MAC Randomization (common on Android and iOS) which generates a fake, random MAC for every new network you join to prevent tracking.
What is a 'Loopback' address?
The loopback IP (127.0.0.1) is a logical IP that refers only to 'this' computer. It never reaches the physical NIC or uses a MAC address, allowing software to test network logic without needing a cable.
Which address does a Switch care about?
A standard Layer 2 switch only cares about the MAC address. It builds a 'Source Address table' to remember which MAC address is on which physical port, ensuring data only goes to the intended recipient.