The simple answer

A MAC address (Media Access Control address) is a unique identifier assigned to a network interface card (NIC) at the time it's manufactured. It's permanently embedded in the hardware — every Wi-Fi card, Ethernet adapter, and Bluetooth chip has one, and no two are supposed to be the same anywhere in the world.

If an IP address is like your current home address (it can change when you move), a MAC address is like your fingerprint — it stays with the hardware forever regardless of where it connects.

What a MAC address looks like

A MAC address is 48 bits long, written as six pairs of hexadecimal characters separated by colons or hyphens. It always looks something like this:

🔍 MAC Address Anatomy
A4 : C3 : F0 : 7B : 2D : 91
First 3 pairs — OUI
Organizationally Unique Identifier — identifies the manufacturer. Every NIC made by the same company shares these first 3 bytes.
Last 3 pairs — Device ID
Assigned by the manufacturer to uniquely identify that specific device. This makes the full address globally unique.

Hexadecimal uses digits 0–9 and letters A–F, so each pair can represent values from 00 to FF. You don't need to memorize the math — just recognize the format on the exam.

⚡ A+ Exam Format Notes

MAC addresses appear on the exam written with colons (A4:C3:F0:7B:2D:91) or hyphens (A4-C3-F0-7B-2D-91). Both are the same address — Windows tends to use hyphens, Linux and Mac use colons. Either format is valid.

The exam may also call the first half the OUI (Organizationally Unique Identifier) — this identifies the manufacturer and is worth knowing by name.

MAC address vs IP address — the key difference

This is one of the most commonly tested comparisons on the A+ exam. The short version: a MAC address is a permanent hardware identity, while an IP address is a temporary logical assignment. They operate at different layers of the OSI model and serve different purposes.

MAC Address IP Address
What it is Hardware address Logical address
Assigned by Manufacturer (burned in) DHCP server or manually
Can it change? No (permanent)* Yes — changes per network
OSI Layer Layer 2 — Data Link Layer 3 — Network
Format A4:C3:F0:7B:2D:91 192.168.1.25
Scope Local network only Global (internet-routable)
Used by Switches, ARP Routers, DNS, internet

* MAC addresses can be spoofed in software, but the physical address burned into the hardware doesn't change.

How to find your MAC address on Windows

The fastest way is with ipconfig /all — the same command from the network troubleshooting commands guide. Look for the line labeled Physical Address.

ipconfig /all Windows CMD
C:\>ipconfig /all
Sample output (Ethernet adapter) Ethernet adapter Ethernet:

  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) Ethernet Connection
  Physical Address. . . . . . . . . : A4-C3-F0-7B-2D-91
  DHCP Enabled. . . . . . . . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 192.168.1.25
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.1.1

The Physical Address line is your MAC address. Windows displays it with hyphens. Notice it appears right alongside the IP address — both are shown by ipconfig /all but serve completely different purposes.

How switches use MAC addresses

This is where MAC addresses do their most important work. A switch operates at Layer 2 of the OSI model and uses MAC addresses — not IP addresses — to decide where to send frames on a local network.

🔀 How a Switch Learns and Forwards Using MAC Addresses
1
A frame arrives on a port
When Device A sends data, the switch receives the frame on the port Device A is plugged into. The frame contains Device A's source MAC address.
2
The switch records the MAC address
The switch adds the source MAC address and the port number to its MAC address table (also called a CAM table). Over time it learns where every device lives.
A4:C3:F0:7B:2D:91 → Port 3
3
The switch checks the destination MAC
It looks up the destination MAC address in its table. If it finds a match, it sends the frame only to that specific port — not to everyone.
4
Unknown MAC = flood
If the destination MAC is not in the table yet, the switch floods the frame out all ports (except the one it came in on) until it gets a response and learns where that device is.

This is why switches are more efficient than hubs — a hub blindly sends every frame to every device, while a switch uses MAC addresses to deliver frames only where they need to go.

ARP — how IP addresses get matched to MAC addresses

Here's a question worth thinking about: if switches use MAC addresses and routers use IP addresses, how does a device know the MAC address of another device it wants to talk to?

The answer is ARP — Address Resolution Protocol. When Device A wants to send data to 192.168.1.30 but doesn't know its MAC address, it broadcasts an ARP request to the whole network: "Who has 192.168.1.30? Tell me your MAC address."

🔗 ARP — The Bridge Between IP and MAC

ARP Request (broadcast): "Who has 192.168.1.30? Tell A4:C3:F0:7B:2D:91."

ARP Reply (unicast): "192.168.1.30 is at B8:27:EB:4A:1C:55."

Device A stores this mapping in its ARP cache so it doesn't have to ask again. You can view your ARP cache by running arp -a in a Windows command prompt.

What the A+ exam tests on MAC addresses

📋
MAC = Layer 2 / Data Link
The exam will ask which OSI layer MAC addresses operate at. The answer is always Layer 2 — the Data Link layer.
🏭
OUI identifies the manufacturer
The first three bytes (six hex characters) of a MAC address identify the manufacturer. This is called the OUI — Organizationally Unique Identifier.
🔀
Switches use MACs, routers use IPs
Switches forward frames using MAC addresses at Layer 2. Routers forward packets using IP addresses at Layer 3. Classic exam distinction.
🔍
Physical Address in ipconfig /all
Windows shows the MAC address as "Physical Address" in the output of ipconfig /all. Knowing how to find it is a tested skill.
⚡ DHCP Reservations — a common A+ scenario

DHCP servers can be configured to always assign the same IP address to a specific device by matching its MAC address. This is called a DHCP reservation (or static DHCP assignment). The server says: "Whenever I see MAC address A4:C3:F0:7B:2D:91, always give it 192.168.1.50."

This is how network printers and servers get consistent IP addresses without being manually configured with a static IP. It comes up on both A+ and Network+ exams.

MAC spoofing — the Security+ attack

Although MAC addresses are burned into hardware, the operating system can override what it transmits — this is called MAC spoofing. An attacker changes their device's reported MAC address to impersonate another device on the network.

⚠️ MAC spoofing — how and why

Bypass MAC filtering: Many wireless networks use MAC address filtering as an access control measure — only allowing known MAC addresses to connect. An attacker can capture a legitimate device's MAC address from wireless traffic (MACs are transmitted in plaintext) and spoof it to gain access.

Identity impersonation: On wired networks, spoofing a MAC address can fool switches into forwarding traffic intended for the real device to the attacker instead — a form of Layer 2 interception.

📌 Why MAC filtering is weak security

MAC filtering is easily defeated by spoofing and should never be relied on as a primary security control. The Security+ exam expects you to recognise it as security through obscurity — it adds friction but provides no real protection against a determined attacker. Use 802.1X (RADIUS authentication) instead for genuine network access control.

CAM table overflow attack

Switches maintain a CAM table (Content Addressable Memory) — a mapping of MAC addresses to switch ports. This is how a switch knows which port to send traffic to, rather than flooding it everywhere like a hub. Each entry has a timeout and is refreshed when traffic is seen from that MAC address.

A CAM table overflow attack exploits the fact that the CAM table has finite memory. The attacker floods the switch with thousands of frames with fake source MAC addresses, filling the CAM table completely. When the table is full, the switch can no longer learn new entries — it falls back to flooding all traffic out of all ports, exactly like a hub. The attacker's device, connected to one of those ports, now receives a copy of every frame on the network.

CAM table overflow — attack flow
Normal operation:
Switch CAM table: AA:BB:CC → Port 1 | DD:EE:FF → Port 2 | ...
Switch sends traffic only to the correct port

Attack:
Attacker tool (macof) floods switch with 10,000+ fake MAC addresses
CAM table fills to capacity — no more entries can be added

Result:
Switch cannot find new MACs in table → floods ALL traffic to ALL ports
Attacker receives a copy of every frame → passive network interception

Port security — the defence

Port security is a switch feature that limits how many MAC addresses can be learned on a given port, and optionally locks the port to specific MAC addresses. It directly counters CAM table overflow attacks and prevents rogue devices from connecting.

Port security — violation modes
Protect   Drop frames from unknown MACs. No alert, port stays up.
Restrict  Drop frames + increment violation counter + send SNMP trap.
Shutdown  Put port into err-disabled state immediately. Requires manual re-enable.
           ← Default and most secure. The exam answer when asked "most restrictive mode".
⚡ Security+ — MAC address attacks summary

MAC spoofing — attacker changes their MAC to impersonate another device. Bypasses MAC filtering. Defence: use 802.1X instead of MAC filtering.

CAM table overflow — floods switch with fake MACs until it floods traffic like a hub. Enables passive interception. Defence: port security with maximum MAC limit per port.

Port security shutdown mode — the most restrictive violation response. Err-disables the port immediately when a violation is detected.

Broadcast vs unicast vs multicast — MAC addressing modes

Not all frames are addressed to a single device. Understanding the three MAC addressing modes is tested on both A+ and Network+:

Type MAC address Delivered to Example use
Unicast Specific device MAC One device only Normal data transfer between two devices
Broadcast FF:FF:FF:FF:FF:FF All devices on segment ARP requests, DHCP discovery
Multicast Starts with 01:00:5E (IPv4) Group of subscribed devices Video streaming, routing protocol updates

Key Takeaways

A MAC address is a permanent hardware identifier burned into a NIC at the factory — 48 bits written as 6 pairs of hex characters
The first 3 pairs are the OUI (manufacturer ID), the last 3 pairs uniquely identify the device
MAC addresses operate at OSI Layer 2 (Data Link) — IP addresses operate at Layer 3 (Network)
Switches use MAC address tables to forward frames only to the correct port — more efficient than hubs
ARP resolves IP addresses to MAC addresses on a local network — view your cache with arp -a
Find your MAC address on Windows with ipconfig /all — look for Physical Address
DHCP reservations use MAC addresses to assign a consistent IP to a specific device every time

Related Articles

OSI Model — All 7 Layers Network Troubleshooting Commands What Is DHCP? What Is DNS? What Is a Subnet Mask? What Is a Default Gateway? TCP vs UDP Explained Firewall Basics Router vs Switch Networking Master Guide

Preparing for the A+ exam?

See the books and practice exams that make the most difference.

See Best Study Resources →