AiTechWorlds
Imagine you want to send a package to a friend. You write their street address on the envelope — 42 Maple Street, Apartment 3B — and the postal service routes it across the city using that address. But when the courier finally arrives at the building, they don't use the street address anymore. They look for apartment 3B's specific door, which has a unique brass knocker shaped like a lion that has been there since the building was constructed.
That's exactly the relationship between IP addresses and MAC addresses. IP addresses are like street addresses: logical, assigned by networks, and changeable when you move. MAC addresses are like the door knocker: physical, tied to the hardware itself, permanently assigned at the factory. Both are necessary — one to get the data across the internet, one to get it to the right device on your local network.
A MAC (Media Access Control) address is a 48-bit hardware identifier permanently assigned to a network interface card (NIC) at the time of manufacture. Every Ethernet card, Wi-Fi adapter, and Bluetooth chip in existence has one.
It is written in hexadecimal, typically formatted as six pairs of digits separated by colons or hyphens:
AA:BB:CC:DD:EE:FF
or
AA-BB-CC-DD-EE-FF
or
AABB.CCDD.EEFF (Cisco notation)
Each hexadecimal pair represents 8 bits, so 6 pairs × 8 bits = 48 bits total.
The 48 bits are divided into two meaningful halves:
+---------------------------+---------------------------+
| OUI (24 bits) | Device ID (24 bits) |
| Manufacturer identifier | Unique per device |
+---------------------------+---------------------------+
AA:BB:CC DD:EE:FF
The first 3 bytes form the Organizationally Unique Identifier (OUI), assigned by the IEEE to manufacturers. You can look up any OUI to identify the maker:
| OUI | Manufacturer |
|---|---|
| 00:1A:2B | Cisco Systems |
| 3C:06:30 | Apple Inc. |
| D8:BB:C1 | Intel Corporate |
| B8:27:EB | Raspberry Pi Foundation |
The last 3 bytes are assigned by the manufacturer to make each device unique within their range.
Note: Modern operating systems support MAC address randomisation for Wi-Fi scanning, generating a random temporary MAC to prevent tracking across public networks. The hardware MAC is still fixed, but the system can present a different one. (RFC 7844 documents privacy considerations.)
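The sketch below is an added example, not part of the original course notes. It accepts the three notations shown above, splits the address into OUI and device ID, and reads the two flag bits in the first byte: the locally administered bit (0x02), which randomised MACs set, and the group bit (0x01). The function names and the sample address `da:a1:19:00:00:01` are made up for illustration.

```python
import re

# One pattern per notation shown above; mixed separators are rejected.
_NOTATIONS = [
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I),   # AA:BB:CC:DD:EE:FF
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}", re.I),   # AA-BB-CC-DD-EE-FF
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I),  # AABB.CCDD.EEFF
]

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written in any of the three notations."""
    text = text.strip()
    if not any(p.fullmatch(text) for p in _NOTATIONS):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:.\-]", "", text))

def describe_mac(text):
    """Split a MAC into OUI and device ID and decode the first-byte flag bits."""
    raw = parse_mac(text)
    return {
        "canonical": raw.hex(":"),
        "oui": raw[:3].hex(":"),
        "device_id": raw[3:].hex(":"),
        # 0x02 set: address chosen in software (randomised or manually set),
        # so the OUI does not identify a manufacturer.
        "locally_administered": bool(raw[0] & 0x02),
        # 0x01 set: group address (multicast or the FF:FF:FF:FF:FF:FF broadcast).
        "multicast": bool(raw[0] & 0x01),
    }

if __name__ == "__main__":
    for sample in ("B8-27-EB-00-01-02", "b827.eb00.0102", "da:a1:19:00:00:01"):
        print(describe_mac(sample))
```

An OUI lookup is only meaningful when `locally_administered` is false, which matters when an inventory or access-control list keys on the manufacturer prefix.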
When your computer wants to send data to another device on the same local network, it knows the destination IP address (say, 192.168.1.5) but needs the corresponding MAC address to construct the Ethernet frame. This translation is performed by the Address Resolution Protocol (ARP) — defined in RFC 826 (1982).
Device A (192.168.1.1) Device B (192.168.1.5)
│ │
│ 1. "Who has 192.168.1.5? │
│ Tell 192.168.1.1" │
│─────── ARP Request (broadcast) ────>│
│ (to FF:FF:FF:FF:FF:FF) │
│ │
│ 2. "I have 192.168.1.5! │
│ My MAC is B8:27:EB:00:01:02" │
│<────── ARP Reply (unicast) ──────────│
│ │
│ 3. Stores in ARP cache │
│ 4. Sends actual data frame │
│─────────────────────────────────────>│
Step 1 — ARP Request (Broadcast): Device A sends a broadcast frame (destination MAC FF:FF:FF:FF:FF:FF) to every device on the local network, asking "Who has IP 192.168.1.5? Please tell me your MAC."
Step 2 — ARP Reply (Unicast): Device B recognises its own IP, and replies directly to Device A with its MAC address.
Step 3 — Cache: Device A stores the IP-to-MAC mapping in its ARP cache to avoid repeating this process for every packet.
Step 4 — Communication: Device A can now send Ethernet frames directly to Device B's MAC address.
Every device maintains an ARP table — a short-term memory of known IP-to-MAC mappings. You can inspect it:
# Windows / Linux / macOS
arp -a
# Sample output:
Interface: 192.168.1.1 --- 0x5
Internet Address Physical Address Type
192.168.1.254 d8:bb:c1:44:22:11 dynamic
192.168.1.5 b8:27:eb:00:01:02 dynamic
224.0.0.22 01:00:5e:00:00:16 static
Entries marked dynamic expire after a timeout (typically 20 minutes on Windows, up to several hours on Linux). Static entries are manually configured and never expire.
A critical distinction:
| Property | MAC Address | IP Address |
|---|---|---|
| Layer | Data Link (Layer 2) | Network (Layer 3) |
| Scope | Local network only | Global (across internet) |
| Assigned by | Manufacturer | Network admin / DHCP |
| Changeability | Fixed (hardware); can be spoofed in software | Changes when you change networks |
| Format | 48-bit hex | 32-bit decimal (IPv4) or 128-bit hex (IPv6) |
| Used for | Ethernet frames on a single segment | Routing packets across networks |
When a packet travels from your laptop to a website in another country, the IP addresses stay constant throughout the journey, but the MAC addresses change at every router hop — each hop creates a new Ethernet frame for the next segment.
Laptop ──── Router ──── ISP Router ──── Internet ──── Web Server
MAC: A→B MAC: B→C MAC: C→D MAC: X→Y
IP: A→Z IP: A→Z IP: A→Z IP: A→Z
A VLAN (Virtual Local Area Network) allows a single physical switch to act as multiple logical switches, grouping ports into separate broadcast domains. Instead of needing separate hardware for each department, a VLAN tag (802.1Q) added to Ethernet frames tells the switch which virtual network a frame belongs to.
Physical Switch
┌────────────────────────────────────────┐
│ VLAN 10 (HR) VLAN 20 (Engineering)│
│ Ports: 1-4 Ports: 5-8 │
│ 192.168.10.x 192.168.20.x │
└────────────────────────────────────────┘
Devices in VLAN 10 cannot directly communicate with devices in VLAN 20 without going through a router — even if they're plugged into the same physical switch. This provides security and reduces broadcast traffic.
Because ARP has no authentication, it is vulnerable to ARP poisoning (also called ARP spoofing). An attacker can send fake ARP replies to a device, claiming that a malicious MAC address corresponds to the gateway's IP address. All traffic the victim intends to send to the internet then flows through the attacker first — a Man-in-the-Middle (MITM) attack.
Defences include Dynamic ARP Inspection (DAI) on managed switches, static ARP entries for critical devices, and encrypted protocols (HTTPS, VPN) which make intercepted traffic useless even if captured.
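The following added example (not from the original notes) shows the idea behind these defences on the detection side: parse the RFC 826 body of each ARP packet and compare the sender's IP-to-MAC claim against bindings already trusted or learned. `ArpMonitor`, `build_arp`, `parse_arp` and `demo` are hypothetical names, the packets are byte strings constructed in memory and never sent, and the MACs for Device A and the conflicting sender are made-up values.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4: 28 bytes
ARP_LEN = struct.calcsize(ARP_FMT)

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP body (oper 1 = request, 2 = reply); nothing is sent."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(body):
    """Return (sender_ip, sender_mac), or None if not Ethernet/IPv4 ARP."""
    if len(body) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, body[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return socket.inet_ntoa(spa), sha.hex(":")

class ArpMonitor:
    """Hypothetical checker: flags sender claims that contradict known bindings."""
    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})  # ip -> mac, e.g. static entries

    def observe(self, body):
        parsed = parse_arp(body)
        if parsed is None:
            return "ignored"
        ip, mac = parsed
        known = self.bindings.setdefault(ip, mac)  # first sighting is learned
        if known != mac:
            return f"ALERT {ip}: {known} -> {mac}"  # old binding is kept
        return "ok"

def demo():
    gw, dev_b = "d8:bb:c1:44:22:11", "b8:27:eb:00:01:02"  # from the sample ARP table
    dev_a, rogue = "02:00:00:00:00:01", "02:00:00:00:00:99"  # constructed values
    mon = ArpMonitor(trusted={"192.168.1.254": gw})
    bodies = [
        build_arp(2, dev_b, "192.168.1.5", dev_a, "192.168.1.1"),    # genuine reply
        build_arp(2, gw, "192.168.1.254", dev_a, "192.168.1.1"),     # genuine gateway
        build_arp(2, rogue, "192.168.1.254", dev_a, "192.168.1.1"),  # conflicting claim
    ]
    return [mon.observe(b) for b in bodies]
```

Seeding `trusted` with the gateway's address mirrors a static ARP entry; a monitor that only learns from traffic can be primed with a false binding if the first reply it sees is forged.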
MAC addresses are the physical identity of your network hardware — 48-bit codes split between a manufacturer OUI and a device-specific identifier. ARP is the protocol that maps IP addresses to MAC addresses on local networks, maintaining a cache for efficiency. While IP addresses route traffic across the entire internet, MAC addresses handle the final hop — getting data to exactly the right device on your local segment. VLANs extend this concept by creating logical separations within a physical network, and understanding ARP's trust model explains why network security cannot rely on Layer 2 alone.