Two Addresses, One Device — Why Every NIC Has Both
Every network-connected device carries two distinct identifiers simultaneously. One is burned into its hardware at the factory and travels with the device for life. The other is assigned by the network it joins and can change every time the device reconnects. These are the MAC address and the IP address, and confusing the two is responsible for more network troubleshooting dead-ends than almost any other misunderstanding in IT.
The analogy that actually holds up: your MAC address is your legal name — it identifies the physical object regardless of where it is. Your IP address is your current mailing address — it tells the network where to route packets to reach you right now, but it changes when you move to a different network or when your DHCP lease expires.
Both addresses are necessary. Without MAC addresses, switches could not forward frames within a local network segment. Without IP addresses, routers could not direct traffic between different networks or across the internet. They operate at different layers of the OSI model and solve different problems — but they must work together every time data moves anywhere.
What Is a MAC Address?
MAC stands for Media Access Control. It is a 48-bit identifier assigned to a Network Interface Controller (NIC) — the hardware component that physically connects a device to a network. The IEEE manages MAC address allocation. The first 24 bits are the OUI (Organizationally Unique Identifier), assigned to the manufacturer. The remaining 24 bits are assigned by the manufacturer to uniquely identify the specific device.
MAC addresses are written in hexadecimal and typically displayed as six pairs of hex digits separated by colons or hyphens: 00:1A:2B:3C:4D:5E. The OUI in this example, 00:1A:2B, identifies the manufacturer. You can look up any OUI in the IEEE public registry to find out who made the hardware.
MAC addresses operate at OSI Layer 2 (Data Link Layer). Ethernet switches use MAC address tables to forward frames directly to the correct port within a local network segment. A switch reads the destination MAC in an incoming Ethernet frame and delivers it to the exact port where that MAC address is registered — no routing required.
A few important facts about MAC addresses:
- They are theoretically globally unique, but vendor implementation errors and MAC randomization features on modern devices complicate this.
- Modern smartphones randomize their MAC address per network connection for privacy, meaning the MAC your router sees may not be the hardware MAC.
- MAC addresses are only relevant within a single network segment (broadcast domain). They are stripped and rewritten at each router hop.
- You can override the MAC address in software — this is called MAC spoofing — but the hardware address burned into the NIC remains unchanged.
What Is an IP Address?
An IP address is a logical address assigned to a network interface by the network infrastructure or by manual configuration. Unlike a MAC address, an IP address is not tied to hardware — it describes where a device sits within a network topology at a specific moment in time.
IP addresses operate at OSI Layer 3 (Network Layer). Routers use IP addresses to make forwarding decisions and move packets between networks. A router consults its routing table, matches the destination IP prefix, and forwards the packet toward the next hop — repeating this process at each router until the packet reaches its destination network.
There are two versions in active use:
- IPv4: 32-bit addresses written in dotted-decimal notation, e.g.
192.168.1.100. The total address space is approximately 4.3 billion addresses — exhausted at the IANA level in 2011. - IPv6: 128-bit addresses written in colon-separated hexadecimal groups, e.g.
2001:0db8:85a3::8a2e:0370:7334. The address space is effectively inexhaustible for practical purposes.
IP addresses can be static (manually configured, never changes) or dynamic (assigned by a DHCP server, can change on each lease renewal). Static addresses are common for servers, network equipment, and printers. Dynamic addresses are standard for end-user devices.
How ARP Bridges the Two Address Layers
Here is where things get practical. When your computer wants to send data to another device at IP address 192.168.1.50, it knows the IP destination — but Ethernet frames require a MAC address destination. Your computer needs to resolve the IP address to the corresponding MAC address on the local segment.
This is the job of ARP (Address Resolution Protocol). Your computer broadcasts an ARP request to FF:FF:FF:FF:FF:FF (the Ethernet broadcast address): Who has IP 192.168.1.50? Tell 192.168.1.1. The device that owns that IP responds with its MAC address. Your computer caches this IP-to-MAC mapping in its ARP table for a short period to avoid repeating the broadcast for every packet.
You can view your current ARP cache with arp -a on both Windows and Linux. The entries show the IP-to-MAC mappings your system has learned recently. When the cache expires, the ARP request is repeated.
For IPv6, NDP (Neighbor Discovery Protocol) performs the equivalent function using ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages instead of broadcast ARP requests.
Architecture: The OSI Layer Breakdown
Understanding where each address type lives in the stack clarifies their roles precisely:
| OSI Layer | Protocol | Address Type | Device | Scope |
|---|---|---|---|---|
| Layer 2 — Data Link | Ethernet, Wi-Fi (802.11) | MAC Address | Switch | Local segment only |
| Layer 3 — Network | IP (IPv4, IPv6) | IP Address | Router | Global internet |
| Layer 2/3 Bridge | ARP / NDP | Maps IP → MAC | Host | Local segment |
When a packet crosses a router, the router strips the Layer 2 Ethernet frame entirely, consults the routing table using the Layer 3 IP destination, then wraps the IP packet in a brand new Ethernet frame with the next hop's MAC address. The source and destination IP addresses remain unchanged across the entire path. The MAC addresses change at every hop.
MAC Address vs IP Address: Side-by-Side Comparison
| Property | MAC Address | IP Address |
|---|---|---|
| OSI Layer | Layer 2 (Data Link) | Layer 3 (Network) |
| Assignment | Manufacturer (hardware) | DHCP server or manual config |
| Format | 48-bit hex (e.g. 00:1A:2B:3C:4D:5E) | 32-bit decimal (IPv4) or 128-bit hex (IPv6) |
| Scope | Local broadcast domain only | Global — routable across internet |
| Changeability | Permanent (spoofable in software) | Dynamic (DHCP) or static |
| Uniqueness | Globally unique (by IEEE spec) | Unique within a network scope |
| Used by | Switches, ARP | Routers, DNS, firewalls |
| Privacy concern | Can identify device manufacturer | Can reveal geographic location |
Real-World Use Cases
DHCP Reservations: Network administrators configure DHCP servers to always assign the same IP address to a specific MAC address. This is called a DHCP reservation or static DHCP. The printer's MAC AA:BB:CC:DD:EE:FF always gets 192.168.1.200, making it easy to configure firewall rules without using a fully static IP.
MAC Address Filtering: Wi-Fi routers can whitelist specific MAC addresses, rejecting connections from any device not on the list. This provides a small layer of access control, though it is easily bypassed by MAC spoofing and should not be relied upon as a primary security control.
Network Forensics: When investigating a security incident, knowing the MAC address of a compromised device helps trace exactly which physical port on which switch it was connected to — even if the IP address was shared or changed during the attack.
ISP Modem Authentication: Some ISPs authenticate customers by the MAC address of their router or modem. This is why you sometimes need to call your ISP after replacing a home router — they need to register the new MAC address before granting internet access.
Common Misconceptions
Misconception 1: MAC Addresses Are Always Unique
The IEEE system is designed to ensure global uniqueness, but it is not guaranteed in practice. Vendors occasionally reuse OUI blocks or make firmware errors resulting in duplicate MACs. More significantly, modern OS features like Wi-Fi MAC randomization mean your device presents a different, randomly generated MAC to each network it connects to. iOS, Android, and Windows 11 all do this by default. The randomized MAC is not the burned-in hardware address.
Misconception 2: Your IP Address Reveals Your Exact Location
IP geolocation databases map IP addresses to approximate geographic regions based on ISP registration data and routing information. The accuracy varies wildly — sometimes down to city level, sometimes only to country level. They do not know your street address. A VPN or proxy changes the IP your traffic appears to originate from, but the MAC address of your device never leaves your local network segment and is invisible to remote servers.
Misconception 3: Changing Your IP Address Provides Anonymity
Changing your IP address — whether by reconnecting to DHCP, using a VPN, or switching networks — changes one identifier. Websites and trackers use many other signals: browser fingerprint, cookies, canvas fingerprinting, and behavioral patterns. IP address alone is rarely sufficient for definitive identification, nor is changing it sufficient for anonymity.
Misconception 4: MAC Addresses Are Visible on the Internet
They are not. MAC addresses are stripped at every router boundary and are only meaningful within a single Layer 2 broadcast domain. The web server you connect to sees your IP address (or the IP of your NAT gateway), not your MAC address. Your MAC address stays entirely within your local network segment.
Pro Tips for Network Engineers and Admins
- Use DHCP reservations instead of fully static IPs on end devices: Reservations give the predictability of a static address while keeping the device manageable through DHCP infrastructure. Fully static IPs on laptops are a maintenance headache when people change desks or VLANs.
- Audit your ARP table when troubleshooting connectivity: Duplicate IP addresses (ARP conflicts) show up immediately when you see two different MAC addresses mapped to the same IP in your ARP cache. The
arp -acommand is often the fastest diagnostic you can run. - Do not rely on MAC filtering as a security control: It takes under 60 seconds to spoof a MAC address on any major operating system. MAC filtering adds friction, not security. Invest that effort in stronger authentication like WPA3-Enterprise or 802.1X instead.
- Keep an OUI lookup tool bookmarked: When investigating unknown devices on your network, looking up the MAC OUI immediately tells you the manufacturer, which narrows down what the device likely is. The IEEE public registry and tools like
wireshark.org/tools/oui-lookup.htmlare useful references. - Account for MAC randomization in Wi-Fi analytics: If you're tracking device counts or building occupancy analytics from Wi-Fi probe requests, randomized MACs will inflate your counts significantly. Modern solutions use additional signals beyond MAC to deduplicate devices.
- Document static DHCP reservations centrally: In environments with hundreds of reserved MACs, undocumented reservations create conflicts when hardware is replaced. Maintain a central IP address management (IPAM) system even if it's just a spreadsheet.
Understanding the precise relationship between MAC addresses and IP addresses is foundational to everything from basic network troubleshooting to advanced security analysis. When data moves, both layers are in play at every step. Look up what your current IP address reveals about your connection.