Ethernet Frame Format - Learning Module

Loading content...

0/240

Destination and Source MAC Addresses

Hardware Addressing on Shared Media

Once the receiver has synchronized its clock and identified the frame boundary using the Preamble and SFD, the actual frame content begins. The very first fields encountered are the Destination MAC Address (6 bytes) and Source MAC Address (6 bytes)—a total of 12 bytes that specify where this frame is going and where it came from.

These addresses are fundamental to Ethernet's operation. Unlike IP addresses, which are logical and can be reassigned, MAC addresses are hardware addresses bound to physical network interface cards. They enable local area network communication without requiring any higher-layer protocol participation.

What You Will Learn

By the end of this page, you will understand the 48-bit MAC address structure including OUI organization, the distinction between unicast, broadcast, and multicast addresses, how switches use MAC addresses for forwarding decisions, the bit-level encoding including the I/G and U/L bits, and special reserved MAC addresses used by protocols.

The 48-Bit MAC Address Structure

A MAC (Media Access Control) address is a 48-bit (6-byte) identifier assigned to network interface hardware. The address space provides for 2^48 = 281 trillion unique addresses—enough for every network device ever manufactured to have a globally unique identifier.

Address Format and Notation

MAC addresses are typically written in one of several hexadecimal notations:

Colon-separated:     00:1A:2B:3C:4D:5E
Hyphen-separated:    00-1A-2B-3C-4D-5E
Dot-separated:       001A.2B3C.4D5E
No separator:        001A2B3C4D5E

All four notations represent the same 48-bit address. The colon-separated format is most common in Unix/Linux environments, while Windows often uses hyphens. Cisco IOS uses the dot-separated format with pairs of bytes.

MAC Address Byte Structure
Byte Position	Hex Example	Contents	Purpose
Byte 1 (Leftmost)	00	OUI Byte 1 + Flags	Organization identifier, I/G bit, U/L bit
Byte 2	1A	OUI Byte 2	Organization identifier continued
Byte 3	2B	OUI Byte 3	Organization identifier continued
Byte 4	3C	NIC Byte 1	Device-specific identifier
Byte 5	4D	NIC Byte 2	Device-specific identifier
Byte 6 (Rightmost)	5E	NIC Byte 3	Device-specific identifier

OUI: Organizationally Unique Identifier

The first three bytes (24 bits) of a MAC address form the Organizationally Unique Identifier (OUI). This portion is assigned to hardware manufacturers by the IEEE Registration Authority:

Intel Corporation: 00:1B:21, 00:1E:64, 00:1F:3C, etc.
Dell Inc.: 00:14:22, 00:18:8B, 00:1A:A0, etc.
Apple Inc.: 00:03:93, 00:0A:27, 00:0D:93, etc.
Cisco Systems: 00:00:0C, 00:01:42, 00:01:43, etc.

The remaining three bytes (24 bits) are assigned by the manufacturer to individual devices, ensuring that the complete 48-bit address is globally unique.

NIC-Specific Identifier

The last three bytes constitute the Network Interface Controller (NIC) identifier, sometimes called the "extension identifier" or "device identifier." Manufacturers maintain internal databases to ensure no two NICs receive the same extension within an OUI block.

With 24 bits available, each OUI allows for 2^24 = 16.7 million unique device addresses. Manufacturers who exhaust their allocation can purchase additional OUI blocks from IEEE.

OUI Lookup Tools

You can identify the manufacturer of any network device by looking up its OUI. IEEE maintains a public OUI database at standards-oui.ieee.org. Many online tools and command-line utilities (like 'arp -a' combined with OUI databases) can resolve OUIs to vendor names, useful for network inventory and troubleshooting.

Special Address Bits: I/G and U/L

Two bits in the first byte of a MAC address have special significance. These bits, located in the least significant positions of the first transmitted byte, determine fundamental addressing characteristics.

Bit Transmission Order

Ethernet transmits the least significant bit (LSB) first. For the first byte of a MAC address, this means bit 0 is transmitted before bit 7. The two special bits occupy the following positions:

Bit 0: Individual/Group (I/G) bit — transmitted first
Bit 1: Universal/Local (U/L) bit — transmitted second

Special Bits in MAC Address First Byte
Bit Position	Name	Value = 0	Value = 1
Bit 0 (LSB)	I/G (Individual/Group)	Unicast address	Multicast/Broadcast address
Bit 1	U/L (Universal/Local)	Universally administered (OUI-based)	Locally administered

I/G Bit: Unicast vs. Multicast

The I/G bit is the most critical for frame forwarding:

I/G = 0 (Unicast): The frame is destined for a single, specific network interface. Switches forward unicast frames only to the port where the destination MAC address was learned.
I/G = 1 (Multicast/Broadcast): The frame is destined for a group of receivers. Switches typically flood multicast frames to all ports (unless multicast snooping is enabled). The broadcast address (FF:FF:FF:FF:FF:FF) is a special case where all bits are 1, including the I/G bit.

Visual Representation:

Unicast address:   00:1A:2B:3C:4D:5E
First byte (00):   0000 0000
                        │
                        └── Bit 0 = 0 → Unicast

Multicast address: 01:00:5E:00:00:01
First byte (01):   0000 0001
                        │
                        └── Bit 0 = 1 → Multicast

Broadcast address: FF:FF:FF:FF:FF:FF
First byte (FF):   1111 1111
                        │
                        └── Bit 0 = 1 → Multicast (broadcast is a special multicast)

U/L Bit: Universal vs. Local Administration

The U/L bit indicates whether the address was assigned by the IEEE (universal) or by a local administrator:

U/L = 0 (Universal): The address uses an IEEE-assigned OUI and should be globally unique. This is the default for hardware MAC addresses burned into NICs.
U/L = 1 (Local): The address was assigned locally, perhaps by virtualization software, network administrators, or protocol requirements. Locally administered addresses do not follow OUI conventions and uniqueness is only guaranteed within the local network.

Common Uses of Locally Administered Addresses:

Virtual Machines — Hypervisors assign LAA addresses to VMs to avoid OUI exhaustion and conflicts with physical NICs.
MAC Address Spoofing — For privacy, testing, or attack scenarios, software-defined MAC addresses use the LAA bit.
Network Isolation — Data center operators may use LAA addresses for internal segments to simplify management.
DECnet — Historical protocol that calculated MAC addresses from protocol addresses, using locally administered format.

Address Collision Risk

While universally administered addresses are guaranteed unique worldwide, locally administered addresses have no such guarantee. If you deploy locally administered MAC addresses, you must ensure uniqueness within your network to prevent address collisions that cause frame delivery failures and switch MAC table thrashing.

The Destination Address Field

The Destination MAC Address occupies bytes 1-6 of the Ethernet frame (immediately following the SFD). This field specifies the intended recipient(s) of the frame.

Destination Address Location in Frame:

┌─────────┬─────┬─────────────────────────┬───────────────────────┬─────────────┬─────────┬─────┐
│Preamble │ SFD │   Destination MAC       │     Source MAC        │ Type/Length │ Payload │ FCS │
│ 7 bytes │ 1B  │       6 bytes           │       6 bytes         │    2 bytes  │ 46-1500 │ 4B  │
└─────────┴─────┴─────────────────────────┴───────────────────────┴─────────────┴─────────┴─────┘
                  ↑ Position 0-5 in frame

Address Categories

The Destination MAC address can be one of three types:

Destination Address Types

•Unicast Address — A specific 48-bit address identifying a single NIC. I/G bit = 0. The frame should be delivered only to the device with this MAC address. Switches forward unicast frames to the learned port.
•Broadcast Address — The reserved address FF:FF:FF:FF:FF:FF (all 1s). Every device on the local network segment must receive and process broadcast frames. Used for ARP requests, DHCP discovery, and other discovery protocols.
•Multicast Address — An address with I/G bit = 1 (first byte is odd) but not the broadcast address. Represents a group of interested receivers. Examples include 01:00:5E:xx:xx:xx for IPv4 multicast and 33:33:xx:xx:xx:xx for IPv6 multicast.

Destination Address Type Summary
Type	First Byte (LSB)	I/G Bit	Example	Switch Behavior
Unicast	Even (00, 02, 04...)	0	00:1A:2B:3C:4D:5E	Forward to learned port
Multicast	Odd (01, 03, 05...)	1	01:00:5E:7F:00:01	Flood or IGMP snoop
Broadcast	FF	1	FF:FF:FF:FF:FF:FF	Flood to all ports

Processing at the Receiver

Every Ethernet NIC examines the Destination MAC address of each frame on the network segment:

Exact Match — If the destination matches the NIC's own MAC address, the frame is accepted for processing.
Broadcast Match — If the destination is FF:FF:FF:FF:FF:FF, the frame is accepted (unless broadcast filtering is enabled).
Multicast Match — If the destination is a multicast address, the NIC checks its multicast filter table (configured by the operating system) to determine whether to accept the frame.
No Match — If none of the above conditions are met, the frame is silently discarded at the hardware level. This filtering prevents unnecessary CPU interrupts for frames destined for other hosts.

Promiscuous Mode

In promiscuous mode, a NIC accepts ALL frames regardless of destination address. This mode is used by:

Network analyzers (Wireshark, tcpdump)
Bridges and switches (which must process all frames)
Intrusion detection systems
Virtual machine hypervisors bridging NICs

Hardware Filtering Efficiency

Destination address filtering occurs in hardware, before frames reach the operating system. A NIC on a busy network might see millions of frames per second, but hardware filtering ensures only relevant frames consume CPU resources. This is critical for maintaining system performance on shared segments.

The Source Address Field

The Source MAC Address occupies bytes 7-12 of the Ethernet frame (immediately following the Destination MAC). This field identifies the transmitting device.

Source Address Location in Frame:

┌─────────┬─────┬─────────────────────────┬───────────────────────┬─────────────┬─────────┬─────┐
│Preamble │ SFD │   Destination MAC       │     Source MAC        │ Type/Length │ Payload │ FCS │
│ 7 bytes │ 1B  │       6 bytes           │       6 bytes         │    2 bytes  │ 46-1500 │ 4B  │
└─────────┴─────┴─────────────────────────┴───────────────────────┴─────────────┴─────────┴─────┘
                                             ↑ Position 6-11 in frame

Source Address Requirements

Unlike the Destination address, the Source address has specific constraints:

Source Address Rules

•Must be Unicast — The I/G bit must be 0. A frame cannot originate from 'a group of devices.' Frames with multicast or broadcast source addresses are invalid and should be discarded.
•Should be Unique — The source address should uniquely identify the transmitting NIC within the network to enable reply frames and MAC table learning.
•Must Not be All Zeros — The address 00:00:00:00:00:00 is reserved and invalid as a source.
•Must Not be All Ones — The broadcast address FF:FF:FF:FF:FF:FF is invalid as a source.

Why Source Comes After Destination

The ordering of Destination-then-Source may seem arbitrary, but it has practical significance:

Fast Hardware Filtering — The receiving NIC's first task is to determine whether to accept the frame. Placing the destination address first enables immediate address comparison without buffering additional bytes.
Switch Forwarding — Switches can begin their forwarding decision before the entire Source address arrives, reducing latency.
Cut-Through Switching — In cut-through mode, switches begin forwarding as soon as they've read the destination address (6 bytes in). If the source came first, they'd need to buffer 12 bytes before making forwarding decisions.

Source Address Uses

The source MAC address serves several critical functions:

Source MAC Address Functions
Function	Description	Used By
MAC Table Learning	Switches learn which port hosts are connected to by recording source addresses	Switches, bridges
Reply Addressing	Higher-layer protocols use source MAC to compose response frames	ARP, RARP, network stack
Loop Detection	Receiving own source address indicates a network loop	STP, bridges
Access Control	Port security features whitelist allowed source addresses	Switch security
Forensics/Audit	Source addresses identify transmitting devices for security analysis	IDS, SIEM systems

MAC Spoofing Considerations

Unlike hardware-bound destination address filtering, source addresses are easily spoofed in software. Malicious actors can forge source MAC addresses to bypass access controls, poison switch MAC tables, or impersonate legitimate devices. Port security features (sticky MAC, MAC limiting) help mitigate these attacks.

Switch MAC Table Learning and Forwarding

Ethernet switches use the Destination and Source MAC addresses to make intelligent forwarding decisions. This process, called transparent bridging, allows switches to operate without any manual configuration.

The MAC Address Table

Every switch maintains a MAC address table (also called CAM table, forwarding table, or switching table) that maps MAC addresses to ports:

MAC Address        Port    VLAN    Age (seconds)
─────────────────────────────────────────────────
00:1A:2B:3C:4D:5E  Gi0/1   10      45
00:1A:2B:3C:4D:5F  Gi0/1   10      45
00:AA:BB:CC:DD:EE  Gi0/2   10      120
00:11:22:33:44:55  Gi0/3   20      30

Learning Process

When a frame arrives at a switch port:

Extract Source MAC — Read the source address from bytes 7-12
Update Table — Create or refresh entry mapping Source MAC → ingress port
Extract Destination MAC — Read the destination address from bytes 1-6
Lookup Table — Search for destination MAC in the table
Forward/Flood Decision — Forward to specific port if found, flood if not found or if destination is broadcast/multicast

Forwarding Decision Matrix:

Switch Forwarding Decisions
Destination Type	Table Lookup Result	Action
Unicast	Found, different port	Forward to learned port
Unicast	Found, same port	Filter (drop frame)
Unicast	Not found	Flood to all ports except ingress
Broadcast	N/A	Flood to all ports except ingress
Multicast	IGMP snooping disabled	Flood to all ports
Multicast	IGMP snooping enabled	Forward to subscribed ports

Aging and Entry Timeout

MAC table entries have a limited lifetime (typically 300 seconds by default). If a source MAC address is not seen within the aging time, its entry is removed. This handles:

Devices that disconnect or move to different ports
Dynamic network topology changes
Memory management (preventing table exhaustion)

When a device moves to a different port, the switch learns the new port association from the next frame sent by that device. The old entry either ages out or is overwritten.

MAC Table Attack: CAM Table Overflow

A common attack floods the switch with frames from random source MACs, filling the CAM table to capacity. When full, some switches fail-open and begin flooding ALL unicast traffic to all ports—effectively becoming a hub and enabling eavesdropping. Modern switches implement:

Port security limiting MAC addresses per port
Storm control limiting broadcast/multicast/unicast rates
Dynamic ARP Inspection (DAI)
DHCP Snooping

CAM Table Size

Enterprise switches typically support 8K-128K MAC address entries. Data center switches may support 1M+ entries. When designing networks, ensure switch CAM table capacity exceeds the expected number of MAC addresses per VLAN to prevent unexpected flooding behavior.

Reserved MAC Addresses and Special Uses

The IEEE has reserved specific MAC address ranges for protocol use. These addresses have special meaning and handling requirements.

IEEE Reserved Addresses (01-80-C2-00-00-xx)

The range 01:80:C2:00:00:00 through 01:80:C2:00:00:FF is reserved for IEEE 802.1 protocols. These are multicast addresses (I/G bit = 1) with specific protocol assignments:

IEEE Reserved MAC Addresses
MAC Address	Protocol	Description
01:80:C2:00:00:00	STP	Spanning Tree Protocol Bridge Group Address
01:80:C2:00:00:01	IEEE 802.3x	MAC Control (Pause frames)
01:80:C2:00:00:02	LACP	Slow Protocols (LACP, OAM, ESMC)
01:80:C2:00:00:03	IEEE 802.1X	Port-based Network Access Control
01:80:C2:00:00:0E	LLDP	Link Layer Discovery Protocol
01:80:C2:00:00:10	STP	All Bridges Address (provider bridging)
01:80:C2:00:00:21	CFM	Connectivity Fault Management

Multicast Address Ranges

Beyond IEEE reserved addresses, other multicast ranges are assigned to specific protocols:

IPv4 Multicast: 01:00:5E:xx:xx:xx

IPv4 multicast addresses (224.0.0.0/4) are mapped to Ethernet multicast addresses using this scheme:

IPv4 Multicast:  224.1.2.3  →  1110 0000.0000 0001.0000 0010.0000 0011
                                    └───────────────────┴──────────────┘
                                        23 bits mapped to MAC

Ethernet MAC:    01:00:5E:01:02:03
                 │       │ └──────┘
                 │       │ Lower 23 bits of IP
                 │       └─ Fixed: 00:5E
                 └─ OUI: 01:00:5E (I/G=1)

Note: Only 23 bits of the IP multicast address are mapped, so 32 IP multicast addresses share each Ethernet multicast address.

IPv6 Multicast: 33:33:xx:xx:xx:xx

IPv6 multicast addresses are mapped to Ethernet using the last 32 bits:

IPv6 Multicast:  FF02::1    (All nodes)
Ethernet MAC:    33:33:00:00:00:01

IPv6 Multicast:  FF02::1:FF00:0001 (Solicited-node)
Ethernet MAC:    33:33:FF:00:00:01

Other Reserved Address Ranges

•00:00:00:00:00:00 — Reserved/Invalid, used in some protocols as placeholder
•FF:FF:FF:FF:FF:FF — Broadcast address, received by all NICs on segment
•CF:xx:xx:xx:xx:xx — Reserved for private use (locally administered range)
•01:00:0C:CC:CC:CC — Cisco CDP/VTP/DTP
•01:00:0C:CC:CC:CD — Cisco PVST+ (per-VLAN STP)
•09:00:09:09:09:09 — HP Probe (legacy)

Bridge Protocol Data Units (BPDUs)

Frames destined for IEEE reserved addresses (01:80:C2:00:00:00-0F) are NOT forwarded by standard bridges—they are intercepted and processed locally. This ensures that protocol frames like STP BPDUs remain within the local link and are not propagated across the network.

Practical Considerations for Network Design

Understanding MAC addressing has practical implications for network design, troubleshooting, and security.

Design Considerations

Network Design Implications

•CAM Table Sizing — Estimate maximum MAC addresses per VLAN and ensure switch CAM capacity exceeds this with headroom. Factor in virtual machines which multiply MAC addresses per physical host.
•Broadcast Domain Sizing — Larger broadcast domains mean more broadcast traffic and larger CAM tables. Consider VLAN design to limit broadcast domains to ~500-1000 hosts.
•Aging Timer Tuning — Default 300-second aging may be too long for dynamic environments (VMs migrating) or too short for stable environments (causing unnecessary flooding).
•MAC Filtering Policies — Define port security policies: maximum MACs per port, sticky MAC learning, violation actions (protect, restrict, shutdown).
•Multicast Optimization — Enable IGMP snooping to prevent multicast flooding. Consider IGMP querier placement for each VLAN.

Troubleshooting with MAC Addresses

MAC addresses are invaluable for network troubleshooting:

Locate a Device — Use show mac address-table address <mac> to identify which switch port a device is connected to.
Trace a Path — Follow the MAC through multiple switches to trace the physical path from source to destination.
Identify Duplicate IPs — When ARP shows two MACs for one IP, or an IP moves between MACs, investigate for duplicates or spoofing.
Detect Loops — Rapid MAC flapping (address alternating between ports) often indicates a spanning tree loop or misconfiguration.
Vendor Identification — OUI lookup helps identify unknown devices (rogue access points, unauthorized equipment).

Useful Commands:

Cisco IOS:
  show mac address-table
  show mac address-table address 00:1A:2B:3C:4D:5E
  show mac address-table interface GigabitEthernet0/1
  clear mac address-table dynamic

Linux:
  ip neigh show
  bridge fdb show
  arp -a

Windows:
  arp -a
  getmac /v

MAC Flapping Detection

Most managed switches can generate alerts when a MAC address rapidly moves between ports (flapping). This is a key indicator of network loops, redundant links without spanning tree, or duplicate MAC addresses. Configure flapping thresholds and alerting in production networks.

Summary and Key Takeaways

The Destination and Source MAC address fields are the addressing foundation that enables Ethernet's plug-and-play operation. Let's consolidate the key concepts:

Key Takeaways

•MAC addresses are 48-bit (6-byte) identifiers uniquely assigned to network interfaces. The first 3 bytes form the OUI (manufacturer identifier), the last 3 bytes are device-specific.
•The I/G bit (bit 0 of byte 1) distinguishes unicast (0) from multicast/broadcast (1) addresses, determining whether a frame targets one device or many.
•The U/L bit (bit 1 of byte 1) indicates universal (IEEE-assigned) versus locally administered addresses. VMs and software-defined networking often use local addresses.
•Destination MAC (6 bytes) appears first in the frame, enabling rapid hardware filtering and switch forwarding decisions before the source is even received.
•Source MAC (6 bytes) must be unicast and enables switches to learn which port connects to which devices, building the MAC address table.
•Switches use transparent bridging — learning source MACs, looking up destination MACs, forwarding or flooding based on table entries and address type.
•Reserved MAC addresses have special protocol meanings. The IEEE 01:80:C2 range, IP multicast mappings, and broadcast address all trigger specific handling.

What's Next

With addressing established, the Ethernet frame needs to convey information about the payload it carries. The next page examines the Type/Length field—the dual-purpose field that either identifies the higher-layer protocol (Ethernet II) or indicates payload size (IEEE 802.3).

Page Complete

You now understand the structure, significance, and practical implications of Ethernet Destination and Source MAC addresses. These 12 bytes of addressing enable the intelligent, self-configuring frame delivery that makes Ethernet the dominant LAN technology worldwide.