Mac Addressing - Learning Module

Loading content...

0/228

MAC Address Assignment

From Global Registry to Network Interface

Every MAC address has an origin—a point where it was first assigned to a device or interface. Understanding this assignment process is crucial for network administration, security analysis, device identification, and troubleshooting.

The MAC address assignment ecosystem involves multiple parties and mechanisms:

IEEE Registration Authority: Assigns organizational prefixes to vendors
Hardware Manufacturers: Burn addresses into NICs during production
Virtualization Platforms: Generate addresses for virtual machines and containers
Operating Systems: May override or randomize hardware addresses
Network Administrators: Can configure alternative addresses for specific purposes

This page explores each of these mechanisms in depth, revealing how the apparently simple 'hardware address' is actually managed through a sophisticated global system.

What You Will Learn

By the end of this page, you will understand the complete lifecycle of MAC address assignment—from IEEE OUI registration through hardware manufacturing, virtual machine address generation, locally administered addressing for special purposes, and modern MAC randomization for privacy protection.

IEEE Registration Authority and OUI Assignment

The IEEE Registration Authority (IEEE-RA) manages the global MAC address assignment system, ensuring that addresses remain globally unique across all manufacturers and devices worldwide.

The IEEE-RA's responsibilities:

Maintains the authoritative registry of all assigned OUIs
Processes applications from companies seeking OUI assignments
Ensures no duplicate assignments
Publishes the public OUI database
Manages special-purpose address registrations

IEEE MAC Address Block Types
Block Type	Size	OUI Portion	Addresses per Block	Typical Use
MA-L (Large)	24-bit OUI	First 3 bytes fixed	16,777,216 (2^24)	Large manufacturers
MA-M (Medium)	28-bit OUI	First 3.5 bytes fixed	1,048,576 (2^20)	Medium-sized vendors
MA-S (Small)	36-bit OUI	First 4.5 bytes fixed	4,096 (2^12)	Small companies, specialized
IAB (Individual)	36-bit	First 4.5 bytes fixed	4,096 (2^12)	Legacy small blocks (discontinued)

Registration costs and process:

As of current IEEE pricing (subject to change):

Block Type	Approximate Fee (USD)	Annual Maintenance
MA-L	~$3,000	None
MA-M	~$1,800	None
MA-S	~$800	None

Registration steps:

Application: Submit company information and intended use
Payment: Process registration fee
Verification: IEEE verifies applicant is a legitimate organization
Assignment: IEEE assigns unique OUI from available pool
Publication: OUI appears in public registry (unless confidential registration)

Confidential registrations:

Companies can request confidential OUI registrations (at additional cost). These OUIs won't appear in the public database with company identification, useful for:

Competitive secrecy about new product development
Military or government applications
Internal corporate networks

OUI Database Lookup

The IEEE publishes a downloadable OUI database at https://regauth.standards.ieee.org/standards-ra-web/pub/view.html. This database is invaluable for device identification—given a MAC address, you can identify the manufacturer. Many network monitoring tools integrate this database for automatic vendor identification.

Example OUI registrations:

OUI	Assignment	Company
`00:00:0C`	MA-L	Cisco Systems
`00:50:56`	MA-L	VMware (virtual machines)
`DC:A6:32`	MA-L	Raspberry Pi Trading Ltd
`00:1A:11`	MA-L	Google, Inc.
`3C:22:FB`	MA-L	Apple, Inc.
`F8:1D:78`	MA-L	Intel Corporate

Note: Major manufacturers often hold multiple OUIs—Apple, Intel, and Cisco each have dozens assigned due to their production volumes.

Hardware Manufacturing: Burning Addresses into NICs

When a network interface card (NIC) is manufactured, a globally unique MAC address is permanently encoded into the hardware. This 'burned-in address' (BIA) serves as the device's default identity.

Manufacturing process:

OUI allocation: Manufacturer receives OUI from IEEE
Address range management: Factory tracks which addresses have been used
Programming: Each NIC is programmed with a unique address during production
Verification: Automated testing confirms address uniqueness
Documentation: Address may be printed on device label or packaging

Storage locations:

MAC Address Storage on NICs
Storage Type	Description	Characteristics
ROM (Read-Only Memory)	Address burned into chip at manufacture	Permanent, cannot be changed
EEPROM/Flash	Electronically erasable storage	Technically modifiable (may void warranty)
Registers	Address loaded into operational registers at boot	Software can override with different address

The BIA vs operational address distinction:

Modern NICs support separate concepts:

Burned-In Address (BIA): The factory-programmed address stored in EEPROM/ROM. This is the 'permanent' address.
Operational Address (LAA): The address actually used for network communication. By default, this equals the BIA, but can be overridden.

When you view a NIC's properties, you may see both:

Windows: "Network Address" in adapter properties = LAA (configurable)
         "Physical Address" reported = Current operational address

Linux:   /sys/class/net/eth0/address = Current operational address
         ethtool -P eth0 = Permanent (BIA) address

Why separate operational addresses?

Virtual machine mobility: VMs can migrate between physical hosts while keeping the same MAC
NIC replacement: Replace hardware without changing address for licensing/configuration tied to MAC
Testing and debugging: Use specific addresses for controlled testing
Privacy: Randomize to avoid tracking (discussed later)

query_mac_addresses
1
2
3
4
5
6
7
8
9
10
11
12
13
# View current operational MAC address
ip link show eth0 | grep link/ether
# link/ether 00:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff
 
# View permanent (burned-in) address
ethtool -P eth0
# Permanent address: 00:1a:2b:3c:4d:5e
 
# Note: These may differ if LAA is configured
 
# Check if address has been changed from permanent
cat /sys/class/net/eth0/addr_assign_type
# 0 = Permanent, 1 = Random, 2 = Stolen/Inherited, 3 = Set by user

Duplicate BIAs: Rare but Possible

While extremely rare, duplicate burned-in addresses can occur due to manufacturing defects or database errors. On a single network segment, duplicate MACs cause serious problems—intermittent connectivity, address flapping, and unpredictable behavior. Detecting duplicates requires careful analysis of ARP tables or switch MAC tables.

Locally Administered Addresses (LAA)

Locally Administered Addresses (LAAs) are MAC addresses assigned by local administrators, virtualization platforms, or software—rather than by the hardware manufacturer. They are distinguished by the U/L bit (bit 1 of the first byte) being set to 1.

Characteristics of LAAs:

U/L bit = 1 (first byte second bit set)
First hexadecimal digit typically: 2, 6, A, or E (for unicast LAA)
Not guaranteed globally unique (only locally meaningful)
Must be managed to avoid local conflicts
Commonly used in virtualization and for special purposes

Universally vs Locally Administered Addresses
Characteristic	Universally Administered	Locally Administered
U/L Bit	0	1
First Byte Hex	0x00, 0x04, 0x08, etc.	0x02, 0x06, 0x0A, etc.
Assignment Authority	IEEE via manufacturer	Local administrator/software
Uniqueness Scope	Global	Local network only
Use Case	Physical NICs	VMs, containers, overrides

Common LAA use cases:

LAA Applications

•Virtual machine NICs: Hypervisors (VMware, Hyper-V, KVM) generate LAAs for VM network interfaces, ensuring uniqueness within the virtualization environment
•Container networking: Docker, Kubernetes, and container runtimes assign LAAs to virtual interfaces in containers
•NIC teaming/bonding: The bonded interface may use an LAA distinct from any member NIC
•Hardware replacement: Administrator assigns specific LAA to maintain network identity after NIC swap
•Testing environments: Engineers use consistent LAAs for reproducible testing scenarios
•Licensing circumvention (Note: may violate terms): Some software licenses tie to MAC; changing LAA can reset trials (typically against ToS)
•Privacy protection: MAC randomization uses LAAs to prevent tracking

set_laa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Set a locally administered address on Linux
# First byte: 02 (unicast, locally administered)
 
# Temporary change (lost on reboot/interface restart)
sudo ip link set dev eth0 down
sudo ip link set dev eth0 address 02:00:00:00:00:01
sudo ip link set dev eth0 up
 
# Verify change
ip link show eth0
# link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
 
# Permanent configuration varies by distribution:
# Ubuntu/Debian (Netplan): /etc/netplan/*.yaml
# RHEL/CentOS: /etc/sysconfig/network-scripts/ifcfg-eth0
# systemd-networkd: /etc/systemd/network/*.link
 
# Example Netplan (Ubuntu 20.04+):
# network:
#   ethernets:
#     eth0:
#       macaddress: 02:00:00:00:00:01
 
# Verify address type
cat /sys/class/net/eth0/addr_assign_type
# Should show "3" for manually set

LAA Collision Risk

Unlike universally administered addresses, LAAs are NOT globally coordinated. If two devices on the same network segment are assigned the same LAA (by different administrators or careless scripting), a MAC address collision occurs—causing unpredictable connectivity issues. Always maintain documentation of manually assigned LAAs.

Virtual Machine MAC Address Assignment

Virtual machines require MAC addresses for their virtual network interfaces, but they don't have physical hardware with burned-in addresses. Hypervisors implement various strategies to generate and manage VM MAC addresses.

Hypervisor MAC assignment strategies:

Hypervisor MAC Address Generation
Hypervisor	Default OUI/Prefix	Generation Method	Uniqueness Scope
VMware (ESXi/Workstation)	`00:50:56` (static) or `00:0C:29` (auto)	Derived from UUID + NIC index	Unique within vCenter/host
Microsoft Hyper-V	`00:15:5D`	Algorithm based on GUID + host ID	Unique within host cluster
KVM/QEMU (libvirt)	`52:54:00` (default)	Random or configured	Per-definition; admin managed
VirtualBox	`08:00:27`	Based on VM UUID	Unique per VM instance
Xen	`00:16:3E`	Configuration or random	Configurable
Docker	`02:42:AC:XX:XX:XX`	Derived from container IP	Unique per Docker network

VMware MAC address ranges:

VMware uses several registered OUIs:

OUI	Usage
`00:50:56:00-3F:XX:XX`	Static MACs (manually assigned)
`00:50:56:40-7F:XX:XX`	Generated by VMware vCenter
`00:50:56:80-BF:XX:XX`	Automatically generated (vSphere)
`00:0C:29:XX:XX:XX`	Automatically generated (Workstation/Fusion)
`00:05:69:XX:XX:XX`	Older VMware products

VM MAC address persistence:

VM MAC addresses are typically stored in the VM configuration:

VMware: .vmx file contains ethernet0.addressType and ethernet0.generatedAddress
Hyper-V: VM configuration database and XML export
libvirt/KVM: XML domain definition contains <mac address='...'/>
VirtualBox: .vbox XML configuration

Addresses persist across:

VM power cycles
Host reboots
VM cloning (may be regenerated to avoid duplicates)

Addresses may change with:

VM import/export (some hypervisors regenerate)
NIC removal and re-addition
Cloning without 'new SID/identity' option

vm_mac_examples
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# VMware .vmx file MAC configuration examples
 
# Automatically generated address (default)
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:ab:cd:ef"
ethernet0.generatedAddressOffset = "0"
 
# Statically assigned address
ethernet0.addressType = "static"
ethernet0.address = "00:50:56:12:34:56"
 
# Manually specify a custom address
ethernet0.addressType = "vpx"
ethernet0.generatedAddress = "00:50:56:ab:cd:ef"

VM Cloning and MAC Addresses

When cloning VMs, hypervisors typically generate new MAC addresses to avoid duplicates. If you're cloning for disaster recovery where the clone should have the same identity, you may need to manually restore the original MAC. If cloning for scaling, ensure new addresses are generated to avoid conflicts.

MAC Address Randomization for Privacy

A significant evolution in MAC addressing is the adoption of MAC address randomization for privacy protection. This technique replaces consistent hardware addresses with random, temporary addresses to prevent tracking.

The privacy problem:

Traditionally, MAC addresses were permanent identifiers. This enabled:

Location tracking: Retail stores tracking customers via WiFi probe requests
Behavioral profiling: Correlating device appearances across locations and times
Device fingerprinting: Identifying returning devices even with different IPs
Targeted advertising: Building profiles based on physical movement patterns

Devices constantly broadcast WiFi 'probe requests' seeking known networks—each containing the device's MAC address, creating tracking opportunities.

MAC Randomization Support by Platform
Platform	When Randomization Occurs	First Supported Version	Default Status
iOS	Probe requests + per-network MACs	iOS 8 (probing), iOS 14 (per-network)	Enabled by default
Android	Probe requests + per-network MACs	Android 8 (probing), 10 (per-network)	Enabled by default (10+)
Windows 10/11	Per-network randomization	Windows 10 1511+	Off by default (opt-in)
macOS	Probe requests (limited)	macOS Catalina+	Probe only; association uses real
Linux	NetworkManager/systemd-networkd	Recent versions	Configurable

Types of MAC randomization:

1. Probe Request Randomization

Device uses random MAC when scanning for available networks
Prevents tracking of disconnected, scanning devices
Implemented in iOS 8+, Android 6+

2. Per-Network Randomization (Persistent)

Device generates unique MAC for each SSID
Same random MAC used consistently for same network
Prevents cross-network correlation
More aggressive privacy protection

3. Time-Based Rotation

Random MAC changes periodically (e.g., every 24 hours)
Even the same network sees different addresses over time
Most aggressive option; can cause captive portal issues

Impact on network operations:

Benefits

•Prevents third-party tracking
•Protects user privacy in public spaces
•Limits corporate surveillance
•Reduces device fingerprinting

Challenges

•Breaks MAC-based access control
•Complicates network troubleshooting
•Issues with MAC-based DHCP reservations
•Captive portal re-authentication

Network Administrator Adaptations

With MAC randomization becoming standard, networks are shifting away from MAC-based authentication. 802.1X certificate-based authentication, user credentials, or device attestation are more robust alternatives that work regardless of MAC address changes.

Practical Guide: Changing MAC Addresses

Changing a device's operational MAC address is a common network administration task with legitimate uses ranging from privacy to testing to hardware replacement. Here's a comprehensive guide for major operating systems.

Important considerations before changing:

Use valid LAA format: Set U/L bit = 1 (first byte: x2, x6, xA, or xE)
Avoid reserved addresses: Don't use broadcast (FF:FF:FF:FF:FF:FF) or multicast
Check for conflicts: Ensure no other device on your network uses the same address
Document changes: Track manual MAC assignments for troubleshooting

linux_mac_change
Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# === Temporary MAC Change (ip command) ===
# Bring interface down
sudo ip link set eth0 down
 
# Change to new MAC (use 02: prefix for LAA unicast)
sudo ip link set eth0 address 02:DE:AD:BE:EF:01
 
# Bring interface back up
sudo ip link set eth0 up
 
# Verify
ip link show eth0
 
# === Using macchanger tool (recommended) ===
# Install: apt install macchanger (Debian/Ubuntu)
#          dnf install macchanger (Fedora)
 
# View current address
macchanger -s eth0
 
# Set full random address
sudo macchanger -r eth0
 
# Set random vendor (keeps OUI realistic)
sudo macchanger -A eth0
 
# Set specific address
sudo macchanger -m 02:DE:AD:BE:EF:01 eth0
 
# Restore original (burned-in) address
sudo macchanger -p eth0
 
# === Permanent Configuration (systemd-networkd) ===
# Create /etc/systemd/network/10-eth0.link:
cat << 'EOF' | sudo tee /etc/systemd/network/10-eth0.link
[Match]
OriginalName=eth0
 
[Link]
MACAddress=02:DE:AD:BE:EF:01
EOF
 
# Reload and restart
sudo systemctl restart systemd-networkd

Legal and Ethical Considerations

While changing MAC addresses is a legitimate administrative technique, using it to evade network access controls, bypass service agreements, or commit fraud may be illegal. Always ensure you have authorization for the network you're accessing and comply with applicable laws and policies.

Summary: MAC Address Assignment

This page has covered the complete lifecycle of MAC address assignment—from global registration to practical modification. Let's consolidate the key points:

Key Takeaways

•IEEE Registration Authority manages OUI assignments, providing MA-L (large), MA-M (medium), and MA-S (small) address blocks to organizations
•Manufacturers burn unique addresses into NICs during production, combining their assigned OUI with a device-specific identifier
•Locally Administered Addresses (LAAs) have the U/L bit set to 1 (first byte x2/x6/xA/xE); they're assigned locally without global coordination
•Virtualization platforms (VMware, Hyper-V, KVM, Docker) generate MAC addresses for virtual interfaces using registered OUIs or LAA ranges
•MAC randomization is now standard on mobile devices, using temporary addresses to prevent tracking—impacting network operations that relied on stable MACs
•Changing operational MAC is supported on all major platforms but requires valid LAA format and conflict avoidance
•Networks are adapting to randomization by moving toward 802.1X and credential-based authentication over MAC-based access control

Looking ahead:

With address assignment understood, the next page examines OUI (Organizationally Unique Identifier) in depth—exploring its structure, the lookup process, notable OUI assignments, and how network administrators use OUI information for device identification and network management.

Page Complete

You now understand how MAC addresses are assigned throughout their lifecycle—from IEEE registration through hardware manufacturing, virtualization, and administrative modification. This knowledge is essential for network administration, troubleshooting, and understanding modern privacy-focused network behaviors.