MAC Addresses: The Complete IT Engineer's Guide to OUI, Block Types & Network Troubleshooting
- 1. What Is a MAC Address?
- Structure & Anatomy
- Supported Formats
- 2. OUI Explained: The First 24 Bits
- 3. IEEE MAC Address Block Types
- MA-L (Large Block)
- MA-M (Medium Block)
- MA-S (Small Block)
- IAB (Legacy)
- CID (Company ID)
- 4. Block Type Comparison Table
- 5. MAC Address Lookup in IT Troubleshooting
- 6. How to Use the MAC Lookup Tool
- 7. Useful CLI Commands
- 8. FAQ
What Is a MAC Address?
A MAC address (Media Access Control address) is a globally unique 48-bit hardware identifier assigned permanently to every network interface card (NIC) by its manufacturer. Whether it's a Wi-Fi adapter, Ethernet port, Bluetooth chip, or a virtual network interface, each one carries its own MAC address.
Unlike IP addresses, which can change and are assigned by software (DHCP servers or administrators), MAC addresses are embedded into hardware firmware at the point of manufacture. They operate at Layer 2 (Data Link Layer) of the OSI model and are used for device-to-device communication within the same local network (LAN / broadcast domain).
Key point: MAC addresses are used to deliver frames to the correct device on a local segment. Your router uses MAC addresses for ARP resolution; switches use them to build forwarding tables; access points use them to manage wireless clients.
MAC Address Structure & Anatomy
Every MAC address is exactly 48 bits long: 6 bytes, represented as 12 hexadecimal characters. The bytes are split into two logical halves:
[Figure: the six bytes of a MAC address in detail, with the OUI (vendor) bytes in blue and the device-specific portion in green.]
Two special bits in the first byte carry extra meaning:
- Bit 0 (LSB): I/G bit. 0 = Unicast address (individual device), 1 = Multicast/Broadcast address
- Bit 1: U/L bit. 0 = Globally unique (burned-in), 1 = Locally administered (manually configured or randomized)
Modern devices randomize MAC addresses. Android 10+, iOS 14+, and Windows 10 use random MAC addresses for Wi-Fi scanning and connections to protect user privacy. When troubleshooting, check if the device is using a random MAC; it won't match any OUI vendor in the database.
Supported MAC Address Formats
MAC addresses are written in several different notations depending on the operating system and vendor. The SwitchFirewall MAC Lookup tool accepts all common formats:
OUI Explained: The First 24 Bits
The OUI (Organizationally Unique Identifier) is the vendor's fingerprint. It occupies the first three bytes of every MAC address and is assigned exclusively by the IEEE Registration Authority. When you see 00-00-0C, that's Cisco. When you see F4-DB-E6, that's Apple. No two organizations share the same OUI under the MA-L system.
The IEEE maintains three public CSV registries, one for each block type (MA-L, MA-M, MA-S), updated continuously as new organizations register. SwitchFirewall downloads these registries daily and makes them searchable through its MAC Address Lookup tool.
B8:27:EB? That's a Raspberry Pi. DC:A6:32? Also Raspberry Pi (newer revision). This alone can instantly classify rogue devices on your network.
Large enterprises often own multiple OUIs. Cisco, for example, holds hundreds of MA-L blocks, each covering a different product line or era of manufacturing. When doing security auditing, knowing this context is invaluable.
IEEE MAC Address Block Types
Not every organization needs 16 million MAC addresses. The IEEE offers different block sizes to match the scale of the vendor. Understanding these block types is critical for accurately interpreting lookup results and understanding network device inventories.
MA-L: MAC Address Block Large
MA-L is the original OUI format that most network engineers are familiar with. It assigns 24-bit prefixes, giving the holder 16,777,216 unique MAC addresses under that prefix. Companies like Cisco, Apple, Intel, and Samsung each hold dozens to hundreds of MA-L blocks. This is the most common result you'll see in a MAC lookup for major commercial devices.
MA-M: MAC Address Block Medium
MA-M blocks use a 28-bit prefix, leaving 20 bits for the vendor to assign (about 1,048,576 addresses). These are purchased by mid-size manufacturers who don't need millions of addresses but produce more devices than an MA-S holder. When a lookup returns an MA-M result, the OUI shown will be 7 hexadecimal characters (3.5 bytes).
MA-M blocks share the same 24-bit OUI space as MA-L. The IEEE "carves out" MA-M blocks within specific MA-L OUIs it reserves. This means two different organizations can appear to share a 24-bit prefix but have distinct 28-bit prefixes. Always check block type when looking up to avoid misidentification.
MA-S: MAC Address Block Small
MA-S is the smallest active block type, providing only 4,096 unique addresses under a 36-bit prefix. This makes it ideal for small manufacturers, startups, and IoT device makers who produce limited quantities of hardware. MA-S replaced the deprecated IAB system in 2014 and is now the standard choice for small-scale vendors.
A key consideration: because MA-S blocks share 24-bit OUI space owned by IEEE itself, the first three bytes of an MA-S address may not uniquely identify the vendor on their own. You need the full 36-bit prefix (9 hex chars). This is another reason to use a comprehensive lookup tool like SwitchFirewall that includes all block types.
IAB: Individual Address Block (Legacy)
IAB was the predecessor to MA-S, used from the early 2000s through 2014. Like MA-S, it allocated 4,096 addresses per block. The key difference was that IAB blocks always used IEEE-owned OUIs (specifically 00-50-C2 and later 40-D8-55), so the 24-bit OUI portion wasn't exclusively the vendor's; only the 36-bit combination was unique to them.
IAB assignments are no longer issued, but thousands of existing devices in the field still carry IAB-based MAC addresses. The SwitchFirewall database includes the full IAB registry so these legacy devices can still be identified.
CID: Company ID
CID is a 24-bit identifier similar in length to MA-L, but it is not intended for use as a standard MAC address in network interfaces. Instead, CIDs appear in specific IEEE protocol contexts, such as certain EtherType identifiers and proprietary protocol headers. Very few CID assignments exist. If a MAC lookup returns a CID result, the device may be using a special-purpose identifier rather than a standard IEEE 802 MAC.
MAC Address Block Type Comparison
Here's a quick reference table covering all five block types tracked by the SwitchFirewall database:
| Block Type | Prefix | Addresses | Status | Typical User | Example OUI |
|---|---|---|---|---|---|
| MA-L | 24 bits | ~16.7 million | Active | Large enterprise | 00-00-0C (Cisco) |
| MA-M | 28 bits | ~1 million | Active | Mid-size company | C8-5C-E2-7 |
| MA-S | 36 bits | 4,096 | Active | Small vendor / IoT | 70-B3-D5-9F3 |
| IAB | 36 bits | 4,096 | Legacy | Pre-2014 small vendor | 00-50-C2-xxx |
| CID | 24 bits | N/A | Special | Protocol use only | Rare assignments |
When you use the SwitchFirewall MAC Lookup, the result always shows the block type alongside the vendor name. This lets you immediately understand the context of the assignment, whether you're dealing with a major OEM, a small IoT startup, or a legacy IAB device.
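Added example (not SwitchFirewall's code and not part of the original page): a lookup that first applies the I/G and U/L bit checks described earlier, then tries the 36-, 28- and 24-bit prefixes in that order. The registry is constructed from prefixes quoted on this page; the MA-M and MA-S holder names are placeholders, and the function names are assumptions.

```python
import re

# Constructed registry: the prefixes are the ones quoted on this page; the
# MA-M and MA-S holder names are placeholders because the page names none.
REGISTRY = {
    "00000C": ("MA-L", "Cisco"),
    "B827EB": ("MA-L", "Raspberry Pi"),
    "C85CE27": ("MA-M", "placeholder MA-M holder"),
    "70B3D59F3": ("MA-S", "placeholder MA-S holder"),
}

def normalize(mac):
    """Accept colon, hyphen, Cisco-dot or plain notation; return 12 hex chars."""
    digits = re.sub(r"[\s:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def lookup(mac, registry=REGISTRY):
    digits = normalize(mac)
    first = int(digits[:2], 16)
    result = {
        "mac": digits,
        "multicast": bool(first & 0x01),             # I/G bit (bit 0)
        "locally_administered": bool(first & 0x02),  # U/L bit (bit 1)
        "block": None, "prefix": None, "vendor": None,
    }
    # A locally administered address was never assigned from the registry and
    # a group address names no single NIC, so skip the vendor lookup for both.
    if result["multicast"] or result["locally_administered"]:
        return result
    # Longest prefix first: 36 bits (9 hex), 28 bits (7 hex), 24 bits (6 hex).
    for width in (9, 7, 6):
        hit = registry.get(digits[:width])
        if hit:
            result["block"], result["vendor"] = hit
            result["prefix"] = digits[:width]
            break
    return result
```

An address under 70-B3-D5 whose 36-bit prefix is not in the registry comes back with no vendor, which is the misidentification the block-type sections warn about.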
MAC Address Lookup in IT Troubleshooting
For network engineers and IT administrators, MAC address lookups are one of the most practical and time-saving skills in the toolkit. Here are the most common scenarios where a MAC lookup directly helps resolve issues faster:
Identifying Unknown or Rogue Devices
When a new device appears on your network (visible in a switch's MAC address table or your DHCP server's lease list), you may not know what it is. Paste the first 6 characters of the MAC address into a lookup tool. The vendor name instantly narrows down what you're dealing with: an employee's personal smartwatch, a forgotten IP camera, or potentially an unauthorized device.
Security Auditing & Network Inventory
Export your ARP table or DHCP lease log and run each MAC address through the lookup tool. Map every device to a vendor, then cross-reference against your expected inventory. Any vendor you don't recognize (a Chinese IoT OEM, an unknown consumer brand) warrants investigation. This is especially important for compliance audits (PCI DSS, HIPAA, ISO 27001) where unmanaged devices on the network must be documented or removed.
Connectivity Troubleshooting with ARP
If a device can't reach the gateway, a common step is checking the ARP table (arp -a on Windows/Linux, show ip arp on Cisco). If the gateway's ARP entry resolves to an unexpected MAC address, you may have an ARP spoofing attack or a duplicate IP issue. Look up the suspicious MAC to see if it matches your gateway hardware vendor; a mismatch is a red flag.
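The gateway check from this section and the inventory cross-reference from the auditing section, as an added example that is not from the original page. The arp -n output, the gateway record, the inventory and the function name are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -n` output: the gateway 192.168.1.1 and host 192.168.1.77
# both resolve to the same MAC, which is not the gateway's recorded address.
ARP_OUTPUT = """\
Address          HWtype  HWaddress           Flags Mask  Iface
192.168.1.1      ether   b8:27:eb:aa:bb:cc   C           eth0
192.168.1.23     ether   00:00:0c:11:22:33   C           eth0
192.168.1.50             (incomplete)                    eth0
192.168.1.77     ether   b8:27:eb:aa:bb:cc   C           eth0
"""
EXPECTED_GATEWAYS = {"192.168.1.1": "00:00:0c:12:34:56"}  # hypothetical record
INVENTORY = {"00:00:0c:12:34:56", "00:00:0c:11:22:33"}    # hypothetical asset list

ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s.*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def audit_arp(text, gateways, inventory):
    """Return (finding, ip, mac) tuples for one ARP table snapshot."""
    ip_to_mac, mac_to_ips = {}, defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header and "(incomplete)" rows carry no MAC
            continue
        ip, mac = m.group(1), m.group(2).lower()
        ip_to_mac[ip] = mac
        mac_to_ips[mac].append(ip)
    findings = []
    # Gateway entry resolving to anything but the recorded MAC.
    for ip, want in gateways.items():
        seen = ip_to_mac.get(ip)
        if seen and seen != want.lower():
            findings.append(("gateway_mac_mismatch", ip, seen))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:  # one MAC answering for several IPs
            findings.append(("mac_claims_multiple_ips", ",".join(sorted(ips)), mac))
        if mac not in inventory:
            findings.append(("not_in_inventory", ips[0], mac))
    return findings
```

A MAC that answers for several IPs is also normal for a router or a proxy-ARP device, so treat that finding as a lead to verify rather than proof of spoofing.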
Wireless Client Identification
When managing wireless networks, the client association table on your access points lists every connected device by MAC address. If you see an unfamiliar device connecting repeatedly to your SSID (potentially causing interference or consuming bandwidth), a quick lookup can reveal whether it's a consumer device (Amazon Echo, Google Chromecast), a mobile phone, or something unexpected like an industrial scanner or POS terminal.
DHCP Conflict & Duplicate MAC Resolution
DHCP conflicts can occur when two devices share the same MAC address (hardware fault, cloning, or virtual machine misconfiguration). By looking up both conflicting MAC addresses, you can determine if they are from the same vendor or completely different manufacturers, helping you pinpoint whether it's a cloning issue or a genuine hardware fault on a specific device type.
Validating Hardware Authenticity
Counterfeit network hardware is a real issue in enterprise environments. If you purchase a "Cisco" switch or "Aruba" access point, the MAC address OUI should match a known Cisco or Aruba block. If a lookup returns a completely different vendor, or an obscure OEM, the device may be counterfeit, rebranded, or tampered with. This is a first-pass hardware authenticity check.
Spanning Tree & Switching Issues
When troubleshooting spanning tree problems (STP loops, topology changes), switch MAC address tables can contain stale or unexpected entries. Identifying the vendor of a MAC causing frequent topology change notifications (TCNs) can help you locate the physical device triggering the issue, which is particularly useful in large campus networks where manually tracing a MAC through switch logs is time-consuming.
Use show mac address-table | include [OUI] to filter by vendor prefix and trace the port quickly.
How to Use the SwitchFirewall MAC Lookup Tool
The SwitchFirewall MAC Address Lookup is designed to handle every scenario an IT engineer might encounter. Here's how to get the most out of it:
Search by full MAC address: Paste the complete MAC (any format: colon, hyphen, Cisco dot, or plain). The tool identifies the vendor and shows the block type, prefix, and IEEE registration details.
Search by OUI / partial MAC: Enter just the first 3 bytes (6 hex chars) to look up the vendor without the full address. Useful when working with logs that truncate MAC addresses.
Search by vendor name: Type a company name like "Apple", "Cisco", or "Raspberry Pi" to get a list of all registered MAC prefixes for that vendor. Ideal for building vendor-based ACLs or auditing your network inventory.
Check the block type: The result clearly shows whether the OUI is MA-L, MA-M, MA-S, IAB, or CID. This is critical context when interpreting results, especially for IoT devices that often use MA-S blocks.
Use results for further action: Cross-reference the vendor name against your asset inventory, firewall rules, or DHCP reservations to take appropriate follow-up action.
The database is refreshed daily from the official IEEE registry, so newly registered vendors and recent OUI assignments are always available. This is especially important for tracking emerging IoT manufacturers who register MA-S blocks frequently.
Useful CLI Commands for MAC Address Lookup
Use these commands to extract MAC addresses from devices and logs for use with the lookup tool:
Windows
C:\> ipconfig /all
# Look for "Physical Address" under each adapter
C:\> arp -a
# Lists ARP cache: IP address to MAC address mappings
PS C:\> Get-NetAdapter | Select Name, MacAddress
# PowerShell: List all adapters with MAC addresses
Linux / macOS
$ ip link show
# Linux: Shows all interfaces with MAC addresses
$ ifconfig -a
# macOS/Linux: Shows MAC as "ether" field
$ arp -n
# Show ARP table without hostname resolution
$ sudo arp-scan --localnet
# Scan local network and show MAC/vendor (install arp-scan first; it needs root to send raw ARP frames)
Cisco IOS
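SW# show mac address-table
# Full MAC address forwarding table
SW# show mac address-table address 001A.2B3C.4D5E
# Find specific MAC: shows VLAN and port
SW# show ip arp
# ARP table with IP-to-MAC mappings
SW# show mac address-table | include 001a.2b
# Filter by OUI prefix: in Cisco format the 6 hex chars span the first group and half of the second. IOS prints MACs in lowercase and include is case-sensitive, so type the prefix in lowercase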
Network-wide Discovery
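$ sudo nmap -sn 192.168.1.0/24
# Ping scan: shows IP and MAC for all active hosts
# Nmap resolves OUI from its built-in database. There is no --vendor option: the MAC and vendor are reported automatically, but only for hosts on the local segment and only when Nmap runs with root privileges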
Frequently Asked Questions
Can a MAC address reveal a specific device model?
No. A MAC lookup reveals the manufacturer only, not the specific model. Cisco might make routers, switches, IP phones, and cameras all under the same OUI. You'd need to combine the vendor information with other context (DHCP fingerprinting, open ports, device behavior) to identify the exact model.
Why does my MAC lookup return "locally administered" or no result?
If the second-least-significant bit of the first byte is set to 1, the MAC is locally administered, meaning it was manually configured or randomly generated by software. Modern operating systems (iOS 14+, Android 10+, Windows 10+) use randomized MAC addresses for privacy. These addresses won't appear in any IEEE database since they're not globally assigned.
What's the difference between MA-S and IAB? My device shows IAB.
Both MA-S and IAB allocate 4,096 addresses with a 36-bit prefix. The key difference is historical: IAB was the older system (pre-2014) using IEEE-owned OUIs. MA-S replaced it and is the current standard. If your device shows an IAB result, it was manufactured before or shortly after 2014. The device is still fully functional; IAB blocks can continue to be used indefinitely.
Can two devices have the same MAC address?
In theory, no: MAC addresses are supposed to be globally unique. In practice, duplicates can occur due to manufacturing errors, deliberate MAC cloning (common in consumer routers), virtual machines reusing MACs, or counterfeit hardware copying legitimate MACs. Within the same network segment, duplicate MACs cause serious connectivity issues including intermittent packet loss and ARP conflicts.
How accurate is the SwitchFirewall MAC lookup database?
The database is sourced directly from the official IEEE Registration Authority public registries (MA-L, MA-M, MA-S, IAB, CID) and is refreshed every 24 hours. Accuracy is as high as the IEEE data itself, the authoritative source for all MAC address assignments worldwide. For newly registered OUIs, there may be up to a 24-hour delay before the lookup reflects the latest data.
Does looking up a MAC address expose any privacy information?
No. MAC address lookups only reveal the manufacturer of the hardware, not who owns the device, where it is located, or any personal information. The OUI is a public registry. The device-specific portion (last 3 bytes) is not stored or tracked by IEEE or the lookup database.
Can I look up multiple MAC addresses at once?
The SwitchFirewall tool currently supports single lookups through the web interface, which is optimized for quick one-off queries during troubleshooting. For bulk lookups, consider using the MAC address prefixes directly against the downloaded IEEE CSV files, which are available from the IEEE Registration Authority website.