MAC Address Guide: Format, OUI, Random Generation, and Privacy
Every network interface — physical or virtual — carries a 48-bit identifier baked in at the factory or assigned at runtime. Understanding its structure matters when you configure VMs, debug Layer 2 problems, or work with network access control. Use the MAC Address Generator to follow along and generate addresses as you read.
Anatomy of a MAC Address
A MAC address is 48 bits wide — 6 bytes. It is split into two equal halves:
| Bytes | Name | Assigned by | Example |
|---|---|---|---|
| 0–2 (first 3) | OUI — Organizationally Unique Identifier | IEEE to the vendor | 00:1A:2B |
| 3–5 (last 3) | NIC-specific (device identifier) | Vendor to each device | 3C:4D:5E |
The IEEE maintains the OUI registry. Each registered block costs a few hundred dollars and grants a vendor 16 million unique device identifiers. You can look up any OUI at regauth.ieee.org or through free APIs described later in this article.
Address Formats
The same address is written differently depending on the platform:
| Format | Separator | Platform | Example |
|---|---|---|---|
| Colon-separated | : | Linux, macOS, Unix | 00:1A:2B:3C:4D:5E |
| Hyphen-separated | - | Windows | 00-1A-2B-3C-4D-5E |
| Dot-separated groups | . | Cisco IOS | 001A.2B3C.4D5E |
All three represent the same address. Parsers must accept any separator; storage and comparison should normalize to one canonical form (lowercase colon-separated is common).
The Two Special Bits in the First Byte
The least-significant bits of byte 0 carry two flags that change the interpretation of the entire address:
| Bit | Name | 0 means | 1 means |
|---|---|---|---|
| bit 0 (LSB) | I/G — Individual / Group | Unicast (single destination) | Multicast or broadcast |
| bit 1 | U/L — Universal / Local | Globally unique (IEEE-assigned OUI) | Locally administered |
A valid random unicast MAC must have the I/G bit clear (address is unicast) and the U/L bit set (address is locally administered, not claiming to be vendor-assigned). In hex, this means byte 0 must satisfy: (byte0 & 0x01) === 0 and (byte0 & 0x02) !== 0.
The simplest approach: force byte 0 to 0x02 (binary 0000 0010) or OR any random byte with 0x02 and AND with 0xFE.
Well-Known Prefixes
Certain OUI prefixes are so common in virtualization and networking that recognizing them immediately tells you what you are looking at:
| Prefix | Vendor / Use |
|---|---|
00:00:5E | IANA (VRRP virtual routers, multicast) |
00:50:56 | VMware (ESXi vNICs) |
02:42 | Docker (container interfaces — docker0 bridge and veth pairs) |
52:54:00 | QEMU / KVM virtual machines |
00:15:5D | Microsoft Hyper-V |
08:00:27 | VirtualBox (PCS Systemtechnik) |
Network scanners and IDS rules frequently flag these prefixes. If a device in your fleet shows a 52:54:00 address on a physical switch port, something unexpected is running.
Why VMs and Containers Need Unique MACs
On a shared Layer 2 segment (VLAN, bridge, overlay network) every interface must have a distinct MAC address. Duplicate MACs cause ARP cache poisoning: switches and hosts learn the wrong port-to-address mapping, silently redirecting traffic. The symptoms look like intermittent packet loss or inexplicable TCP resets.
Hypervisors like KVM and VMware generate MACs deterministically from a combination of the host ID and VM UUID to minimize collisions. Docker assigns MACs in the 02:42:xx:xx:xx:xx range with the last four bytes derived from the container IP. If you clone VMs without regenerating their MAC addresses, you will eventually see duplicate address conflicts — especially in automated lab or CI environments spinning up many identical images.
Privacy Randomization in Modern Operating Systems
Since roughly 2014–2017, Android, iOS, and Windows 10/11 have shipped with per-network MAC randomization for Wi-Fi. Instead of broadcasting the hardware-burned address, the OS generates a random locally-administered MAC for each SSID (and often rotates it periodically).
The motivation is tracking prevention: a static MAC in a probe request lets retailers and airports fingerprint a device across visits without any authentication. Randomization breaks that correlation.
The practical consequences for network administrators:
- Captive portals that store MAC addresses to skip re-authentication will force users to log in again after a rotation event.
- DHCP reservations tied to MAC addresses stop working reliably — use username or certificate-based assignment instead.
- 802.1X (EAP) network access control is unaffected if authentication is certificate- or credential-based, but MAC-Authentication Bypass (MAB) deployments will break silently.
- Per-SSID randomization means the same phone appears as a different device on your corporate Wi-Fi versus the guest network — even at the same moment if it can see both.
Generating a Valid Random MAC
The rule is straightforward: generate 6 random bytes, clear bit 0 of byte 0 (unicast), set bit 1 of byte 0 (locally administered). Here is the same logic in three languages:
// Node.js
import { randomBytes } from 'crypto';
function randomMac() {
const bytes = randomBytes(6);
bytes[0] = (bytes[0] & 0xfe) | 0x02; // clear multicast, set local
return Array.from(bytes)
.map(b => b.toString(16).padStart(2, '0'))
.join(':');
}
console.log(randomMac()); // e.g. "02:a3:7f:1c:84:e9"# Python 3
import secrets
def random_mac() -> str:
raw = list(secrets.token_bytes(6))
raw[0] = (raw[0] & 0xFE) | 0x02 # clear multicast, set local
return ':'.join(f'{b:02x}' for b in raw)
print(random_mac()) # e.g. "02:5d:c1:88:3a:f4"// Go
package main
import (
"crypto/rand"
"fmt"
)
func randomMAC() string {
b := make([]byte, 6)
rand.Read(b)
b[0] = (b[0] & 0xfe) | 0x02 // clear multicast, set local
return fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x",
b[0], b[1], b[2], b[3], b[4], b[5])
}
func main() {
fmt.Println(randomMAC())
}OUI Lookup
Given a MAC address, you can identify the vendor from its first three bytes. The IEEE publishes the full registry as a downloadable CSV at regauth.ieee.org/oui/oui.csv. For programmatic lookups without maintaining a local copy, two free APIs are widely used:
https://api.macvendors.com/00:50:56— returns a plain-text vendor name, no key required for low-volume use.https://www.macvendorlookup.com/api/v2/00:50:56— returns JSON with vendor, address, and country.
For offline or high-volume use, download the IEEE CSV (~3 MB) and index it by the 3-byte OUI. The first column is the OUI in AABBCC hex format, the second is the vendor name. A simple hash map lookup runs in constant time and avoids network calls entirely.
Pitfalls
- Broadcast address (
FF:FF:FF:FF:FF:FF) — all bits set. Any frame sent to this address is delivered to every device on the segment. Never use it as a source address. - Locally administered does not mean collision-free — setting the U/L bit signals intent but provides no global uniqueness guarantee. Two hosts independently generating random MACs can still collide. The probability is low (birthday problem across 48 bits) but non-zero; do not skip collision checks in large automated environments.
- MAC spoofing — most operating systems let any privileged process change the MAC of an interface (
ip link set dev eth0 address 02:xx:xx:xx:xx:xxon Linux). This is legitimate for privacy and VM management but also the mechanism behind ARP spoofing attacks. - 802.1X and MAB — enterprise networks using MAC Authentication Bypass whitelist specific addresses. Privacy randomization in client OSes silently breaks these deployments because the client presents a new address on every connection.
- IPv6 SLAAC privacy — historic SLAAC derived the interface identifier from the MAC address (EUI-64), leaking the hardware address into the IPv6 address. RFC 8981 temporary addresses and RFC 7217 stable semantically opaque IIDs both mitigate this. Avoid assuming a MAC is embedded in an IPv6 address on any modern OS.
Generate valid random MAC addresses — with correct bit flags and your choice of format — in the browser using the MAC Address Generator. See also IPv4 and CIDR Subnetting Guide for Layer 3 context, and the Generators Guide for an overview of all generator tools.