A MAC (media access control) address is the unique hardware identifier assigned to a device's network interface, paired with an IP address by ARP so devices can find each other on a local network. Faking one is called MAC spoofing.
A MAC address (media access control address) is the physical, hardware-level ID assigned to a device's network interface card. Think of the IP address as your mailing address (it can change depending on where you connect) and the MAC address as your fingerprint (it's tied to the actual hardware). On a local network, devices don't talk to each other by IP alone. The address resolution protocol (ARP) builds a table that pairs each IP address with its matching MAC address so traffic knows which physical device to reach (EK 3.1.A.1).
That pairing is exactly what makes MAC addresses a target. In an ARP poisoning attack, an adversary floods the default gateway with falsified ARP packets, tricking the table into linking the target's IP to the attacker's MAC. Now traffic meant for the victim quietly flows to the attacker instead. Lying about a MAC address to pull this off is called MAC spoofing, and the whole scheme is a classic on-path (man-in-the-middle) attack (EK 3.1.A.1).
MAC addresses sit at the center of Topic 3.1 (Network Vulnerabilities and Attacks) in Unit 3: Securing Networks. They anchor learning objective AP Cybersecurity 3.1.A, where you identify common network attacks like ARP poisoning and MAC spoofing. They also feed 3.1.B, since spoofing a legitimate device is one of the core ways adversaries inject malicious traffic into a network (EK 3.1.B.1). The bigger theme: any attack that messes with MAC-to-IP trust threatens the CIA triad. An on-path attacker can read your data (confidentiality), alter it in transit (integrity), and disrupt the flow (availability), which is exactly the risk picture EK 3.1.C.1 asks you to assess.
Keep studying AP Cybersecurity Unit 3
Visual cheatsheet
view galleryMAC Spoofing (Unit 3)
MAC spoofing is what an attacker DOES to a MAC address, faking it to impersonate a trusted device. It's the move that makes ARP poisoning work, because the poisoned table now points the victim's IP at the attacker's spoofed MAC.
MAC Flooding (Unit 3)
Same hardware ID, different attack. Instead of faking one MAC, MAC flooding overwhelms a switch with tons of fake MAC addresses until it gives up and broadcasts traffic to everyone, letting the attacker sniff it.
MAC Filtering (Unit 3)
MAC filtering is the defense side of the same coin. It only lets approved MAC addresses onto the network, but because spoofing exists, a determined attacker can copy an allowed MAC and slip right past it.
LAN and Port Security (Unit 3)
MAC-based attacks live on the local area network, where devices share a switch. EK 3.1.B.3 notes that someone plugging into a data port can reach the LAN unless port security is on, which is precisely where MAC controls come in.
Expect MAC addresses in multiple-choice questions that test the ARP chain of logic. One common stem describes an admin mapping IP addresses to MAC addresses on a local network and asks which protocol does it (answer: ARP). Another describes falsified packets sent to the default gateway redirecting a target's traffic, and you name it as ARP poisoning. A third describes a device changing its MAC to match a legitimate one, which is MAC spoofing. You'll also see ARP poisoning offered as the correct example of an on-path (man-in-the-middle) attack. The skill being tested is connecting the dots: MAC plus IP plus ARP equals the table an attacker corrupts. No released FRQ has used this term verbatim, but the concept supports the kind of risk-and-mitigation analysis that 3.1.C rewards.
A MAC address is the fixed hardware ID on a device's network card and is used to deliver traffic on the local network. An IP address is the logical, often-changing address used to route traffic across networks. ARP is the translator that pairs them, and attacks like ARP poisoning work by corrupting that pairing.
A MAC address is a device's unique hardware identifier, while an IP address is its logical, changeable network address.
ARP builds a table pairing IP addresses with MAC addresses so devices can communicate on a local network (EK 3.1.A.1).
ARP poisoning corrupts that table by linking the target's IP to the attacker's MAC, redirecting traffic to the attacker.
MAC spoofing means faking a MAC address to impersonate a legitimate device, and it's a key ingredient in on-path attacks.
An on-path (man-in-the-middle) attack lets an adversary intercept and alter data in transit, threatening confidentiality, integrity, and availability (EK 3.1.C.1).
It's the unique hardware ID assigned to a device's network interface card. On a local network, ARP pairs each MAC address with an IP address so traffic reaches the right physical device (EK 3.1.A.1).
No. The MAC address is the fixed hardware fingerprint of the network card, and the IP address is the logical address that can change as you connect to different networks. ARP is the protocol that translates between them.
MAC spoofing is faking your device's MAC to match a legitimate one. ARP poisoning uses falsified ARP packets to corrupt the gateway's table so a target's IP points to the attacker's MAC. Spoofing is the impersonation; ARP poisoning is the attack that exploits it.
Because MAC-to-IP pairing is how local devices trust each other. By spoofing or poisoning that pairing, an adversary can stage an on-path (man-in-the-middle) attack and intercept or alter traffic meant for someone else (EK 3.1.A.1).
No. MAC filtering only allows approved MAC addresses, but since attackers can spoof an allowed MAC, it's not a complete defense. It's one layer alongside port security and other controls.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.