MAC filtering is a network access control technique that allows or denies a device's connection based on its media access control (MAC) address, so only approved hardware addresses can join the network.
MAC filtering is a way to control who gets onto a network by checking each device's MAC address, the unique hardware identifier burned into a network interface. You build an allow list (or block list) of approved MAC addresses, and the switch or access point only lets matching devices connect. Think of it like a guest list at a door: if your hardware address isn't on the list, you don't get in.
In AP Cybersecurity, MAC filtering shows up under Unit 3: Securing Networks, specifically topic 3.1, as one of the controls that hardens a LAN against the attacks described in the CED. It's closely tied to switch port security, because both try to stop unauthorized devices from physically or logically joining a local area network. But here's the catch the exam wants you to understand: MAC addresses can be faked. An adversary who performs MAC spoofing can copy an approved address and slip right past the filter, which is exactly why MAC filtering is treated as a weak, supplementary control rather than a real security boundary.
MAC filtering lives in Unit 3, topic 3.1 (Network Vulnerabilities and Attacks), and supports [AP Cybersecurity 3.1.B], where you explain how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication. EK 3.1.B.3 directly calls out that an adversary who physically plugs into a data port can reach the LAN through a switch port unless port security is enabled. MAC filtering is one layer of that port-level defense. It also connects to [AP Cybersecurity 3.1.C] when you assess risk, because knowing that MAC filtering can be bypassed by spoofing is part of documenting residual risk to confidentiality, integrity, and availability.
Keep studying AP Cybersecurity Unit 3
Visual cheatsheet
view galleryMAC Spoofing (Unit 3)
MAC spoofing is the attack that defeats MAC filtering. An adversary copies an approved MAC address so the filter waves them through. If you can explain why filtering fails against spoofing, you understand the control's real limit.
ARP Poisoning and the MAC Address (Unit 3)
ARP maps IP addresses to MAC addresses in a table on the default gateway. MAC filtering relies on those same hardware addresses, so the same thing that makes ARP poisoning possible (faking a MAC) also undermines filtering.
Network Segmentation and VLANs (Unit 3)
Because MAC filtering alone is weak, you layer it with stronger controls. VLANs and network segmentation limit how far a compromised device can move (EK 3.1.B.2's lateral movement), giving you defense in depth instead of one breakable list.
MAC Flooding (Unit 3)
MAC flooding overwhelms a switch's address table to force it to broadcast traffic. It and MAC filtering both center on how switches handle MAC addresses, so studying them together cements how Layer 2 controls and attacks work.
Expect MAC filtering in multiple-choice questions about LAN access control and switch port security, often paired with a stem asking which control stops an unauthorized device from plugging in, or which attack (spoofing) bypasses it. No released FRQ has used this term verbatim, but it fits the kind of risk-assessment response 3.1.C rewards: name the control, then explain its weakness. On an FRQ you might be asked to recommend a defense and justify it, where the strong answer notes that MAC filtering helps but must be combined with port security, segmentation, or VLANs because spoofing defeats it alone.
MAC filtering is the defense (an allow/block list of hardware addresses), while MAC spoofing is the attack that fakes an approved address to slip past that list. One protects the network; the other breaks the protection. They share the word MAC, so don't mix up which is the control and which is the exploit.
MAC filtering allows or blocks devices by their MAC address, acting as a hardware-based guest list for the network.
It supports port security at the switch level (EK 3.1.B.3), helping stop an unauthorized device that plugs into a data port.
MAC filtering is a weak control on its own because MAC spoofing lets an adversary fake an approved address and bypass the filter.
Use it as one layer of defense in depth alongside VLANs and network segmentation, not as your only safeguard.
On the exam, be ready to name MAC filtering as a control and explain its limitation when assessing network risk under 3.1.C.
MAC filtering is a network access control that allows or denies devices based on their MAC address. In Unit 3 it's one layer of switch port security that helps keep unauthorized hardware off a LAN.
No. It's considered weak because MAC addresses can be faked through MAC spoofing, letting an adversary copy an approved address and bypass the filter. Treat it as a supplementary control, not a real boundary.
MAC filtering is the defense (a list of approved hardware addresses), while MAC spoofing is the attack that fakes one of those addresses to get past the list. One protects the network; the other defeats the protection.
Port security, which can include MAC filtering, is meant to stop unauthorized devices that physically plug into a data port (EK 3.1.B.3). Without it, an adversary can reach the LAN through the switch port.
Combine it with VLANs and network segmentation so a compromised device can't move laterally across the network, plus properly configured firewalls. Layering controls gives you defense in depth instead of one breakable list.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.