Media Access Control (MAC) addresses are essential identifiers used in computer networking to uniquely label devices within a local network. They play a critical role at the data link layer.
What is a MAC address?
A MAC address is a permanent, unique identifier assigned to the Network Interface Card (NIC) of a device. This identifier is crucial for identifying devices on a local area network (LAN), enabling communication between them at the hardware level.
Each device that connects to a network—whether it's a computer, printer, smartphone, or smart appliance—has a NIC. The MAC address assigned to this NIC ensures that the device can be distinguished from all others on the network.
A MAC address is typically burned into the NIC by the manufacturer during production, which makes it a hardware-level identifier.
It is also known as a physical address or hardware address.
Although it is fixed in most cases, modern operating systems may allow users to temporarily change or "spoof" a MAC address for privacy or testing purposes.
The MAC address is used within the local network. It is not used for identifying devices across different networks or on the internet. That function is performed by IP addresses.
Structure and format of a MAC address
Bit length and notation
A MAC address is made up of 48 bits, which equals 6 bytes. It is commonly displayed as a string of 12 hexadecimal digits, grouped into six pairs separated by colons or hyphens.
FAQ
In theory, every MAC address should be globally unique, but in practice, MAC address duplication can occur—either accidentally due to manufacturing errors or intentionally through MAC address spoofing. If two devices on the same local network have identical MAC addresses, the switch or network infrastructure can become confused about where to forward frames. This results in intermittent or total communication failure for one or both devices. The switch maintains a MAC address table that maps each MAC address to a specific port. When the same MAC address is seen on multiple ports, the switch constantly updates the mapping, leading to flapping—a condition where frames are inconsistently forwarded or dropped. Duplicate MAC addresses can disrupt ARP tables, confuse routers, and cause denial-of-service-like conditions in the LAN. Network administrators typically use packet sniffers or switch logs to identify and resolve such conflicts quickly. Resolving this often involves changing the MAC address manually or removing the conflicting device.
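The flapping condition described above can be picked out of switch learning events with a small sliding-window check. This is an added example, not part of the original page; the event tuples, port names, window and threshold are constructed assumptions rather than any vendor's log format.

```python
from collections import defaultdict, deque

# Constructed sample of MAC-learning events: (seconds, MAC as logged, port).
EVENTS = [
    (0.0, "00:11:22:33:44:55", "Gi0/1"),
    (0.4, "66:77:88:99:aa:bb", "Gi0/2"),
    (1.0, "00-11-22-33-44-55", "Gi0/7"),   # same address, hyphen notation, other port
    (1.5, "00:11:22:33:44:55", "Gi0/1"),
    (2.1, "00:11:22:33:44:55", "Gi0/7"),
    (2.5, "66:77:88:99:AA:BB", "Gi0/2"),   # stable host, only the letter case differs
    (90.0, "66:77:88:99:aa:bb", "Gi0/3"),  # one move: a host that was re-plugged
]

def normalize(mac):
    """Return a 48-bit MAC as six lowercase hex pairs separated by colons."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_flapping(events, window=10.0, min_moves=3):
    """Map each MAC that changed port min_moves times within window to its ports."""
    last_port = {}
    moves = defaultdict(deque)       # MAC -> timestamps of recent port changes
    ports_seen = defaultdict(set)    # MAC -> every port it has appeared on
    flapping = {}
    for ts, raw_mac, port in sorted(events):
        mac = normalize(raw_mac)
        ports_seen[mac].add(port)
        if mac in last_port and last_port[mac] != port:
            recent = moves[mac]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()     # forget moves older than the window
            if len(recent) >= min_moves:
                flapping[mac] = sorted(ports_seen[mac])
        last_port[mac] = port
    return flapping

if __name__ == "__main__":
    for mac, ports in find_flapping(EVENTS).items():
        print(f"{mac} is flapping between {', '.join(ports)}")
```

Normalising the notation first matters because the same address logged with colons, hyphens or different letter case would otherwise be counted as separate devices.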
MAC address randomisation is primarily a privacy feature used during network discovery, not during active communication. When a device scans for available Wi-Fi networks, it may temporarily adopt a randomised MAC address to prevent tracking across different locations. However, once the device connects to a Wi-Fi network, it switches back to its original MAC address. This is because many networks, especially enterprise ones, rely on the permanent MAC address for assigning IP addresses (DHCP leases), implementing access control (like MAC filtering), and ensuring consistent Quality of Service (QoS) policies. Randomising the MAC address during active transmission would disrupt these systems. It would also make network diagnostics, user identification, and traffic routing more difficult. Furthermore, routers and access points often maintain session information based on MAC addresses, so using a random address during communication could lead to dropped packets, failed handshakes, or authentication issues. Therefore, for network stability and reliability, MAC address randomisation is disabled during actual connections.
Network switches operate at the data link layer and use MAC addresses to create a MAC address table (also called a CAM table). When a frame enters a switch, it reads the source MAC address and the incoming port. It records this information to learn which device is reachable through which port. When the switch receives a frame with a destination MAC address, it consults this table to decide where to send the frame, forwarding it only to the relevant port instead of broadcasting it to all connected devices. This targeted forwarding improves network efficiency by reducing unnecessary traffic, decreasing collisions, and minimising congestion on the network. If the switch has no record of the destination MAC address, it performs a flooding operation, sending the frame to all ports except the source. Once it learns the location of the destination device, it updates the table and uses it for all future communications, making the LAN more scalable and efficient.
If a switch's MAC address table becomes full, it cannot store new entries for unknown devices. This condition is known as MAC table overflow, and it can severely impact network performance and security. When a switch receives a frame from an unknown MAC address while the table is full, it cannot learn or store the new MAC-port mapping. As a result, it defaults to flooding the frame to all ports, just like a hub. This creates excessive broadcast traffic, increases collision domains, and can even allow traffic sniffing by malicious devices. Attackers can exploit this behaviour using MAC flooding attacks, where they deliberately send frames with bogus MAC addresses to fill the switch’s table. Once overflowed, the switch fails open and begins broadcasting all traffic, exposing sensitive data to all devices on the network. To prevent this, modern switches implement port security, aging mechanisms, or dynamic ARP inspection to limit the number of allowable MAC addresses and mitigate such risks.
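The learning, flooding and overflow behaviour from the last two answers, and the effect of a per-port address limit, can be seen in a small model. This is an added example and not code from the original page: the `LearningSwitch` class, the table size of 8, the limit of 2 and the drop-on-violation behaviour are assumptions chosen for illustration, and all addresses are constructed.

```python
class LearningSwitch:
    """Toy model of MAC learning; not any vendor's implementation."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None: port security off
        self.table = {}        # source MAC -> port it was learned on
        self.violations = []   # (port, MAC) pairs refused by port security

    def _learn(self, port, src):
        """Record src on port. Return False if port security rejects the frame."""
        if src in self.table:
            self.table[src] = port
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, src))
                return False
        if len(self.table) < self.table_size:
            self.table[src] = port
        return True   # table full: frame is still forwarded, just not learned

    def receive(self, port, src, dst):
        """Return the ports a frame is sent out of (empty list = dropped)."""
        if not self._learn(port, src):
            return []
        if dst in self.table:
            out = self.table[dst]
            return [] if out == port else [out]
        return [p for p in self.ports if p != port]   # unknown destination: flood


def a_to_b_after_churn(max_macs_per_port):
    """Where does A's frame to B go after port 3 presents 20 unseen source MACs?"""
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed
    sw = LearningSwitch([1, 2, 3, 4], table_size=8,
                        max_macs_per_port=max_macs_per_port)
    sw.receive(1, host_a, host_b)
    for i in range(20):
        sw.receive(3, f"02:00:00:00:01:{i:02x}", host_a)
    sw.receive(2, host_b, host_a)   # B speaks only after the churn
    return sw.receive(1, host_a, host_b), len(sw.violations)


if __name__ == "__main__":
    print("no port security:", a_to_b_after_churn(None))
    print("limit of 2 per port:", a_to_b_after_churn(2))
```

Without the limit, the table is full before B is learned, so A's frame to B goes out of ports 2, 3 and 4; with the limit, port 3 is capped at two entries, B is learned normally, and the frame leaves on port 2 only.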
The Address Resolution Protocol (ARP) acts as a bridge between the network layer (IP addresses) and the data link layer (MAC addresses). When a device wants to communicate with another device on the same network, it first checks its ARP cache to see if it already knows the MAC address that corresponds to the destination IP address. If not, it sends out an ARP request—a broadcast message asking, “Who has IP address X?” All devices on the local network receive this request, but only the device with that IP address replies with an ARP reply, providing its MAC address. The sending device then stores this information in its cache and uses it to frame the packet correctly. This allows the device to send the data directly to the correct hardware. ARP interactions occur constantly in real-time and are crucial for efficient local communication. If ARP fails or is spoofed, data may not be delivered correctly or could be intercepted, posing a security risk.
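To make the request/reply exchange and the spoofing risk concrete, the following decodes Ethernet/IPv4 ARP messages (the 28-byte layout from RFC 826) and reports any sender whose IP-to-MAC binding contradicts the first one seen. This is an added example, not part of the original page; the function names and the sample messages are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 layout for Ethernet + IPv4, 28 bytes

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP message into a dict."""
    if len(payload) < 28:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": sha.hex(":"),
        "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
    }

def binding_changes(payloads):
    """Return (ip, first_mac, new_mac) for each message contradicting the first binding."""
    first_seen, alerts = {}, []
    for payload in payloads:
        msg = parse_arp(payload)
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts

def make_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed sample message for the demo data below."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sender_mac.replace(":", "")), socket.inet_aton(sender_ip),
        bytes.fromhex(target_mac.replace(":", "")), socket.inet_aton(target_ip))

# Constructed traffic: a request, the genuine reply, then a conflicting reply.
SAMPLES = [
    make_arp(1, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    make_arp(2, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
    make_arp(2, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
]

if __name__ == "__main__":
    for ip, old, new in binding_changes(SAMPLES):
        print(f"{ip} was at {old}, now claimed by {new}")
```

A binding can also change for benign reasons, such as a replaced NIC or a reassigned address, so a report from this check is a prompt to investigate rather than proof of spoofing.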
