Systems, methods, and related technologies including media access control (MAC) address spoofing detection are described. The MAC address spoofing detection and response may include accessing a first media access control (MAC) address associated with a first communication on a first port of a first network device coupled to a network, accessing a second media access control (MAC) address associated with a second communication on a second port of a second network device coupled to the network, and determining that the second MAC address matches the first MAC address The method further includes identifying a device associated with the first or second communication as being associated with a spoofing event based on the second port differing from the first port and based on the first and second timestamps being within a threshold amount of time from one another and performing an action associated with the first or second port.