Layer 2 Switching vs Layer 3 Routing
A Layer 2 switch makes forwarding decisions using MAC addresses — the hardware addresses that identify network interfaces on the local link. A Layer 3 router makes forwarding decisions using IP addresses, which identify hosts across different networks. When your laptop sends traffic to a website, the switch handles local delivery to the router using MAC addresses, and the router then handles the multi-hop IP journey to the destination. The two devices solve different problems at different layers of the stack.
Some devices are Layer 3 switches, which can route between VLANs internally using switch VLAN interfaces (SVIs). But the core switching function — learning MAC addresses and forwarding frames — always operates at Layer 2.
The Three Basic Behaviors
| Behavior | What the Switch Does | Why |
|---|---|---|
| Learning | Records the source MAC and incoming port | Builds the MAC address table (CAM table) |
| Forwarding | Sends known destinations to one specific port | Avoids unnecessary traffic on other ports |
| Flooding | Sends unknown or broadcast traffic out all other ports | Finds destinations not yet in the table |
MAC Address Learning: Step by Step
- A laptop sends an Ethernet frame into switch port 3.
- The switch reads the source MAC address and records it as reachable through port 3 in the CAM table.
- The switch reads the destination MAC address.
- If the destination MAC is already in the CAM table, the switch forwards the frame only to that port — unicast forwarding.
- If the destination MAC is unknown, the switch floods the frame to all other ports in the same VLAN — the destination device will respond and the switch will learn its port.
- When the destination replies, the switch learns that MAC address too, and future frames are forwarded directly.
The CAM Table: O(1) Hardware Lookup
The MAC address table is stored in Content Addressable Memory (CAM) — specialized hardware that searches by content rather than by address. Instead of iterating through a list to find a MAC address (which would be O(n) and too slow at line rate), CAM returns the matching port in a single parallel hardware operation, effectively O(1) regardless of table size. This is what allows a switch to forward frames at wire speed across all ports simultaneously. CAM tables have a fixed size — typically from 8,000 to over 100,000 entries depending on the switch model. When the table fills up, new MAC entries evict older ones, and flooding increases until the table stabilizes.
What a MAC Table Looks Like
| MAC Address | Port | VLAN | Type |
|---|---|---|---|
34:7a:60:12:ab:9e | 3 | 10 | Dynamic |
a8:5e:45:72:10:01 | 7 | 10 | Dynamic |
f0:9f:c2:44:88:20 | 12 | 20 | Dynamic |
Dynamic entries age out after an inactivity timer (typically 300 seconds) so the table does not accumulate stale records from devices that have moved or disconnected. Static entries can be configured manually and do not age out.
Spanning Tree Protocol (STP)
Ethernet networks cannot have loops — a frame in a loop would circulate forever, consuming all bandwidth and crashing the network. STP (802.1D) prevents loops by placing redundant ports into a blocking state, leaving only one active path between any two points. STP elects a root bridge and calculates port roles based on port cost (derived from link speed). Ports transition through states: blocking, listening, learning, and forwarding. The transition from blocking to forwarding in classic STP takes 30–50 seconds, which is disruptive when a link fails and a blocked port needs to take over.
RSTP (Rapid Spanning Tree Protocol, 802.1w) replaces STP with a faster negotiation mechanism that can converge in under a second by using direct peer-to-peer negotiation between adjacent switches rather than relying on timed state transitions. RSTP is backward compatible with STP and should be the default on all modern managed switches.
VLANs Inside a Switch
A managed switch can divide its ports into separate virtual LANs (VLANs). Each VLAN is a separate broadcast domain — broadcast and unknown-unicast frames only flood within their VLAN, not across all ports on the switch. This has two practical effects: it limits unnecessary broadcast traffic, and it isolates devices so that a device in VLAN 20 cannot directly exchange frames with a device in VLAN 10 without going through a router or Layer 3 switch.
Access ports carry frames for one VLAN without tagging. Trunk ports carry frames for multiple VLANs using 802.1Q tags so the receiving switch or router knows which VLAN each frame belongs to. The switch's CAM table tracks MAC addresses per VLAN, so the same MAC address appearing on two different VLANs is treated as two separate entries.
Switch Buffer Management and Wire-Speed Forwarding
A switch stores incoming frames in buffers while it looks up the destination port and waits for the output port to become available. Store-and-forward switching receives the entire frame, checks it for errors (FCS verification), then forwards it — adding a small latency proportional to frame size. Cut-through switching begins forwarding as soon as it reads the destination MAC, reducing latency but skipping error checking. High-end core switches aim for wire-speed non-blocking forwarding, meaning all ports can transmit at full line rate simultaneously without internal bottlenecks. A non-blocking 24-port gigabit switch has at least 48 Gbps of internal switching fabric capacity (24 ports × 1 Gbps × duplex).
Switch vs Router
A switch forwards frames inside a local network using MAC addresses. A router forwards packets between networks using IP addresses. Your laptop sends a frame to the router's MAC address for local delivery, but the IP packet inside that frame carries the destination IP of the website. The switch handles only the local hop. The router handles everything beyond the LAN boundary.
Frequently Asked Questions
How does a switch know where to send traffic?
A switch learns source MAC addresses from incoming frames and records which port each MAC address was seen on. It uses that CAM table to forward later frames directly to the correct port.
Does a switch use IP addresses?
A basic Layer 2 switch forwards Ethernet frames by MAC address, not IP address. Routers make forwarding decisions using IP addresses.
Why does a switch flood some traffic?
A switch floods broadcasts and unknown-destination frames because it does not yet know the exact port where the destination lives.