Switch
Network Switch
A Layer 2 device that connects multiple devices on a LAN and intelligently forwards Ethernet frames only to the destination port — unlike a hub which floods every frame to all ports, a switch builds a MAC address table to deliver frames efficiently.
When a switch receives a frame, it reads the source MAC address and records which port it arrived on — building a MAC address table (CAM table). When a frame arrives destined for a known MAC address, the switch sends it only to the associated port. If the destination is unknown, it floods the frame to all ports. This targeted forwarding means multiple simultaneous conversations can occur across different ports without collision — each port gets full bandwidth. A 24-port Gigabit switch supports 24 simultaneous 1 Gbps conversations rather than sharing one collision domain like a hub.
How a switch learns MAC addresses
A switch builds and maintains its MAC address table through the following processes. Flooding: when a frame arrives with an unknown destination MAC, the switch sends it out every port except the one it arrived on, ensuring it reaches the destination regardless of where it is. Learning: at the same time, the switch records the frame's source MAC address and the port it arrived on in the CAM table. After a few frames, the switch has learned which device is reachable via which port. Forwarding: once a destination MAC is in the table, subsequent frames to that address are forwarded only to the correct port. Filtering: if the destination MAC is on the same port as the source (for example, two devices on one hub attached to a single switch port), the switch discards the frame, since no forwarding is needed. Aging: CAM table entries expire after an inactivity period (typically 300 seconds) to handle devices that have moved or disconnected. When an entry ages out, the switch reverts to flooding for that MAC until it relearns the location.
The CAM table and its limits
The CAM (Content Addressable Memory) table is stored in dedicated high-speed hardware memory that allows the switch to look up a MAC address in a single clock cycle regardless of table size. CAM tables have a fixed maximum size — a small unmanaged switch might hold 1,000 entries; enterprise switches hold 64,000 or more. A MAC flooding attack deliberately sends frames with thousands of spoofed source MAC addresses, filling the CAM table. Once full, the switch cannot learn new entries and reverts to flooding all unknown traffic — effectively behaving like a hub and exposing all traffic to all ports. Port security features on managed switches mitigate this by limiting the number of MAC addresses allowed per port.
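The learning, flooding, forwarding, filtering and aging steps described above, together with CAM-table exhaustion and the port-security limit that mitigates it, as an added Python model that is not part of the original page; the Switch class, its capacity and max_per_port parameters, and every MAC address are hypothetical, constructed for illustration.

```python
import time

AGING_SECONDS = 300      # typical CAM inactivity timeout from the text
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Hypothetical CAM-table model: learning, flooding, forwarding, filtering,
    aging, plus a port-security cap on source MACs per port."""

    def __init__(self, ports, capacity, max_per_port):
        self.ports = list(ports)
        self.capacity = capacity            # CAM table size (tiny, so it fills quickly)
        self.max_per_port = max_per_port    # port-security limit on MACs per port
        self.cam = {}                       # mac -> (port, last_seen)
        self.shutdown = set()               # ports disabled by a security violation

    def _age(self, now):
        # Aging: drop entries that have been idle for AGING_SECONDS or longer.
        self.cam = {m: v for m, v in self.cam.items() if now - v[1] < AGING_SECONDS}

    def _learn(self, mac, port, now):
        # Learning: record source MAC -> port, subject to port security and capacity.
        macs_on_port = {m for m, (p, _) in self.cam.items() if p == port}
        if mac not in macs_on_port and len(macs_on_port) >= self.max_per_port:
            self.shutdown.add(port)         # violation: too many source MACs on one port
            return False
        if mac in self.cam or len(self.cam) < self.capacity:
            self.cam[mac] = (port, now)
        # Otherwise the table is full: the MAC is not learned, so frames to it flood.
        return True

    def receive(self, in_port, src, dst, now=None):
        """Return the list of egress ports for a frame arriving on in_port."""
        now = time.time() if now is None else now
        self._age(now)
        if in_port in self.shutdown or not self._learn(src, in_port, now):
            return []                       # shut-down port: the frame is dropped
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            # Flooding: unknown or broadcast destination goes out every other port.
            return [p for p in self.ports if p != in_port and p not in self.shutdown]
        out_port = entry[0]
        if out_port == in_port:
            return []                       # Filtering: destination sits behind the ingress port
        return [out_port]                   # Forwarding: known destination, one port only
```

With a large max_per_port the model reproduces the hub-like fallback once the table is full; with a small one, the offending port is shut down before the table can fill.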
Cut-through vs store-and-forward switching
Switches use one of two main forwarding methods. Store-and-forward receives the entire frame, checks the FCS (Frame Check Sequence) for errors, then forwards it. This catches and discards corrupt frames but adds latency equal to the full frame reception time: at 1 Gbps, a 1500-byte frame takes about 12 microseconds to receive. Cut-through begins forwarding the frame after reading only the first 14 bytes (the Ethernet header, whose first six bytes are the destination MAC address), before the full frame has arrived. This reduces latency to under 1 microsecond but forwards corrupt frames. A third mode, fragment-free, waits for the first 64 bytes (the minimum Ethernet frame size, within which most collisions occur) before forwarding, as a compromise. Most modern enterprise switches use store-and-forward because error checking is valuable and latency differences are negligible at gigabit speeds.
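An added example, not from the original page, that contrasts the three forwarding modes on a constructed Ethernet II frame: the helper names (build_frame, decide, corrupt, serialization_delay_us) are hypothetical, and the FCS is computed with zlib's CRC-32, which uses the same polynomial and bit ordering as the Ethernet FCS.

```python
import struct
import zlib

HEADER_LEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)
MIN_FRAME_LEN = 64        # minimum Ethernet frame size, including the FCS


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame: header + payload (padded to 46 bytes) + CRC-32 FCS."""
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)
    body += payload.ljust(46, b"\x00")          # pad so the frame reaches 64 bytes
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame):
    body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
    return (zlib.crc32(body) & 0xFFFFFFFF) == fcs


def decide(frame, mode):
    """Return (decision, bytes examined before deciding) for a forwarding mode."""
    if mode == "cut-through":
        # Only the 14-byte header is read, so a corrupt frame is passed along.
        return ("forward" if len(frame) >= HEADER_LEN else "drop", HEADER_LEN)
    if mode == "fragment-free":
        # Wait for 64 bytes: collision fragments (runts) are shorter and get dropped.
        return ("forward" if len(frame) >= MIN_FRAME_LEN else "drop", MIN_FRAME_LEN)
    if mode == "store-and-forward":
        # The whole frame is buffered and the FCS verified before anything leaves.
        ok = len(frame) >= MIN_FRAME_LEN and fcs_ok(frame)
        return ("forward" if ok else "drop", len(frame))
    raise ValueError(mode)


def serialization_delay_us(frame_len, bps=1_000_000_000):
    """Time to clock a frame in at the given line rate, in microseconds."""
    return frame_len * 8 / bps * 1_000_000


def corrupt(frame, byte_index=20):
    """Flip one payload bit, as a noisy link might (constructed fault)."""
    data = bytearray(frame)
    data[byte_index] ^= 0x01
    return bytes(data)
```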
Switch vs hub vs router
| Device | OSI layer | Forwarding logic | Collision domain |
|---|---|---|---|
| Hub | Layer 1 | Floods all ports (repeater) | All ports share one |
| Switch | Layer 2 | MAC address table per port | One per port |
| Router | Layer 3 | IP routing table | Separate subnet per interface |
| Layer 3 switch | Layers 2+3 | MAC + IP routing in hardware | One per port + inter-VLAN routing |
Spanning Tree Protocol
Physical loops in a switched network cause broadcast storms — a broadcast frame is forwarded endlessly around the loop, consuming all available bandwidth within seconds and crashing the network. STP (Spanning Tree Protocol, IEEE 802.1D) prevents this by electing a root bridge and blocking redundant ports, creating a loop-free logical topology. RSTP (Rapid STP, 802.1w) converges in seconds rather than the 30–50 seconds of original STP. MSTP (Multiple STP, 802.1s) runs separate spanning tree instances per VLAN group. While STP prevents loops, its port blocking means redundant physical links are idle — LACP (link aggregation) is often used instead to combine parallel links into one active logical link without blocking.
Managed switch features
Managed switches add configuration capabilities essential for structured networks. VLANs logically segment the switch into isolated broadcast domains — ports 1–8 on VLAN 10 (staff), ports 9–16 on VLAN 20 (IoT). Link aggregation (LACP) bonds multiple ports into one logical high-speed uplink. STP/RSTP prevents loops when redundant links exist. Port mirroring (SPAN) copies traffic from one port to another for packet capture and analysis. QoS/CoS prioritises latency-sensitive traffic like VoIP. IGMP snooping prevents multicast flooding. These features are absent on unmanaged switches.
Layer 3 switch vs router
A Layer 3 switch performs IP routing in addition to Layer 2 switching, using dedicated ASICs that route packets at wire speed — far faster than a general-purpose router CPU. This makes Layer 3 switches ideal for inter-VLAN routing within a data centre or campus where routing must occur at gigabit or multi-gigabit speeds between many VLANs. A traditional router provides more advanced features: NAT, dynamic routing protocols, WAN interface support, firewall capabilities, QoS shaping, and VPN termination. In modern networks, the line between the two has blurred — many enterprise routers have switching ASICs and many Layer 3 switches support basic routing protocols like OSPF and BGP.
Frequently Asked Questions
What is the difference between a switch and a router?
A switch forwards Ethernet frames within a LAN using MAC addresses (Layer 2). A router forwards IP packets between different networks (Layer 3). Home routers combine both in one box — built-in switch for LAN ports, router for WAN. A standalone switch just expands port count on your LAN.
What is the difference between a managed and unmanaged switch?
Unmanaged: plug-and-play, no configuration, no VLANs. Managed: web/CLI interface enabling VLANs, QoS, LACP, STP, port mirroring, and traffic statistics. Essential when you need network segmentation or traffic control.
What is a PoE switch?
A switch that delivers DC power alongside data to connected devices, powering access points, cameras, and VoIP phones without separate power supplies. The power classes are PoE (15.4W/port), PoE+ (30W), and PoE++ (60–100W). The switch's total power budget limits how many devices can be powered simultaneously.