101
0/228
Loading content...
The network switch is the most common infrastructure device in modern LANs. From small office setups to massive data centers, switches form the backbone of local connectivity, enabling devices to communicate at wire speed with minimal latency.
Unlike their predecessor—the hub—which blindly repeated traffic to all ports, switches make intelligent forwarding decisions based on MAC addresses. This selective forwarding dramatically improves both performance and security, making switches the foundation of all serious network deployments.
To truly understand when and why to use a switch versus a router, we must first understand exactly how switches operate at a deep technical level. This understanding reveals switches' strengths, limitations, and the scenarios where they excel.
By completing this page, you will understand the complete lifecycle of frame processing in a switch: how MAC tables are built and maintained, how forwarding decisions are made, how broadcasts are handled, how VLANs segment traffic, and how modern switch architectures achieve line-rate performance.
A switch is a Layer 2 networking device that forwards frames based on MAC addresses. Unlike routers that examine IP headers, switches operate entirely at the Data Link Layer, making decisions based purely on the Ethernet frame's source and destination MAC addresses.
Key Characteristics of Switches:
Switch Internal Architecture:
Understanding how switches are built internally helps explain their performance characteristics:
┌─────────────────────────────────────────────────────────────────────────────┐
│ SWITCH INTERNAL ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Port 1 │ │ Port 2 │ │ Port 3 │ │ Port N │ │
│ │ PHY/MAC │ │ PHY/MAC │ │ PHY/MAC │ │ PHY/MAC │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │ │
│ └──────────────┼──────────────┼──────────────┘ │
│ │ │ │
│ ┌─────┴──────────────┴─────┐ │
│ │ SWITCHING FABRIC │ │
│ │ (Crossbar/Shared Bus) │ │
│ └─────────────┬─────────────┘ │
│ │ │
│ ┌─────────────┴─────────────┐ │
│ │ FORWARDING ENGINE │ │
│ │ ┌───────────────────────┐ │ │
│ │ │ MAC Address Table │ │ │
│ │ │ (CAM/TCAM Memory) │ │ │
│ │ └───────────────────────┘ │ │
│ └─────────────┬─────────────┘ │
│ │ │
│ ┌─────────────┴─────────────┐ │
│ │ CONTROL PLANE CPU │ │
│ │ (Management, STP, SNMP) │ │
│ └───────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Key Components:
CAM (Content-Addressable Memory) enables O(1) MAC address lookups—give it a MAC, it returns the port instantly. TCAM (Ternary CAM) extends this with wildcards, enabling pattern matching for ACLs and QoS. This specialized memory is expensive but essential for line-rate switching.
The MAC address table (also called CAM table, bridge table, or forwarding database) is the heart of switch operation. It maps MAC addresses to switch ports, enabling intelligent forwarding. Switches build this table automatically through a process called MAC learning.
The Learning Process:
When a frame arrives at a switch port, the switch examines the source MAC address and records a mapping:
┌─────────────────────────────────────────────────────────────────────────────┐
│ MAC LEARNING PROCESS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Frame arrives: Src MAC = AA:BB:CC:DD:EE:FF, ingress port = 5 │
│ │
│ 1. Extract source MAC from frame header │
│ 2. Look up source MAC in table │
│ a. If NOT found: Add new entry {AA:BB:CC:DD:EE:FF → Port 5, age=0} │
│ b. If found on same port: Refresh aging timer │
│ c. If found on DIFFERENT port: Update entry (MAC moved) │
│ 3. Proceed to forwarding decision (use destination MAC) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
This means the switch learns by observing traffic, not by being configured.
| MAC Address | Port | VLAN | Type | Age (seconds) |
|---|---|---|---|---|
| 00:1A:2B:3C:4D:5E | Gi0/1 | 10 | Dynamic | 45 |
| 00:1A:2B:3C:4D:5F | Gi0/1 | 10 | Dynamic | 120 |
| AA:BB:CC:DD:EE:01 | Gi0/5 | 20 | Dynamic | 5 |
| AA:BB:CC:DD:EE:02 | Gi0/8 | 20 | Dynamic | 300 |
| FF:FF:FF:FF:FF:FF | All | — | Static | — |
| 01:00:5E:00:00:FB | Gi0/1,3,7 | 10 | Static (IGMP) | — |
Entry Types:
The Aging Process:
To prevent stale entries from consuming table space, switches implement aging:
┌─────────────────────────────────────────────────────────────────────────────┐
│ AGING MECHANISM │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Default aging time: 300 seconds (5 minutes) — configurable │
│ │
│ Each entry has an age counter: │
│ - Incremented periodically (e.g., every second) │
│ - Reset to 0 when frame with that source MAC arrives │
│ - Entry DELETED when age exceeds aging-time threshold │
│ │
│ Purpose: │
│ - Remove entries for devices that have been disconnected │
│ - Handle device mobility (MAC appears on new port) │
│ - Prevent table exhaustion from transient traffic │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
MAC Table Size Limits:
Every switch has a finite MAC table capacity:
When the table fills, switches typically cannot learn new MACs. Traffic to unknown destinations is flooded (sent to all ports), degrading performance and security.
Attackers can deliberately exhaust a switch's MAC table by sending thousands of frames with random source MACs. Once the table is full, the switch floods all traffic—allowing the attacker to sniff traffic not meant for them. Port security and dynamic ARP inspection help mitigate this attack.
After learning the source MAC, the switch must decide what to do with the frame. This forwarding decision is based on the destination MAC address.
Three Possible Actions:
The Complete Forwarding Algorithm:
┌─────────────────────────────────────────────────────────────────────────────┐
│ SWITCH FORWARDING ALGORITHM │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ FRAME ARRIVES ON PORT X: │
│ │
│ 1. LEARNING PHASE: │
│ └→ Record/update: source_MAC → Port X in MAC table │
│ │
│ 2. FORWARDING DECISION: │
│ IF destination_MAC == broadcast (FF:FF:FF:FF:FF:FF): │
│ └→ FLOOD to all ports in VLAN (except Port X) │
│ ELSE IF destination_MAC is multicast (01:xx:xx...): │
│ └→ FLOOD (or use IGMP snooping if enabled) │
│ ELSE: // Unicast address │
│ LOOKUP destination_MAC in table │
│ IF found: │
│ IF destination_port == X: │
│ └→ FILTER (drop frame—already local) │
│ ELSE: │
│ └→ FORWARD to destination_port only │
│ ELSE: // Unknown unicast │
│ └→ FLOOD to all ports in VLAN (except Port X) │
│ │
│ 3. FCS CHECK (at ingress): │
│ └→ If CRC fails, drop frame silently (never forwarded) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Why Unknown Unicast Happens:
Several scenarios cause unknown unicast (necessitating flooding):
Performance Implications:
A well-designed network minimizes flooding by:
Filtering occurs when both source and destination MACs are on the same port. This typically happens when multiple devices share a port via a hub or unmanaged switch downstream. The switch correctly deduces that the destination device already received the frame locally—no forwarding needed.
Switches use different methods to receive and forward frames, trading off latency against error detection. Understanding these methods helps you choose switches for latency-sensitive applications.
Store-and-Forward Switching:
The traditional method. Switch receives the entire frame before making a forwarding decision.
┌─────────────────────────────────────────────────────────────────────────────┐
│ STORE-AND-FORWARD SWITCHING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Receive complete frame into buffer │
│ 2. Calculate FCS (CRC) and compare to frame's FCS │
│ 3. If FCS mismatch → DROP frame (corrupted) │
│ 4. If FCS matches → Look up destination MAC │
│ 5. Forward frame to appropriate port(s) │
│ │
│ LATENCY: Variable, depends on frame size │
│ - Minimum frame (64 bytes @ 1Gbps): ~0.5 μs │
│ - Maximum frame (1518 bytes @ 1Gbps): ~12 μs │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Advantages:
Disadvantages:
Cut-Through Switching:
Low-latency method. Switch starts forwarding as soon as destination MAC is received (first 6 bytes after preamble).
┌─────────────────────────────────────────────────────────────────────────────┐
│ CUT-THROUGH SWITCHING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Receive destination MAC (first 6 bytes of frame) │
│ 2. Look up destination MAC → determine output port │
│ 3. START FORWARDING immediately (frame still arriving!) │
│ 4. Continue receiving and forwarding simultaneously │
│ 5. FCS check happens AFTER forwarding (or not at all) │
│ │
│ LATENCY: Fixed, independent of frame size │
│ - Approximately 2-10 μs (port-to-port) │
│ - Much lower than store-and-forward for large frames │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Advantages:
Disadvantages:
| Characteristic | Store-and-Forward | Cut-Through |
|---|---|---|
| Latency | Variable (frame-size dependent) | Fixed (very low) |
| Error Handling | Drops corrupted frames | Forwards corrupted frames |
| Speed Adaptation | Yes (buffers enable different speeds) | No (requires same speed) |
| Buffer Requirements | Larger buffers needed | Minimal buffers |
| QoS Support | Full frame analysis possible | Limited (headers only) |
| Use Case | General enterprise networks | Low-latency trading, HPC |
Fragment-Free Switching:
A hybrid approach. Switch reads the first 64 bytes before forwarding (minimum Ethernet frame size). This catches most collision-induced errors (runts) while maintaining relatively low latency.
Adaptive Switching:
Some switches automatically switch between methods. They use cut-through by default but fall back to store-and-forward if error rates exceed a threshold—getting the best of both worlds.
For most enterprise applications, store-and-forward's latency (microseconds) is invisible. But in high-frequency trading, every nanosecond counts—cut-through switches dominate. Data centers often use adaptive switching to balance latency and reliability.
One of the most important characteristics of switches is how they handle broadcast and multicast traffic. This behavior defines the broadcast domain and has significant performance implications.
Broadcast Handling:
When a frame destined for FF:FF:FF:FF:FF:FF (broadcast) arrives, the switch floods it to all ports in the same VLAN except the ingress port.
┌─────────────────────────────────────────────────────────────────────────────┐
│ BROADCAST FRAME HANDLING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Broadcast frame arrives on Port 1 │
│ │
│ Port 1 Port 2 Port 3 Port 4 Port 5 │
│ (ingress) │
│ │ │ │ │ │ │
│ ▼ │ │ │ │ │
│ ┌──────┐ │ │ │ │ │
│ │SWITCH│───────┼───────────┼───────────┼───────────┤ │
│ └──────┘ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ COPY COPY COPY COPY │
│ │
│ Result: Frame copied to ports 2, 3, 4, 5 (all ports except ingress) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Switches CANNOT prevent broadcast flooding—this is fundamental to their Layer 2 operation. Only Layer 3 devices (routers) terminate broadcast domains.
Common Broadcast Traffic Types:
| Protocol | Purpose | MAC Address | Impact |
|---|---|---|---|
| ARP | Address resolution | FF:FF:FF:FF:FF:FF | Frequent in active networks |
| DHCP | IP configuration | FF:FF:FF:FF:FF:FF | Periodic lease renewals |
| NetBIOS | Windows networking | FF:FF:FF:FF:FF:FF | Can be very chatty |
| Various discovery | Device/service discovery | FF:FF:FF:FF:FF:FF | Varies by application |
Broadcast Storms:
When broadcast traffic spirals out of control, it's called a broadcast storm. This can occur due to:
A broadcast storm can:
Industry best practices recommend limiting broadcast domains to 250–500 devices. Larger domains increase broadcast traffic linearly and storm risk non-linearly. Use VLANs and routed boundaries to keep domains appropriately sized.
Multicast Handling:
Multicast frames (destination MAC starting with 01:) are also flooded by default. However, advanced switches implement IGMP snooping to optimize multicast:
┌─────────────────────────────────────────────────────────────────────────────┐
│ IGMP SNOOPING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ WITHOUT IGMP Snooping: │
│ - All multicast treated like broadcast │
│ - Flooded to every port in VLAN │
│ - Wastes bandwidth on ports with no interested receivers │
│ │
│ WITH IGMP Snooping: │
│ - Switch inspects IGMP join/leave messages │
│ - Builds table of which ports have multicast receivers │
│ - Forwards multicast only to ports with interested hosts │
│ - Significantly reduces multicast traffic volume │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
IGMP snooping is essential for networks with video streaming, IP telephony, or other multicast-heavy applications.
VLANs (Virtual LANs) extend switch capabilities by logically segmenting a physical switch into multiple broadcast domains. VLANs are a critical switch feature that provides Layer 2 segmentation without requiring separate physical infrastructure.
VLAN Fundamentals:
Port Types (Access vs Trunk):
┌─────────────────────────────────────────────────────────────────────────────┐
│ ACCESS PORTS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ - Assigned to ONE VLAN only │
│ - Connect to end devices (PCs, printers, phones) │
│ - Frames are UNTAGGED (no VLAN header) │
│ - Device is unaware of VLANs │
│ │
│ Example: Port Gi0/1 → Access VLAN 10 │
│ All traffic from this port belongs to VLAN 10 │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────┐
│ TRUNK PORTS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ - Carry traffic for MULTIPLE VLANs │
│ - Connect switches to switches (or to routers) │
│ - Frames are TAGGED with 802.1Q VLAN header │
│ - Both ends must agree on allowed VLANs │
│ │
│ 802.1Q Tag (inserted after source MAC): │
│ ┌──────────┬──────┬────────────────────┐ │
│ │ TPID │ PRI │ VLAN ID │ │
│ │ 0x8100 │ 3bit │ 12 bits (1-4094) │ │
│ └──────────┴──────┴────────────────────┘ │
│ │
│ Example: Trunk carrying VLANs 10, 20, 30 │
│ Each frame has VLAN ID so receiving switch knows destination │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Native VLAN (Trunk Configuration):
Trunk ports have a native VLAN—the VLAN for untagged frames. Frames in the native VLAN cross the trunk without a VLAN tag.
Switch Port Behavior Summary:
| Port Type | Connected To | VLAN Handling | Frame Format |
|---|---|---|---|
| Access | End devices | Single VLAN only | Untagged |
| Trunk | Switches/Routers | Multiple VLANs | Tagged (802.1Q) |
| Hybrid/General | Both | Configurable | Configurable |
Proper VLAN configuration is essential for switch networks. Misconfigured trunks can either break inter-switch communication or inadvertently merge VLANs that should be isolated.
Remember: VLANs only segment at Layer 2. For devices in different VLANs to communicate, traffic MUST pass through a Layer 3 device (router or multilayer switch). The router can then apply policies, ACLs, or firewall rules—making VLANs a powerful security tool.
Understanding switch performance metrics helps you select appropriate hardware for your network requirements.
Key Performance Metrics:
| Metric | Description | Typical Values |
|---|---|---|
| Switching Capacity | Total bandwidth switch can handle (all ports, full duplex) | 48-port 1G: 96 Gbps, 48-port 10G: 960 Gbps |
| Forwarding Rate | Packets per second (pps) at minimum frame size | 48-port 1G: 72 Mpps, 48-port 10G: 720 Mpps |
| Latency | Time from frame ingress to egress start | Store-forward: 2-20μs, Cut-through: <1μs |
| MAC Table Size | Maximum MAC address entries | 8K (basic) to 128K+ (datacenter) |
| VLAN Support | Maximum simultaneous VLANs | 256 (basic) to 4094 (enterprise) |
| Buffer Memory | Packet buffer capacity | 1-16 MB typical, 32+ MB for high-end |
Non-Blocking vs Blocking Architectures:
A non-blocking switch has sufficient internal bandwidth to handle all ports at line rate simultaneously. The switching capacity should be at least:
Required capacity = Number of ports × Port speed × 2 (full duplex)
Example: 48 × 1 Gbps × 2 = 96 Gbps (non-blocking)
A switch with 48 Gbps capacity would be 2:1 "blocking" (oversubscribed)
Oversubscription is common and acceptable for access-layer switches where all devices rarely transmit at line rate simultaneously. But core/distribution switches should be non-blocking.
Forwarding Rate Verification:
The forwarding rate should match the theoretical maximum for the port configuration:
Theoretical PPS = Switching capacity / (Minimum frame size + IFG + preamble)
= Switching capacity / (64 + 12 + 8) bytes × 8 bits/byte
= Switching capacity / 672 bits
Example: 96 Gbps / 672 = 142.86 Mpps (theoretical max for 48 1G ports)
If switch specs show 72 Mpps, check if that's per-port or total.
Always verify that switching capacity and forwarding rate are consistent with claimed line-rate forwarding. Some vendors quote theoretical maximums that can't be achieved simultaneously. Look for "non-blocking" or "wire-speed" claims with matching specifications.
Buffer Management:
Buffers prevent frame loss during congestion (multiple inputs to one output). Buffer architectures include:
Insufficient buffering causes frame drops during microbursts—short traffic spikes that exceed link capacity temporarily. This is especially problematic at speed transitions (10G to 1G).
This page has provided a comprehensive examination of how network switches operate. Understanding these mechanisms is essential for comparing switches with routers and making informed device selection decisions.
You now understand how switches make forwarding decisions, build MAC tables, handle broadcasts, and implement VLANs. This foundation prepares you to contrast switch behavior with router operation in the next page.
Next: We'll examine Router Operation—how routers make forwarding decisions based on IP addresses, build routing tables, handle packets crossing network boundaries, and implement the Layer 3 functions that switches cannot provide.