The OSI Layer Connection
The easiest way to remember the difference is by OSI layer. Each device operates at a specific layer and can only understand information up to that layer. A hub operates at Layer 1 (Physical) — it only understands electrical signals. It has no awareness of MAC addresses or IP addresses, so when a frame arrives on any port, it blindly repeats that signal out every other port. A switch operates at Layer 2 (Data Link) — it reads the destination MAC address in each Ethernet frame and forwards it only to the port where that MAC address is located. A router operates at Layer 3 (Network) — it reads the destination IP address in each packet and makes forwarding decisions based on its routing table.
This layer distinction determines what each device can and cannot do. A hub cannot filter traffic because it cannot read addresses. A switch cannot route between subnets because it cannot read IP addresses. A router can do everything a switch can do, plus inter-network routing — but dedicated switches handle Layer 2 forwarding faster and cheaper at scale.
Hub vs Switch vs Router — Full Comparison
| Feature | Hub | Switch | Router |
|---|---|---|---|
| OSI Layer | Layer 1 — Physical | Layer 2 — Data Link | Layer 3 — Network |
| Forwarding basis | None — floods all ports | MAC address table | IP routing table |
| Collision domains | One shared domain | One per port | One per port/interface |
| Broadcast domains | One shared domain | One per VLAN | One per interface |
| Connects | Devices on same segment | Devices on same network | Different networks/subnets |
| Intelligence | None — dumb repeater | Learns MAC-to-port mappings | Dynamic routing protocols |
| Status today | Obsolete — never used in new installs | Ubiquitous — every LAN | Every network edge and WAN |
How a Hub Works — and Why It Was Replaced
A hub is a multiport repeater. Every frame that arrives on any port is immediately retransmitted out every other port simultaneously. The hub has no memory, no address table, and no filtering capability whatsoever. All devices connected to a hub share a single collision domain — if two devices transmit simultaneously, their signals collide and both transmissions must be retried. This is why 10BASE-T Ethernet (which used hubs) required CSMA/CD (Carrier Sense Multiple Access with Collision Detection) to manage collisions. As more devices joined a hub-based network, collisions increased exponentially, degrading performance for everyone.
Hubs also create significant security concerns. Because every frame is flooded to every port, any device connected to the hub can capture all traffic by putting its NIC into promiscuous mode — a trivial network sniffing attack. Switches eliminated this vulnerability by only forwarding frames to the intended destination port. Hubs were completely replaced by switches in professional installations by the early 2000s. They appear on CompTIA exams exclusively as a historical reference and as the wrong answer in scenarios that require intelligent traffic forwarding.
How a Switch Works — MAC Address Tables
A switch learns which device is connected to which port by examining the source MAC address of every incoming frame. When a frame arrives, the switch records the source MAC address and the port it came in on in its MAC address table (also called the CAM table — Content Addressable Memory). The next time a frame arrives destined for that MAC address, the switch looks it up in the table and forwards the frame only to the specific port where that device lives — never to other ports.
When a switch receives a frame for a MAC address it hasn't seen yet, it floods the frame to all ports except the one it came in on — exactly like a hub. Once the destination device responds, the switch learns its MAC-to-port mapping and subsequent frames are forwarded intelligently. A switch also floods frames addressed to the broadcast address (FF:FF:FF:FF:FF:FF) to all ports in the same VLAN, which is why switches do not break up broadcast domains — only routers do.
VLANs extend the switch's capabilities by creating logical segments within a single physical switch. Each VLAN is its own broadcast domain — a broadcast sent in VLAN 10 never reaches devices in VLAN 20. Traffic between VLANs requires a router (or a Layer 3 switch), because crossing from one VLAN to another is crossing from one broadcast domain to another — a Layer 3 operation.
How a Router Works — Routing Tables and IP Forwarding
A router maintains a routing table — a database of known networks and the next hop or interface to use to reach each one. When a packet arrives, the router extracts the destination IP address, looks it up in the routing table using longest prefix match, and forwards the packet out the appropriate interface. Unlike a switch's MAC table which is learned automatically, routing tables are populated through a combination of directly connected networks (automatic), static routes (manually configured), and dynamic routing protocols (OSPF, BGP, EIGRP) that exchange route information between routers.
Routers perform Network Address Translation (NAT), translating private IP addresses to public IP addresses for internet-bound traffic. Every home router and most enterprise edge routers use NAT. Routers also implement access control lists (ACLs) to filter traffic between networks based on source/destination IP, port, and protocol — a basic form of firewall functionality. Routers connect networks that may use different technologies — a router might have one Ethernet interface connected to a LAN and one fiber interface connected to a WAN provider.
Layer 3 Switches — The Hybrid
Modern enterprise networks use Layer 3 switches (also called multilayer switches) at the distribution and core layers. A Layer 3 switch combines high-speed Layer 2 switching with hardware-accelerated Layer 3 routing. It can forward packets between VLANs at wire speed without the latency of sending traffic to a dedicated router. Layer 3 switches handle inter-VLAN routing inside the building, while dedicated routers handle WAN connectivity and complex routing policies at the perimeter. On the exam, a question asking "which device allows communication between two VLANs?" accepts both "router" and "Layer 3 switch" as correct answers.
Collision Domains vs Broadcast Domains — The Exam Distinction
Two terms that constantly trip up exam candidates: collision domains and broadcast domains. A collision domain is the set of devices that could cause a collision if they transmit simultaneously. In a hub, all connected devices share one collision domain — if two devices transmit at once, their signals collide. Each port on a switch is its own collision domain — a device on port 1 and a device on port 2 can transmit simultaneously without collision. A router interface is also its own collision domain. The rule: hubs don't break collision domains; switches and routers do.
A broadcast domain is the set of devices that receive a Layer 2 broadcast (destination MAC FF:FF:FF:FF:FF:FF). Every device connected to a switch (in the same VLAN) receives broadcasts sent to that VLAN. A switch does not break broadcast domains — all devices in the same VLAN share one broadcast domain. A router does break broadcast domains — broadcasts cannot cross a router (unless explicitly relayed, as DHCP relay does). VLANs on a switch also create separate broadcast domains. The rule: only routers and VLANs break broadcast domains; switches and hubs do not.
Quick test: a network has 1 hub with 4 devices and 1 switch with 4 devices, connected together through a router. How many collision domains and broadcast domains? Answer: the hub's 4 devices share 1 collision domain, each of the switch's 4 ports is its own collision domain = 5 total collision domains. The hub side is 1 broadcast domain, the switch side is 1 broadcast domain, the router separates them = 2 broadcast domains.
When Would You Still See a Hub?
Hubs are obsolete for network access, but they appear in one specific legitimate use case: network monitoring via a tap. A passive network tap or a hub can be used to connect a packet analyser (Wireshark) to monitor all traffic on a segment without being in the traffic path. More commonly, a switch's SPAN port (port mirroring) accomplishes this without the collision domain problem. The exam question "a technician needs to capture all traffic between two devices — which device allows this?" accepts both hub and SPAN port as correct answers depending on context. In modern environments, SPAN is always preferred.