⚡ What is a switch?
A network switch is a Layer 2 device that connects multiple devices within the same network and forwards traffic between them using MAC addresses. Unlike a hub — which blindly sends every packet to every port — a switch learns which device is on which port and sends traffic only to its intended destination. This makes switches far more efficient and is why hubs are obsolete.

How a switch works — the MAC address table

Every switch maintains a MAC address table (also called a CAM table — Content Addressable Memory). This table maps MAC addresses to the physical ports they were learned from. When a frame arrives, the switch checks this table to decide where to send it.

Switches learn MAC addresses automatically by inspecting the source address of every frame that arrives. If a device sends traffic from port 3, the switch records that MAC address against port 3. Over time the table fills up with all the devices on the network.

How a switch processes a frame — step by step
1. Frame arrives        → Switch receives frame on a port
2. Learn source MAC    → Records source MAC address → port in the MAC table
3. Look up dest MAC    → Checks MAC table for destination address
   If found:            → Forwards frame out the specific port only (unicast)
   If not found:        → Floods frame to ALL ports except the one it arrived on
   If broadcast:        → Floods frame to ALL ports in the VLAN (FF:FF:FF:FF:FF:FF)
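
The six steps above as an added example (not code from the original page): a minimal Python model of a switch that learns source MACs, forwards known unicasts out one port, and floods unknown unicasts and broadcasts within the VLAN. It also covers one case the list leaves out, a destination that sits behind the ingress port, which a switch filters rather than floods. Port numbers, VLAN ids and MAC addresses are constructed.

```python
# Added example (not from the original page): a minimal model of the
# learn / look up / forward-or-flood steps a switch applies to each frame.
# Port numbers, VLAN ids and MAC addresses below are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # port -> VLAN of that access port
        self.mac_table = {}            # CAM table: (vlan, mac) -> port

    def process_frame(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlans[in_port]
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        # step 2: learn the source MAC against the ingress port
        self.mac_table[(vlan, src_mac)] = in_port
        others = sorted(p for p, v in self.port_vlans.items()
                        if v == vlan and p != in_port)
        # broadcast: flood to every other port in the same VLAN
        if dst_mac == BROADCAST:
            return others
        # step 3: look up the destination MAC
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:
            return others            # unknown unicast: flood (except ingress port)
        if out_port == in_port:
            return []                # destination is behind the ingress port: filter
        return [out_port]            # known unicast: forward out one port only


def demo():
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 20})   # constructed topology
    a, b, c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    first = sw.process_frame(1, a, b)          # b unknown yet -> flooded to 2 and 3
    reply = sw.process_frame(2, b, a)          # a was learned on port 1 -> unicast
    bcast = sw.process_frame(3, c, BROADCAST)  # VLAN 10 only, port 4 excluded
    return first, reply, bcast
```
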
⚡ Switch vs hub — know this for A+

Hub (Layer 1): Repeats every signal to every port. All devices share bandwidth and form a single collision domain, so any two devices transmitting at once collide. Obsolete.

Switch (Layer 2): Sends frames only to the destination port. Each port is its own collision domain. Devices get dedicated bandwidth. Standard in all modern networks.

The exam loves asking which device creates a single collision domain (hub) vs which device creates separate collision domains per port (switch).

Switch vs router — the key difference

This is one of the most tested distinctions across both A+ and Network+. The difference comes down to what address each device uses and which layer it operates at.

Feature             Switch                                    Router
OSI layer           Layer 2 (Data Link)                       Layer 3 (Network)
Address used        MAC address                               IP address
Connects            Devices within the same network           Different networks together
Traffic scope       Within a subnet / VLAN                    Between subnets / networks
Broadcast domain    All ports share one (unless VLANs used)   Separates broadcast domains
Table used          MAC address table (CAM)                   Routing table

Managed vs unmanaged switches

🔌 Unmanaged Switch (plug and play)
No configuration required — plug in and it works. No VLANs, no port security, no monitoring. Used in home networks and small offices where simplicity matters more than control.

⚙️ Managed Switch (full configuration)
Configurable via CLI or web interface. Supports VLANs, port security, STP, SNMP monitoring, QoS, link aggregation, and more. Required in any enterprise or business environment.

🏢 Core Switch (core infrastructure)
High-speed switch at the centre of a network — connects distribution layer switches together. High bandwidth, high port density, minimal latency. Usually a Layer 3 switch.

📦 Layer 3 Switch (routing + switching)
A switch that can also perform routing between VLANs. Faster than a router for inter-VLAN traffic because it routes in hardware. Common in enterprise core and distribution layers.

VLANs — virtual LANs

A VLAN (Virtual Local Area Network) logically segments a physical switch into multiple separate networks. Devices on different VLANs cannot communicate with each other directly — they need a router or Layer 3 switch to route between them. VLANs are one of the most tested switch topics on Network+.

The main reasons to use VLANs are security (isolating sensitive systems), performance (reducing broadcast traffic), and flexibility (grouping devices by function rather than physical location).

VLAN key concepts
Access port     → Carries traffic for ONE VLAN — connects to end devices (PCs, printers)
Trunk port      → Carries traffic for MULTIPLE VLANs — connects switches to each other or to routers
802.1Q          → VLAN tagging standard — inserts a 4-byte tag into the Ethernet frame
Native VLAN     → VLAN that carries untagged traffic on a trunk port (default VLAN 1)
Inter-VLAN routing → Traffic between VLANs requires a router or Layer 3 switch
⚡ Trunk vs access port — a classic exam question

An access port belongs to one VLAN and connects to an end device. The device doesn't know or care about VLANs — the switch handles the tagging.

A trunk port carries multiple VLANs and connects switches together (or a switch to a router). Frames on a trunk are tagged with 802.1Q to identify which VLAN they belong to.

If the exam describes a port connecting two switches — it's a trunk. If it describes a port connecting a PC — it's an access port.
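The 802.1Q tag, access port and trunk port rules from the key-concepts list and the paragraphs above, as an added example (not code from the original page): build and parse tagged Ethernet frames, then apply the egress rule for each port type (access ports never tag, trunks tag everything except the native VLAN). The function names, the sample MACs and the payload are constructed.

```python
# Added example (not from the original page): build and parse 802.1Q-tagged
# Ethernet frames and apply the access / trunk / native-VLAN egress rules.
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag goes after the source MAC if vlan is given."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)  # PCP:3 bits, DEI:1 (left 0), VID:12
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; vlan is None for an untagged frame."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def egress(frame, vlan, port_kind, native_vlan=1):
    """Rewrite a frame that belongs to `vlan` for transmission out of a port.

    access port: never tagged (end devices are VLAN-unaware)
    trunk port:  tagged, except the native VLAN, which leaves untagged
    """
    f = parse_frame(frame)
    tagged = port_kind == "trunk" and vlan != native_vlan
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vlan=vlan if tagged else None)


# constructed sample: an IPv4 (0x0800) frame with a short dummy payload
SAMPLE = build_frame("aa:aa:aa:00:00:02", "aa:aa:aa:00:00:01", 0x0800, b"payload")
```
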

Spanning Tree Protocol (STP)

When you connect multiple switches together for redundancy, you create loops — and Layer 2 loops are catastrophic. A broadcast frame in a loop circulates forever, consuming all bandwidth in seconds (called a broadcast storm). STP prevents this by automatically blocking redundant paths while keeping them available as backup.

STP version   Standard   Key improvement
STP           802.1D     Original — slow convergence (30–50 seconds)
RSTP          802.1w     Rapid STP — much faster convergence (seconds)
MSTP          802.1s     Multiple STP — separate spanning tree per VLAN group
PVST+         Cisco      Per-VLAN Spanning Tree — one STP instance per VLAN

Port security

Port security is a managed switch feature that restricts which MAC addresses are allowed on a given port. It's used to prevent unauthorised devices from connecting to the network — plugging an unknown laptop into a network port can be blocked by port security.

🔒 Port security violation actions

Protect: Drops frames from unauthorised MACs silently — no alert, no shutdown.

Restrict: Drops frames and increments a violation counter — generates a log but port stays up.

Shutdown (default): Disables the port completely — requires manual re-enabling by an administrator. Most secure option.
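The three violation actions above, as an added example (not code from the original page or any vendor's implementation): a small port-security model that learns up to max_macs addresses on a port and then applies protect, restrict or shutdown to any further MAC. The class and method names, and the MACs used, are constructed.

```python
# Added example (not from the original page): a model of the three
# port-security violation actions applied to the source MAC of each frame.
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    max_macs: int = 1
    mode: str = "shutdown"                        # "protect" | "restrict" | "shutdown"
    allowed: set = field(default_factory=set)     # learned (sticky) or static MACs
    violations: int = 0
    log: list = field(default_factory=list)
    err_disabled: bool = False

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                         # port is down until an admin re-enables it
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)             # learn a new MAC while under the limit
            return "forward"
        # violation: an unauthorised MAC beyond the limit
        if self.mode == "protect":
            return "drop"                         # silent: no counter, no log
        self.violations += 1
        if self.mode == "restrict":
            self.log.append(f"violation from {src_mac}")   # logged, port stays up
            return "drop"
        self.err_disabled = True                  # shutdown (default): port goes err-disabled
        self.log.append(f"port err-disabled by {src_mac}")
        return "drop"

    def admin_reenable(self):
        """Manual recovery from the shutdown action."""
        self.err_disabled = False
```
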

Exam scenarios

💬 "Which device operates at Layer 2 and forwards frames based on MAC addresses?" → Switch
💬 "A network is experiencing a broadcast storm. What device and feature would prevent this?" → Switch with Spanning Tree Protocol (STP)
💬 "An administrator wants to isolate the HR department's traffic from the rest of the network without buying new hardware. What should they configure?" → VLANs on a managed switch
💬 "Which port type on a switch carries traffic for multiple VLANs between switches?" → Trunk port (802.1Q)
💬 "A switch receives a frame destined for a MAC address not in its table. What does it do?" → Floods the frame to all ports except the one it arrived on (unknown unicast flooding)
💬 "Which switch feature prevents unauthorised devices from connecting by limiting which MAC addresses can use a port?" → Port security
💬 "What is the difference between a Layer 2 switch and a Layer 3 switch?" → A Layer 3 switch can route traffic between VLANs/subnets in addition to switching — it performs both Layer 2 switching and Layer 3 routing
💬 "Two switches are connected together. What type of port should be configured on each switch for that connection?" → Trunk port — to carry multiple VLANs between the switches
