A network switch learns network addresses by inspecting incoming packets, not by pre-configuration.

Imagine you have a bunch of devices – computers, printers, servers – all plugged into a switch. When your computer sends a packet to, say, the printer, it doesn’t just broadcast it to everyone. Instead, the switch is actively learning which device is connected to which of its ports.

Here’s a quick peek at a switch’s internal table, often called a MAC address table or CAM table. This isn’t some theoretical diagram; this is what you’d see if you could poke around inside a real switch:

VLAN ID | MAC Address       | Type    | Port
-------------------------------------------------
1       | 00:1A:2B:3C:4D:5E | Dynamic | GigabitEthernet1/0/1
1       | 00:22:33:44:55:66 | Dynamic | GigabitEthernet1/0/3
1       | AA:BB:CC:DD:EE:FF | Static  | GigabitEthernet1/0/2

When a packet arrives at GigabitEthernet1/0/1 destined for 00:22:33:44:55:66, the switch looks up that MAC address in its table. It sees that 00:22:33:44:55:66 is associated with GigabitEthernet1/0/3. So, it forwards the packet only out of GigabitEthernet1/0/3. No other ports receive it. This is the magic of "learning" and "forwarding" at Layer 2.

The Problem Solved: Efficient Local Communication

Before switches, we had hubs. Hubs were dumb repeaters. Any packet arriving on one port was simply blasted out to all other ports. This created a lot of unnecessary traffic, slowed down the network (collisions!), and was a security risk, because every attached device received every other device’s traffic. Switches solve this by creating dedicated, point-to-point connections between devices as needed, dramatically increasing local network efficiency and speed.

How it Works: The MAC Address Table (CAM Table)

The core of Layer 2 forwarding is the MAC address table. This table maps a device’s unique Media Access Control (MAC) address (that 00:1A:2B:3C:4D:5E thing) to the specific physical port on the switch it’s connected to.

  1. Learning: When a frame (Layer 2 packet) arrives on a port, the switch looks at the source MAC address of that frame. It then records this source MAC address and the port it arrived on in its MAC address table. This is how the switch learns where devices are.
  2. Forwarding: When a frame arrives destined for a specific MAC address, the switch checks its table.
    • If the destination MAC address is found in the table, the switch forwards the frame only out of the port associated with that destination MAC.
    • If the destination MAC address is not found (a "MAC address unknown" scenario), the switch acts like a hub for that specific frame: it floods the frame out to all ports except the one it arrived on. The hope is that the destination device will receive it and send a reply, allowing the switch to learn its location.
  3. Filtering: If a frame arrives on a port and the destination MAC address is associated with that same port in the table, the switch drops the frame. There’s no need to send it back out the way it came.
  4. Aging: MAC addresses learned dynamically are typically given an "aging timer." If no traffic is seen from a particular MAC address for a set period (e.g., 300 seconds), the switch removes that entry from its table. This is crucial for handling devices that move ports or are powered off.
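
The four steps above, as an added sketch in Python (not code from the original page or from any switch vendor). The port names, the port-to-VLAN map and the choice to leave static entries untouched by learning are assumptions made for the example; the MAC addresses and the 300-second timer come from the text.

```python
AGING_SECONDS = 300  # aging period used as the example in the text

# Constructed topology: port -> access VLAN, plus the static entry from the table.
PORT_VLANS = {"Gi1/0/1": 1, "Gi1/0/2": 1, "Gi1/0/3": 1, "Gi1/0/5": 10}
STATIC = {(1, "AA:BB:CC:DD:EE:FF"): "Gi1/0/2"}

class LearningSwitch:
    def __init__(self, port_vlans, static):
        self.port_vlans = port_vlans
        # (vlan, mac) -> (port, last_seen); last_seen None marks a static entry
        self.table = {key: (port, None) for key, port in static.items()}

    def age(self, now):
        """Aging: drop dynamic entries idle for more than AGING_SECONDS."""
        self.table = {k: (port, seen) for k, (port, seen) in self.table.items()
                      if seen is None or now - seen <= AGING_SECONDS}

    def receive(self, in_port, src, dst, now):
        """Handle one frame; return (action, egress ports)."""
        vlan = self.port_vlans[in_port]
        self.age(now)
        # Learning: record source MAC against the ingress port. Static entries
        # are left as configured (a choice made in this sketch).
        known = self.table.get((vlan, src))
        if known is None or known[1] is not None:
            self.table[(vlan, src)] = (in_port, now)
        entry = self.table.get((vlan, dst))
        if entry is None:
            # Unknown destination: flood inside the VLAN, minus the ingress port.
            return "flood", sorted(p for p, v in self.port_vlans.items()
                                   if v == vlan and p != in_port)
        if entry[0] == in_port:
            return "filter", []        # Filtering: destination is on the ingress port
        return "forward", [entry[0]]   # Forwarding: exactly one egress port

def demo():
    sw = LearningSwitch(PORT_VLANS, STATIC)
    a, b = "00:1A:2B:3C:4D:5E", "00:22:33:44:55:66"
    return [
        sw.receive("Gi1/0/1", a, b, now=0),    # b unknown: flood VLAN 1 only
        sw.receive("Gi1/0/3", b, a, now=1),    # a was learned: forward
        sw.receive("Gi1/0/1", a, b, now=2),    # b was learned: forward
        sw.receive("Gi1/0/1", a, a, now=3),    # same port: filter
        sw.receive("Gi1/0/1", a, b, now=400),  # b aged out: flood again
    ]

if __name__ == "__main__":
    for action, ports in demo():
        print(action, ports)
```

The first and last results are floods that reach Gi1/0/2 and Gi1/0/3 but never Gi1/0/5, which sits in VLAN 10.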

The Levers You Control

While the basic learning and forwarding is automatic, you have control over several aspects:

  • VLANs (Virtual Local Area Networks): You can segment a single physical switch into multiple logical broadcast domains. Devices in different VLANs cannot communicate directly at Layer 2; they’d need a router. This is done by configuring ports to belong to specific VLANs.
    • Example:
        switch(config)# interface GigabitEthernet1/0/5
        switch(config-if)# switchport mode access
        switch(config-if)# switchport access vlan 10
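  • Port Security: You can limit which MAC addresses are allowed on a specific port, or even bind a specific MAC address to a port. This keeps devices with unlisted MAC addresses off the port.
    • Example (Cisco IOS-style syntax, which takes MAC addresses in dotted-hex form; the first command enables port security on the interface, and without it the other settings are not enforced):
        switch(config-if)# switchport port-security
        switch(config-if)# switchport port-security mac-address aabb.cc11.2233
        switch(config-if)# switchport port-security maximum 1
        switch(config-if)# switchport port-security violation shutdown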
  • Static MAC Addresses: You can manually add entries to the MAC address table. These won’t age out and are useful for critical devices like servers or network infrastructure.
    • Example (AA:BB:CC:DD:EE:FF written in the dotted-hex form the command expects):
        switch(config)# mac address-table static aabb.ccdd.eeff vlan 1 interface GigabitEthernet1/0/2
  • Spanning Tree Protocol (STP): While not a forwarding mechanism itself, STP is a critical companion protocol that prevents loops in switched networks by disabling redundant paths. You configure STP parameters, and the switch uses them to manage its forwarding decisions.

The one thing most people don’t realize is that when a switch floods a frame because the destination MAC is unknown, that flood is contained within the broadcast domain (typically a VLAN). It does not reach ports in other VLANs, and it leaves through a trunk port only if that trunk is configured to carry the VLAN. This containment is what makes VLANs effective segmentation tools.

The next step in understanding network traffic flow involves understanding how routers connect these separate broadcast domains.
