Use Sophia to knock out your gen-ed requirements quickly and affordably. Learn more
Become a Member Try for Free
×

Switching Fundamentals

Author: Sophia
PDF Version

what's covered
In this lesson, you will dive deep into how network switches operate and make intelligent decisions about data flow. You’ll learn how switches learn about connected devices, make forwarding decisions, and improve network performance more than older hub technology. Specifically, this lesson will cover the following:

Table of Contents

1. How Switches Use MAC Addresses

recall
Switches forward frames using MAC addresses within a local network, while routers forward packets using IP addresses between networks. Keep this in mind as you explore how a switch learns device locations, forwards frames, and filters traffic within a VLAN.

Switches keep track of which devices are connected to each port using a database called the MAC address table, also known as the Content Addressable Memory (CAM) table.

When a frame enters a switch, the switch reads the source MAC address and records it in this table along with the port where it arrived.

This process lets the switch deliver future frames directly to the correct destination instead of sending them to every device on the network.

Shown here is a sample MAC address table. A switch records each MAC address and the port where it arrived. This table allows it to forward frames directly instead of flooding them.

MAC Address Port VLAN
00:1A:2B:3C:4D:5A Gi1/0/1 10
00:1A:2B:3C:4D:5B Gi1/0/2 10
00:1A:2B:3C:4D:5C Gi1/0/3 20
00:1A:2B:3C:4D:5D Gi1/0/4 20

When a switch first powers on, its MAC address table is empty. As it receives frames, it begins to learn where each device is located:

  1. Frame Reception: The switch examines the source MAC address in the frame header.
  2. Learning: It adds that MAC address and the incoming port to its MAC address table.
  3. Aging: Each entry remains for a set time (about 300 s). If no frames arrive before the timer expires, the entry is removed.
  4. Updating: If the same MAC address later appears on a different port, the switch updates the table with the new location.
Once the switch knows where the devices are, it can forward frames more intelligently.

  • If the destination MAC address is found in the table, the switch forwards the frame only to that port.
  • If the destination MAC address is unknown, the switch floods the frame out of all other ports except for the one it arrived on.
  • Flooding allows the switch to discover new devices when they respond.
try it
A switch has learned the following MAC address entries:

MAC Address Port
00:1A:2B:3C:4D:5A Gi1/0/1
00:1A:2B:3C:4D:5B Gi1/0/2

Now, imagine that the device with MAC 00:1A:2B:3C:4D:5B is moved to port Gi1/0/4 and sends a new frame.
What will the switch do with its MAC address table?
The switch updates the entry for that MAC address to show the new port (Gi1/0/4). It always records the most recent port from which a device sends a frame, so that future frames reach the correct destination.

key concept
The MAC address table (CAM table) is the memory of a switch. It maps each device’s MAC address to a physical switch port, allowing the switch to quickly forward frames to the correct destination and reduce unnecessary traffic.

2. Filtering Traffic

Now that you know how switches learn and forward frames, you can look at how they manage traffic that should not be forwarded.

Filtering means deciding whether a frame should be sent, ignored, or flooded. A switch performs filtering on every frame to reduce congestion, conserve bandwidth, and prevent unnecessary traffic from moving through the network.

When a switch receives a frame, it checks both the source and destination MAC addresses to decide what to do next. If the destination MAC address is known, the frame is sent only to that specific port. If the destination MAC address is unknown, the switch uses a process called flooding, which means temporarily sending the frame out of all ports in the same VLAN, except the one it came from. If the source and destination are on the same port, the switch filters the frame and does not forward it. There is no need to send data back to the same device. This intelligent decision-making ensures that each frame is handled efficiently, even in large or busy networks.

Switches also apply specific filtering techniques for different types of traffic.

When a frame arrives with a destination MAC address that is not in the MAC address table, the switch treats it as an unknown unicast frame. The switch does not yet know which port leads to the destination. Flooding is the default behavior for unknown unicast traffic. By flooding, the switch can discover the location of the new device when it replies. In some environments, administrators configure switches to drop unknown unicast frames instead of flooding them. This limits unrecognized or suspicious traffic and adds a layer of security.

A broadcast frame is a frame sent to the special MAC address FF:FF:FF:FF:FF:FF, which means that all devices in the local network should receive it. Broadcasts are used for essential network messages, such as ARP requests that help devices learn one another’s IP and MAC addresses. However, too many broadcasts can slow performance. Dividing a network into multiple VLANs limits the broadcast area, creating smaller and more efficient broadcast domains.

A multicast frame is designed for one sender to reach many recipients at once. For example, a server that streams video to several users sends multicast traffic. Modern switches use multicast filtering to forward multicast frames only to ports that have joined the multicast group. This prevents the switch from sending unnecessary traffic to every port in the VLAN.

Finally, every switch applies this same rule to prevent loops. By never forwarding a frame back out the port it arrived on, the switch avoids circulating traffic and sets the groundwork for more advanced loop-prevention protocols you will study later in the course.

try it
A switch receives a frame on Port 3 with an unknown destination MAC address. At the same time, it receives a broadcast ARP request on Port 1.
How will the switch handle these two frames differently?
The switch floods the unknown unicast frame to all ports in the same VLAN, hoping to discover the destination when it gets a reply. The broadcast ARP request is also flooded to all ports in the VLAN; however, it is recognized as a broadcast frame, so every device receives it. The difference is that the unknown unicast flooding stops once the switch learns the destination MAC address.

reflect
Why do you think switches use different filtering rules for unknown, broadcast, and multicast frames? What would happen if every type of frame were treated the same way?

terms to know
Filtering
The process a switch uses to control which frames are forwarded, flooded, or dropped in order to reduce unnecessary traffic and improve network efficiency.
Flooding
A Layer 2 process in which a switch sends a frame out of all ports within a VLAN, except the incoming port, when the destination MAC address is unknown.
Unknown Unicast
A frame whose destination MAC address is not yet listed in the switch’s MAC address table. The switch temporarily floods the frame until it learns the correct destination.
Broadcast Frame
A frame sent to the special MAC address FF:FF:FF:FF:FF:FF, meaning it is delivered to all devices within the same VLAN or broadcast domain.
Multicast Frame
A frame sent to multiple devices that belong to a specific multicast group, allowing one sender to reach many recipients efficiently.
Multicast Filtering
A switch process that forwards multicast frames only to ports that have requested to join the multicast group, reducing unnecessary network traffic and improving efficiency.

3. Access Ports Versus Trunk Ports

So far, you’ve seen how switches forward and filter frames within a local network. In a small home network, that might be enough—every device shares the same space and can communicate freely. However, in a business or campus network, hundreds of devices might connect to multiple switches. Without a plan, all that traffic would mix together, making the network less secure and harder to manage.

To solve this, switches use two main port types that organize how traffic moves between devices and between switches: access ports and trunk ports.

An access port connects directly to an end device such as a computer, printer, or phone. It handles traffic for one local network. Frames that enter or leave an access port are untagged, meaning that the end device never sees any special information added by the switch. Inside the switch, each access port is assigned to a specific local network, so traffic from different groups stays separate. This helps isolate departments, control broadcast traffic, and reduce accidental access to other groups’ data.

A trunk port connects switches to one another or links a switch to a router. Trunk ports carry traffic for multiple local networks at the same time. Instead of using a separate physical cable for each network, a trunk allows all of them to share one link efficiently. To keep the traffic organized, the switch adds a small identifier to each frame, showing which local network it belongs to. This identifier is called a tag, and it follows the IEEE 802.1Q standard. The 802.1Q standard defines a universal tagging format in which any switch or router, no matter the manufacturer, can recognize and separate tagged traffic correctly. When a tagged frame leaves a trunk and reaches an access port, the switch removes the tag, allowing the end device to receive only its own local traffic.

Using access and trunk ports together allows networks to scale easily while keeping traffic organized and secure. Access ports connect individual devices to their correct local networks, while trunk ports connect switches so that each local network can extend across the larger system without its traffic getting mixed with that of others.

try it
Imagine a school with three departments: Administration, Faculty, and Students. Each group’s computers connect to that group’s own local network. The network administrator wants all three networks to reach servers in another building without running three separate cables between switches.
How could trunk ports help solve this problem?
A trunk port can carry traffic for all three local networks over one physical link. The 802.1Q tags identify which local network each frame belongs to, allowing the switch in the other building to separate the traffic correctly and keep each group’s data isolated.

key concept
Access ports carry untagged frames for a single local network and keep each device’s traffic isolated. Trunk ports carry tagged frames for multiple local networks using the IEEE 802.1Q standard, allowing networks to extend across multiple switches without compromising separation or security.

terms to know
Access Port
A switch port that connects to a single end device and carries untagged frames for one local network.
Trunk Port
A switch port that connects switches or routers and carries tagged frames for multiple local networks on the same physical link.
IEEE 802.1Q
An Ethernet standard that defines how network devices add and remove tags from frames, allowing multiple local networks to share one link while keeping traffic separate.

summary
In this lesson, you learned how switches use MAC addresses to record device locations and forward frames efficiently within a network. In addition, you explored how switches filter traffic by deciding whether to forward, flood, or drop frames to reduce congestion and improve performance. You also discovered how access and trunk ports separate and organize traffic, allowing multiple local networks to share connections securely. Together, these concepts show how switches manage frame movement to keep modern wired networks organized, efficient, and scalable.

Source: THIS TUTORIAL WAS AUTHORED BY SOPHIA LEARNING. PLEASE SEE OUR TERMS OF USE.

Terms to Know
Access Port

A switch port that connects to a single end device and carries untagged frames for one local network.

Broadcast Frame

A frame sent to the special MAC address FF:FF:FF:FF:FF:FF, meaning it is delivered to all devices within the same VLAN or broadcast domain.

Filtering

The process a switch uses to control which frames are forwarded, flooded, or dropped in order to reduce unnecessary traffic and improve network efficiency.

Flooding

A Layer 2 process in which a switch sends a frame out of all ports within a VLAN, except the incoming port, when the destination MAC address is unknown.

IEEE 802.1Q

An Ethernet standard that defines how network devices add and remove tags from frames, allowing multiple local networks to share one link while keeping traffic separate.

Multicast Filtering

A switch process that forwards multicast frames only to ports that have requested to join the multicast group, reducing unnecessary network traffic and improving efficiency.

Multicast Frame

A frame sent to multiple devices that belong to a specific multicast group, allowing one sender to reach many recipients efficiently.

Trunk Port

A switch port that connects switches or routers and carries tagged frames for multiple local networks on the same physical link.

Unknown Unicast

A frame whose destination MAC address is not yet listed in the switch’s MAC address table. The switch temporarily floods the frame until it learns the correct destination.

© 2026 SOPHIA Learning, LLC. SOPHIA is a registered trademark of SOPHIA Learning, LLC.