InfrastructureBeginner40 min read

What Does Switch Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A switch is a device that links computers, printers, and other devices together in a network. It looks at the address on each incoming message and sends it directly to the correct device. This makes communication faster and more secure than older hubs that send everything to all devices.

Common Commands & Configuration

switchport port-security maximum 2

Limits the number of MAC addresses allowed on a switch port to two.

CCNA and Security+ exams ask about violation modes and the effect of exceeding the limit.

switchport port-security violation shutdown

Sets the violation mode to shutdown, which forces the port into error-disabled state.

Tests understanding of port security violation actions and recovery commands like 'errdisable recovery cause psecure-violation'.

ip dhcp snooping trust

Designates a switch interface as trusted for DHCP snooping, allowing DHCP server messages.

CCNA and Security+ exams test which ports should be trusted (only uplinks to known DHCP servers).

ip arp inspection vlan 10

Enables Dynamic ARP Inspection on VLAN 10 to validate ARP packets.

Security+ exam asks which feature prevents ARP poisoning; this command is the answer.

spanning-tree bpduguard enable

Enables BPDU guard on an interface to protect against STP manipulation attacks.

CCNA and Security+ exams test BPDU guard as a defense against Layer 2 attacks.

switchport mode trunk

Forces a switch interface to operate as an 802.1Q trunk carrying multiple VLANs.

CCNA exam requires knowing the difference between access and trunk ports, and the use of 'switchport nonegotiate'.

show mac address-table

Displays the MAC address table (CAM table) with learned MACs, VLANs, and ports.

Network+ and CCNA exams test troubleshooting of unknown unicast flooding using this command.

interface vlan 1

Creates or configures a switched virtual interface for management on VLAN 1.

CCNA exam tests the concept of management VLAN and why using VLAN 1 is a security risk.

Switch appears directly in 1,841exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

Switches appear prominently across multiple certification exams, each with a slightly different focus. For the CCNA exam (200-301), switching is a core domain. You must understand MAC address table learning, VLAN configuration, trunking with 802.1Q, Spanning Tree Protocol operations, port security, and EtherChannel. Expect multiple-choice questions that ask you to interpret the output of 'show mac-address-table' or 'show spanning-tree'. You may also encounter simulation questions where you must configure VLANs and trunk ports on a switch. Knowing the difference between access and trunk ports, and the native VLAN, is critical.

For the Network+ exam (N10-008), switching is covered under network infrastructure and network operations. You need to know the difference between a hub, a switch, and a router. You should understand MAC address tables, the purpose of a switch, and basic VLAN concepts. You will see questions about collision and broadcast domains. For example, how many broadcast domains does a switch with 10 ports create? The answer is one broadcast domain by default, but each port is its own collision domain. You may also be asked about PoE and switch form factors.

The Security+ exam (SY0-601) focuses on switch security. You need to know about port security, MAC filtering, DHCP snooping, Dynamic ARP Inspection (DAI), and the risks of STP manipulation (like STP root guard). You might see a question describing a scenario where an attacker plugs a rogue switch into a network to perform a man-in-the-middle attack. The correct mitigation would be to enable port security and BPDU guard on access ports. Understanding how switching operates at Layer 2 is essential to grasping these threats.

Cloud exams like AWS SAA, Google ACE, and Azure AZ-104 do not test physical switch configuration, but they expect you to understand virtual networking constructs that behave like switches. In AWS, a VPC subnet implicitly functions as a virtual switch. You need to understand how network ACLs and security groups control traffic at different layers. In Azure, virtual networks and subnets are similar. The Google ACE exam covers VPC networks, subnets, and firewall rules. While the terminology differs, the underlying concept of traffic isolation and forwarding between devices in the same subnet mirrors physical switching. For these exams, questions often test your ability to design network segmentation and troubleshoot connectivity between resources in the same subnet or across subnets.

Simple Meaning

Imagine you are in a large office building with many rooms. Each room has a mailbox, and there is a central mail room that sorts all incoming letters. In the old days, the mail room would make a copy of every letter and slide it under every door in the building.

That was loud, wasteful, and everyone could read everyone else's mail. A switch is like a smart mail sorter. When a letter arrives, the sorter reads the recipient's room number written on the envelope.

The sorter then walks directly to that one room and delivers the letter only there. No copies, no noise, no one else sees the letter. In a computer network, a switch does exactly this.

It reads the destination address on every data packet and forwards it only to the device that needs it. This is much more efficient than a hub, which broadcasts every packet to every port. Switches also remember which devices are connected to which ports.

This memory, called the MAC address table, allows the switch to learn the network over time and make faster, more accurate delivery decisions. When a device sends its first message, the switch does not yet know where the destination lives. So it sends the message out to all ports, a process called flooding.

But once the destination replies, the switch learns which port that device is on and records it. From then on, traffic to that device goes only to that one port. This learning process is automatic and continuous.

Switches also help prevent collisions, which happen when two devices try to talk at the same time on the same wire. Because each switch port creates its own separate collision domain, devices connected to a switch can send and receive simultaneously without interfering with each other. This is a huge improvement over older Ethernet hubs.

In a home network, your typical router includes a small built-in switch for the four LAN ports. But in offices and data centers, standalone switches with 24, 48, or even more ports are common. They are the backbone of almost every wired network.

Without switches, large networks would be chaotic, slow, and insecure. With switches, data moves efficiently and privately from point to point.

Full Technical Definition

A network switch is a Layer 2 (data link layer) device that forwards Ethernet frames based on the destination MAC address. It operates using a MAC address table, also called a Content Addressable Memory (CAM) table, which maps each MAC address to the switch port where that device is connected. When a frame arrives on a port, the switch examines the destination MAC address and looks it up in the CAM table. If a match is found, the switch forwards the frame only to the port associated with that MAC address. If no match is found, the switch floods the frame out of all ports except the receiving port. This process is called unknown unicast flooding. Switches also handle broadcast frames (destination MAC address FF:FF:FF:FF:FF:FF) by flooding them out of all ports, which is essential for protocols like ARP (Address Resolution Protocol).

Switches build their MAC address tables dynamically by learning the source MAC address of every frame they receive. When a frame arrives, the switch records the source MAC and the port it came from, then updates an aging timer. If the switch does not see a frame from that MAC address for a certain period (typically 300 seconds, configurable), it removes the entry. This allows the switch to adapt to devices being moved or disconnected. The maximum size of the MAC address table varies by switch model, ranging from a few thousand entries in small switches to hundreds of thousands in enterprise models.

Switches use a switching fabric, which is the internal architecture that moves frames from input ports to output ports. The fabric can be implemented as a shared memory bus, a crossbar switch, or a combination. The switching capacity, measured in Gbps or Tbps, determines how much data the switch can process simultaneously without dropping frames. Non-blocking switches have enough internal bandwidth to handle full wire-speed traffic on all ports simultaneously. This is critical in high-performance environments.

Modern switches support many advanced features. VLANs (IEEE 802.1Q) allow a single physical switch to act as multiple logical switches, isolating traffic for different departments or security zones. Spanning Tree Protocol (STP, IEEE 802.1D) prevents loops in networks with redundant links by blocking certain ports. Rapid Spanning Tree Protocol (RSTP, 802.1w) and Multiple Spanning Tree Protocol (MSTP) improve convergence time. Link Aggregation (802.3ad) combines multiple physical links into one logical link for increased bandwidth and redundancy. Port security limits which MAC addresses can connect to a given port, preventing unauthorized devices from accessing the network. Quality of Service (QoS) prioritizes certain types of traffic, like voice or video, to ensure low latency. Switches can also support Power over Ethernet (PoE, 802.3af/at/bt), which delivers power along with data to devices like IP cameras, wireless access points, and VoIP phones.

In larger networks, switches are often used hierarchically. Access switches connect end devices. Distribution switches aggregate traffic from multiple access switches and enforce policies. Core switches provide high-speed connectivity between distribution switches and often route between VLANs. Multilayer switches, which can perform routing at Layer 3, blur the line between switching and routing. They use hardware ASICs to forward IP packets at wire speed, making them much faster than traditional routers.

For exam purposes, understanding how switches learn MAC addresses, forward frames, and handle broadcast traffic is essential. The CCNA exam covers switching fundamentals, VLAN configuration, STP, trunking, and EtherChannel. The Network+ exam expects knowledge of switch functions, MAC address tables, and the difference between switches and hubs. The AWS Solutions Architect exam focuses on Virtual Private Cloud (VPC) networking, where a virtual switch is implicit in how subnets and network ACLs work. The Google ACE and Azure AZ-104 exams also test virtual networking concepts that parallel physical switching. The Security+ exam touches on switch security features like port security, DHCP snooping, and dynamic ARP inspection.

Real-Life Example

Think about a large hospital. There are many departments: the emergency room, surgery, radiology, the pharmacy, and patient wards. In the old way of communicating, every time a doctor wanted to send a patient record to the pharmacy, a copy of that record would be delivered to every single department in the hospital. The surgery team would see records meant for the pharmacy, and the radiology department would get copies of everything. That is how a hub works, it broadcasts everything to everyone. It wastes time, creates clutter, and breaks patient privacy.

Now imagine a modern hospital with a smart internal mail system. Each department has a unique code. When the emergency room sends a medication order to the pharmacy, a mail robot reads the code on the order and delivers it directly to the pharmacy door. It does not stop at radiology or surgery. It goes straight to the pharmacy and nowhere else. The robot also remembers which code belongs to which department, so the next time it sees that code, it goes directly without hesitation. That is a switch. It uses the address on each message to deliver it precisely to the right recipient. If a new department is added, the robot learns it the first time a message comes from that department.

The hospital also uses colored wristbands to separate different types of patients, red for allergies, yellow for fall risk, blue for isolation. The mail robot uses these color codes to make sure certain messages are only sent within the correct group. That is like a VLAN on a switch, which separates traffic for different groups even though they share the same physical network. The robot also has a rule that if two mail robots try to use the same hallway at the same time, one waits for the other. That is like Spanning Tree Protocol preventing loops.

In a real IT network, the switch handles thousands of messages per second, each one addressed with a MAC address. The switch learns where each device lives and sends data only where it needs to go. This makes the network fast, efficient, and secure. The hospital analogy helps because everyone understands the chaos of broadcasting everything versus the efficiency of direct delivery. A switch is that smart mail robot for your network.

Why This Term Matters

Switches are the fundamental building blocks of modern local area networks. Without switches, you would have to use hubs, which broadcast every frame to every port. That creates massive inefficiency because each device must process all traffic, even traffic not meant for it. This wastes bandwidth and reduces overall network performance. In a business environment with hundreds or thousands of devices, a hub-based network would collapse under its own traffic load. Switches solve this by creating dedicated, collision-free paths between communicating devices. Each switch port is a separate collision domain, meaning two devices on different ports can transmit simultaneously without conflict. This dramatically increases the usable bandwidth of the network.

Switches also improve security. Because a switch forwards frames only to the intended recipient, it is much harder for an attacker to eavesdrop on network traffic. In a hub-based network, any device can listen to all traffic simply by putting its network interface into promiscuous mode. With a switch, an attacker would need to perform ARP spoofing or port mirroring to intercept traffic, which is more complex and detectable. Many switches also offer built-in security features like port security, DHCP snooping, and dynamic ARP inspection to further protect the network.

In the context of IT certifications, understanding switches is non-negotiable. The CCNA exam dedicates a large portion of its content to switching concepts, configuration, and troubleshooting. Network+ and Security+ also cover switches in depth because they are so central to networking. Even cloud certifications like AWS SAA, Google ACE, and Azure AZ-104 require an understanding of virtual switches within VPCs and virtual networks. A solid grasp of how switches work helps you configure VLANs, troubleshoot connectivity issues, and design scalable networks. For IT professionals, switches are not just exam topics, they are the devices you will configure daily.

How It Appears in Exam Questions

Switches appear in a variety of exam question formats, including multiple-choice, drag-and-drop, and simulation. One common type is the 'show mac-address-table' analysis question. You might be given a partial output of the MAC address table and asked which port a frame with a specific destination MAC will be forwarded to. Another variant shows a scenario where a PC connected to a switch cannot communicate with another PC, and you must identify whether the MAC address table is missing an entry, the port is in an error-disabled state, or the VLAN configuration is incorrect.

Configuration questions are frequent in the CCNA exam. You may be asked to configure an access port for a specific VLAN or to set up a trunk port between two switches. You might need to enable port security and set a maximum MAC address count. These questions test your command syntax and your understanding of the effects of each command. For example, if you configure 'switchport port-security maximum 1' and 'switchport port-security violation shutdown', what happens when a device with an unknown MAC address tries to connect? The port goes into error-disabled state and must be manually or automatically recovered.

Troubleshooting questions often involve Spanning Tree Protocol. You might be shown a topology with redundant links and asked which port will be in blocking state. Understanding the STP port roles (root port, designated port, alternate port) and states (blocking, listening, learning, forwarding) is essential. You might also see questions about the convergence time when a link fails. RSTP reduces convergence time to a few seconds compared to STP's 30-50 seconds.

In Security+ exams, questions often present an attack scenario. For example: 'An attacker connects a rogue switch to an open wall jack and successfully intercepts traffic from other devices. Which switch feature should be enabled to prevent this?' The answer is port security combined with BPDU guard. Another common question: 'A network administrator notices that the MAC address table on the switch is full of unknown addresses. What attack is likely occurring?' The answer is a MAC flood attack, which forces the switch to fall back to hub-like flooding behavior.

Cloud exam questions about virtual switches are more conceptual. For the AWS SAA, you might be asked: 'You have two EC2 instances in the same VPC subnet. One instance can ping the other, but traffic from a third instance in a different subnet fails. What is the most likely reason?' The answer involves subnet routing and the implicit router that connects subnets. You need to understand that instances in the same subnet can communicate directly through the virtual switch, while cross-subnet traffic must go through the VPC router, which requires proper route tables and security group rules.

Practise Switch Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as a junior network technician for a mid-sized company with three departments: Sales, Engineering, and HR. The company has a single 24-port switch that connects all employee workstations. Currently, all ports are in the default VLAN 1, and every department can see each other's broadcast traffic. The HR manager complains that HR printers sometimes receive print jobs from Sales, causing confusion and wasting paper. Your task is to isolate the HR department's traffic without buying new hardware.

You decide to configure VLANs on the switch. You create VLAN 10 for Sales, VLAN 20 for Engineering, and VLAN 30 for HR. You assign each switch port to the appropriate VLAN based on which department uses it. You also change the native VLAN on the trunk port that connects to the router to an unused VLAN for security. After the configuration, HR's devices can no longer see Sales broadcasts, and print jobs from Sales no longer reach HR printers. However, users in HR cannot access the internet because the router is not configured to route between VLANs. You then configure a router-on-a-stick setup with subinterfaces, one for each VLAN, and assign IP addresses in separate subnets. Now each department can access the internet and communicate with each other through the router while still being isolated at Layer 2.

This scenario demonstrates the power of VLANs on a switch. It shows how a single physical switch can logically separate traffic, improving security and efficiency. For the CCNA exam, you would need to know the exact commands to create VLANs, assign ports to VLANs, and configure inter-VLAN routing. For the Network+ exam, you would need to explain the benefits of VLAN segmentation. This scenario also touches on the need for a router or Layer 3 switch to enable communication between VLANs.

Common Mistakes

Thinking a switch creates separate broadcast domains for each port by default.

By default, all ports on a switch belong to the same broadcast domain (VLAN 1). Broadcast frames are flooded to all ports. Separate broadcast domains are created only when VLANs are configured.

Remember: a switch creates separate collision domains but only one broadcast domain unless VLANs are used.

Believing a switch uses IP addresses to make forwarding decisions.

A standard Layer 2 switch forwards frames based on MAC addresses, not IP addresses. IP addresses are used by routers and Layer 3 switches for routing.

Think of MAC addresses as physical serial numbers and IP addresses as postal addresses. Switches look at the serial number; routers look at the postal address.

Assuming that adding a switch always increases network speed.

While switches reduce collisions, they do not add bandwidth beyond the uplink speed. If the uplink is saturated, adding more switches will not help. You need to upgrade the uplink or use link aggregation.

Check the uplink utilization before expanding the switched network. A switch is only as fast as its connection to the rest of the network.

Confusing a switch with a router and thinking switches can connect different networks.

A standard Layer 2 switch cannot route between different IP subnets. It only forwards frames within the same broadcast domain. To connect different networks, you need a router or a Layer 3 switch with routing enabled.

Use a router to connect VLANs or separate networks. The switch's job is local delivery within the same network segment.

Forgetting that switches learn MAC addresses from the source address, not the destination.

The switch reads the source MAC address of every incoming frame to update its MAC address table. The destination MAC is used only for the lookup. If you look for where the destination MAC was learned, you will not find an entry if that device has never sent traffic.

To populate the MAC address table for a device, that device must first transmit a frame. The switch learns from what it hears, not from what it is asked to deliver.

Exam Trap — Don't Get Fooled

{"trap":"When a switch receives a frame with a destination MAC address not in its MAC address table, it drops the frame.","why_learners_choose_it":"Learners often assume that if the switch does not know the destination, it should discard the frame to avoid errors. This seems logical from a security standpoint."

,"how_to_avoid_it":"The correct behavior is that the switch floods the frame out of all ports except the receiving port. This is called unknown unicast flooding. It ensures the frame reaches the destination even if the switch has not learned its location yet.

The switch only drops frames in specific cases like when the destination MAC address is invalid or when the frame is an error frame."

Commonly Confused With

SwitchvsHub

A hub is a Layer 1 device that repeats electrical signals out of all ports, creating one collision domain for all devices. A switch is a Layer 2 device that uses MAC addresses to forward frames only to the correct port, creating separate collision domains for each port. Hubs are largely obsolete because they are inefficient and insecure.

With a hub, if PC A sends data to PC B, PC C also receives it. With a switch, PC C does not see that traffic unless the switch broadcasts it.

SwitchvsRouter

A router operates at Layer 3 and uses IP addresses to forward packets between different networks. It can connect multiple subnets and is the default gateway for devices. A standard switch operates at Layer 2 and cannot route between subnets. A multilayer switch can do both, but often routing is still handled by a dedicated router.

Your home router has a built-in switch for the LAN ports, but the routing function connects your home network to the internet. The switching function moves data between your PC and printer.

SwitchvsBridge

A bridge is an older device that connects two network segments and makes forwarding decisions based on MAC addresses, similar to a switch. A switch is essentially a multiport bridge. Bridges typically have only two ports, while switches have many. The term 'bridge' is still used in virtual networking contexts, like a virtual bridge in a hypervisor.

A bridge connects two separate Ethernet segments, reducing collision domains. A switch does the same but with more ports and higher performance.

SwitchvsFirewall

A firewall is a security device that filters traffic based on rules, often inspecting packets at Layers 3 and 4 (or even application layer). A switch does not inspect packet content; it only forwards frames based on MAC addresses. Firewalls are used to block unauthorized access, while switches are used to connect devices.

A firewall sits between your internal network and the internet, blocking malicious traffic. The switch connects your computers internally, without inspecting the data inside the frames.

SwitchvsAccess Point

An access point (AP) provides wireless connectivity to devices, bridging them onto the wired network. A switch is a wired device that does not transmit radio signals. Some switches have built-in wireless controllers or PoE to power APs, but the functions are distinct.

Your laptop connects via Wi-Fi to the access point, which is then plugged into a switch. The switch forwards traffic from the laptop to the internet or other wired devices.

Step-by-Step Breakdown

1

Frame Arrival

An Ethernet frame arrives at one of the switch's ports. The switch examines the frame's source and destination MAC addresses. This is the first interaction the switch has with the data.

2

Source MAC Learning

The switch reads the source MAC address from the frame. It records this MAC address in its MAC address table (CAM table) along with the port number it arrived on. If the entry already exists, the switch resets the aging timer. This is how the switch builds its knowledge of the network.

3

Destination MAC Lookup

The switch looks up the destination MAC address in its MAC address table. This determines where to send the frame. The outcome depends on whether the address is known, unknown, or a broadcast/multicast address.

4

Decision: Forward or Flood

If the destination MAC is found in the table and the corresponding port is different from the receiving port, the switch forwards the frame only to that port. If the destination MAC is not found, the switch floods the frame out of all ports except the one it came from. If the destination is a broadcast address (FF:FF:FF:FF:FF:FF), the frame is always flooded.

5

Forwarding the Frame

The switch sends the frame out of the appropriate port(s). At this point, the frame leaves the switch and travels over the cable to the destination device or devices. The switch may also use internal buffering to handle temporary traffic bursts.

6

Aging and Removal

The switch continually ages out MAC address entries that have not been seen within the configured aging time (default 300 seconds). If no frames from that source are received on that port within the aging period, the entry is deleted. This keeps the table accurate as devices move or disconnect.

7

Collision Avoidance

Because each switch port is its own collision domain, the switch does not need to worry about collisions between devices on different ports. However, if the switch's output buffer is full (e.g., due to congestion), it may drop frames. The switch uses a backpressure mechanism or IEEE 802.3x flow control to manage congestion.

8

Loop Prevention (Optional)

If the network has redundant links, Spanning Tree Protocol (STP) or its variants (RSTP, MSTP) dynamically block certain ports to prevent loops. Without loop prevention, broadcast storms can crash the network. The switch participates in BPDU exchange and uses a root bridge election to determine which ports to block.

Practical Mini-Lesson

In a real-world IT environment, switches are the workhorses that keep local networks running. As a network administrator, you will frequently configure, monitor, and troubleshoot switches. The first thing to understand is the difference between access and trunk ports. An access port belongs to a single VLAN and carries untagged traffic. It is used for end devices like PCs and printers. A trunk port carries traffic for multiple VLANs and uses 802.1Q tagging to identify which frame belongs to which VLAN. Trunks are used to connect switches to each other or to routers. When configuring a trunk, you must define the allowed VLAN list and set the native VLAN, which carries untagged traffic on the trunk. Security best practice is to change the native VLAN from VLAN 1 to an unused VLAN to prevent VLAN hopping attacks.

Another critical skill is deploying port security. This feature limits how many MAC addresses can be learned on a port and specifies the action if the limit is exceeded (shutdown, restrict, or protect). Port security helps prevent unauthorized devices from connecting. You can also configure sticky MAC addresses, which dynamically learn and save MAC addresses to the running configuration. In exam scenarios, you might be asked to configure a port so that only the first device that connects is allowed, and any other device causes the port to disable.

VLAN configuration is foundational. You must know how to create VLANs, assign them to ports, and verify with commands like 'show vlan brief'. A common mistake is forgetting that the VLAN must exist in the switch's VLAN database before you can assign it to a port. If you assign a port to VLAN 100 without creating VLAN 100 first, the port will remain inactive until the VLAN is created. Also, remember that VLAN 1 is the default VLAN and cannot be deleted. It is recommended to change the native VLAN on trunks to an unused VLAN and prune unused VLANs from the trunk to avoid unnecessary broadcast traffic.

For Spanning Tree Protocol, understand that it is enabled by default on most switches. The root bridge is the switch with the lowest bridge priority (default 32768 + VLAN number). You can manually set the priority to influence which switch becomes the root. PortFast is a feature that should be enabled on all access ports to bypass the STP listening and learning states, making the port transition to forwarding immediately upon link up. However, never enable PortFast on trunk ports because that can introduce loops. BPDU guard should be enabled on PortFast ports to prevent loops if a rogue switch is connected.

When troubleshooting, start with physical connectivity. Check link lights and cable integrity. Use 'show interface status' to see if ports are up, down, or error-disabled. A port in error-disabled state is usually due to a security violation or an STP BPDU guard violation. Use 'show mac-address-table' to see which MAC addresses the switch has learned. If a device is not communicating, verify that its MAC address appears in the table on the correct port. If it does not, the device may not be transmitting, or the VLAN assignment may be wrong.

In virtualized environments like AWS or Azure, you will not physically cable switches, but the principles of segmentation and traffic isolation still apply. In AWS, a subnet is analogous to a VLAN. Security groups act like stateful firewalls at the instance level, while network ACLs are stateless firewalls at the subnet level. Understanding how switches isolate traffic helps you architect secure and efficient VPCs.

Switch Forwarding Methods and Frame Processing

Switches operate at Layer 2 of the OSI model, making forwarding decisions based on MAC addresses. Understanding how a switch processes frames is fundamental for exam success in the AWS SAA, CCNA, Network+, and Security+ exams. The primary forwarding methods are store-and-forward, cut-through, and fragment-free.

Store-and-forward is the most common method in enterprise switches, including those from Cisco and HPE. In this method, the switch receives the entire frame before forwarding it. This allows the switch to check the frame check sequence (FCS) and detect errors before transmission.

The downside is increased latency because the switch must buffer the entire frame. For time-sensitive applications such as voice over IP, this latency can be problematic. Cut-through forwarding begins forwarding the frame as soon as the switch reads the destination MAC address in the header.

This reduces latency significantly but does not perform error checking. If a frame is corrupted, the error will be propagated to the destination. Fragment-free is a compromise that reads the first 64 bytes of the frame before forwarding.

Since most errors occur in the first 64 bytes, this method reduces the chance of forwarding bad frames while keeping latency low. In the A+ and Network+ exams, you may be asked to differentiate these methods based on latency and error checking. The CCNA exam frequently tests the command "show interfaces" to verify the switching mode on a specific interface.

The Security+ exam emphasizes the security implications of each method. For instance, cut-through switches may expose data sooner, increasing the risk of eavesdropping. In AWS, virtual switches like the Amazon VPC switch use store-and-forward by default, but understanding these methods helps in designing hybrid architectures that blend on-premises switches with cloud networking.

A switch's CAM table, also known as the MAC address table, is crucial for forwarding decisions. When a frame arrives, the switch looks up the destination MAC in its CAM table. If found, the frame is forwarded to the corresponding port.

If not found, the switch floods the frame to all ports except the incoming port. This behavior is tested in the Network+ and CCNA exams. The command "show mac address-table" displays the MAC address table on a Cisco switch.

Understanding aging timers and dynamic vs. static entries is also essential. Static entries are used for security or for devices that do not generate traffic frequently. In the exam, questions often ask why a switch floods frames when the MAC address is unknown.

The answer relates to the lack of a CAM entry. Another key concept is the switch's inability to forward frames between VLANs without a router or a Layer 3 switch. This is a common exam trick: a switch can have multiple VLANs, but inter-VLAN routing requires a Layer 3 device.

In the Google ACE and AZ-104 exams, understanding virtual switches in cloud environments is similar. For example, Azure virtual switches support both store-and-forward and cut-through depending on the accelerator used. Overall, mastering forwarding methods and CAM table operations is a high-yield topic for certification exams.

VLAN Configuration and Trunking on Switches

Virtual LANs (VLANs) are a core concept in switching, appearing in the CCNA, Network+, Security+, and even the AWS SAA exam when discussing network segmentation. A VLAN logically separates a switch into multiple broadcast domains, improving security and performance. To configure VLANs on a Cisco switch, you must first create the VLAN in the switch's database using the global command "vlan <vlan-id>".

Then, assign ports to the VLAN with the interface command "switchport access vlan <vlan-id>". For ports that carry traffic for multiple VLANs, you configure trunking using the IEEE 802.1Q protocol.

The command "switchport mode trunk" enables trunking on an interface. By default, all VLANs are allowed on a trunk, but you can restrict them with "switchport trunk allowed vlan <vlan-list>". This is a common exam topic for the CCNA.

Understanding the concept of native VLAN is critical. On a trunk, frames in the native VLAN are not tagged. If the native VLAN mismatches between two switches, it can cause VLAN hopping or connectivity issues.

In the Security+ exam, VLAN hopping attacks are a known threat. An attacker can exploit trunk negotiation by sending DTP frames to become part of the trunk, gaining access to multiple VLANs. To prevent this, you should disable DTP with "switchport nonegotiate" and set the native VLAN to an unused VLAN.

In the AZ-104 exam, Azure virtual networks support VLAN-like isolation but through different mechanisms. However, the principle of segmentation remains similar. The command "show vlan brief" displays all VLANs and their assigned ports on a Cisco switch.

This command is heavily tested in the CCNA and Network+ exams. Another key aspect is the management VLAN. By default, VLAN 1 is the management VLAN, but it is a security best practice to use a dedicated, non-default VLAN for management traffic.

The command "interface vlan <vlan-id>" creates a switched virtual interface for management. When configuring VLANs in a real environment, you must ensure that all switches in the same VLAN have consistent configurations. The concept of VLAN pruning via VTP or manual configuration is also tested.

VTP (VLAN Trunking Protocol) can propagate VLAN information across the network, but its misuse can cause errors. In the CCNA exam, you may be asked to troubleshoot a scenario where VLANs are missing after a new switch is added, likely due to VTP configuration mismatch. In the Google ACE exam, understanding VLANs helps when designing hybrid networks that connect on-premises switches to Google Cloud via VPN or Interconnect.

Overall, VLAN configuration and trunking are essential skills for any network professional and appear in multiple certification exams.

Spanning Tree Protocol and Loop Prevention

Spanning Tree Protocol (STP) is a foundational technology in switched networks, preventing Layer 2 loops that can cause broadcast storms, MAC table instability, and network saturation. Every exam from A+ to AWS SAA expects a working knowledge of STP and its variants, including Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). STP operates by having switches exchange Bridge Protocol Data Units (BPDUs) to elect a root bridge.

The root bridge is the switch with the lowest bridge priority. If priorities are equal, the lowest MAC address determines the root. The command "spanning-tree vlan <vlan-id> root primary" is a Cisco command that sets the priority low enough to force the switch to become root.

In the CCNA and Network+ exams, you are likely to see questions asking about the states of an STP port: blocking, listening, learning, forwarding, and disabled. Understanding these states is critical. A port in blocking mode does not forward traffic but listens for BPDUs.

Listening and learning are transitional states. Forwarding is the normal state. The delay from blocking to forwarding takes about 30-50 seconds, depending on timers. This convergence time can cause issues in modern networks, which is why RSTP was developed.

RSTP improves convergence to a few seconds by using alternative and backup ports explicitly. The command "spanning-tree mode rapid-pvst" enables RSTP on Cisco switches. In the Security+ exam, STP attacks are a concern.

An attacker can send inferior BPDUs to become the root bridge, then redirect traffic. This is known as an STP manipulation attack or a Layer 2 man-in-the-middle attack. Defenses include BPDU guard, which disables a port if a BPDU is received on an access port.

The command to enable BPDU guard is "spanning-tree bpduguard enable" on the interface or globally. Another feature is Root Guard, which ensures that a switch does not become the root bridge if a superior BPDU is received. The command is "spanning-tree guard root".

In the AZ-104 exam, while Azure does not run STP directly, the concept of loop prevention in virtual networks is analogous. For example, Azure uses loop prevention mechanisms in its software-defined networking. In the AWS SAA exam, understanding STP helps when designing hybrid networks with Direct Connect, where loop prevention must be considered.

The Google ACE exam also tests knowledge of STP when configuring interconnectivity solutions. The command "show spanning-tree" displays the current STP topology, including the root bridge status and port roles. This command is frequently used in troubleshooting scenarios.

A common exam question asks what happens when a switch receives a BPDU with a lower bridge ID than its own. The answer is that the switch updates its root bridge information and recalculates its port roles. Another question might involve identifying which port becomes the root port or designated port.

To answer, you must understand the STP election process: the root bridge is elected first, then each non-root switch selects one root port (the port with the lowest cost to root), and then designated ports are chosen for each segment. Port costs are determined by speed: 100 Mbps has cost 19, 1 Gbps has cost 4, and 10 Gbps has cost 2. These cost values appear in exam questions.

STP is a high-yield topic for multiple certifications, and hands-on practice with Cisco CLI is highly recommended.

Switch Security Features: Port Security, DHCP Snooping, and Dynamic ARP Inspection

Switches are often the first line of defense in a network, and their security features are a major focus in the Security+, CCNA, and Network+ exams. The three key security mechanisms that every exam candidate must master are port security, DHCP snooping, and Dynamic ARP Inspection (DAI). Port security limits the number of MAC addresses on a switch port and can specify allowed MAC addresses.

The command "switchport port-security maximum <number>" sets the maximum number of MAC addresses. If a violation occurs, the switch can be configured to shut down the port (shutdown mode), restrict traffic (restrict mode), or protect by dropping frames (protect mode). The default violation action is shutdown.

In the Security+ exam, this is a classic example of a Layer 2 security control. An exam question might ask: "What happens when a new device connects to a port configured with port security and the maximum MAC count is exceeded?" The answer is that the port enters the error-disabled state and must be manually re-enabled or automatically recovered via the command "errdisable recovery cause psecure-violation".

DHCP snooping prevents rogue DHCP servers from distributing false IP addresses. The switch is configured with trusted ports (uplink to legitimate DHCP server) and untrusted ports (user-facing). The command "ip dhcp snooping" enables the feature globally, and "ip dhcp snooping trust" sets an interface as trusted.

Untrusted ports drop DHCP server messages. In the CCNA exam, you might be asked to identify which ports should be trusted. The answer is always the ports connected to known DHCP servers.

DAI validates ARP packets by checking them against the DHCP snooping binding table. It drops ARP responses that do not match known IP-to-MAC mappings. The command "ip arp inspection vlan <vlan-id>" enables DAI on a VLAN.

DAI prevents ARP poisoning attacks, a common exam topic for Security+. A question might ask: "Which feature prevents a man-in-the-middle attack by validating ARP packets?" The answer is Dynamic ARP Inspection.

In the AZ-104 exam, while Azure does not use these commands, the principles of DHCP snooping and DAI are reflected in Azure Firewall policies and network security groups. The AWS SAA exam also tests similar security controls in the context of VPC security, like using network ACLs and security groups to achieve similar outcomes. The Google ACE exam emphasizes the importance of these features in hybrid scenarios.

The command "show port-security" displays the port security settings and violations. The command "show ip dhcp snooping binding" shows the binding table that DAI uses. Understanding these commands is not just for exams but is also critical for real-world network administration.

Another important security feature is 802.1X, which authenticates devices before granting network access. The command "dot1x port-control auto" enables 802.1X on an interface. This is often tested in relation to NAC (Network Access Control).

Switch security features are a dense but rewarding area of study, and they appear in multiple certification exams with consistent patterns.

Troubleshooting Clues

Port in Error-Disabled State

Symptom: Interface shows up/down with status err-disabled; no traffic passes.

Port security violation, such as exceeding the MAC address limit or receiving a BPDU on a port with BPDU guard, triggers the error-disabled state.

Exam clue: Exam questions ask for the cause (e.g., port security violation) and recovery command ('shutdown' then 'no shutdown' or 'errdisable recovery').

VLAN Missing from Trunk

Symptom: Devices in a VLAN cannot communicate across a trunk; ping fails.

The VLAN is not allowed on the trunk; the trunk's allowed VLAN list is restrictive by design.

Exam clue: CCNA exam tests the command 'switchport trunk allowed vlan add <vlan>' to fix this.

STP Loop Causing Broadcast Storm

Symptom: Network becomes extremely slow; high CPU usage on switches; broadcast frames multiply.

A redundant link without proper STP configuration causes a Layer 2 loop.

Exam clue: Network+ and CCNA exams ask which protocol prevents loops: STP.

Duplicate IP Address on Network

Symptom: Devices receive conflicting IP addresses; connectivity issues.

A rogue DHCP server on an untrusted port is distributing invalid IP addresses.

Exam clue: Security+ exam tests DHCP snooping as a mitigation; the symptom is classic for a rogue DHCP server.

ARP Cache Poisoning Attack

Symptom: Traffic is redirected to an attacker; failed pings; man-in-the-middle symptoms.

Attacker sends forged ARP replies to associate their MAC with the default gateway's IP.

Exam clue: Security+ exam asks about Dynamic ARP Inspection as the defense; common exam scenario.

Native VLAN Mismatch on Trunk

Symptom: Spanning tree errors; unexpected behavior; traffic in native VLAN fails.

Two switches have different native VLANs configured on the trunk; BPDUs are received on the wrong VLAN.

Exam clue: CCNA exam tests the use of 'show interfaces trunk' to diagnose native VLAN mismatch.

Port Security Violation After New Device Connected

Symptom: Port goes down after connecting a new host; link stays up/down.

The port has a maximum MAC limit, and the new device's MAC exceeds it, triggering a violation.

Exam clue: A+ and Network+ exams include scenarios where port security causes connectivity loss after adding a new device.

Trunk Not Forming Between Two Switches

Symptom: No VLAN traffic passes between switches; trunk status shows down or not trunking.

One switch is set to trunk mode, but the other is set to access mode; or DTP negotiation fails.

Exam clue: CCNA exam tests the use of 'switchport mode dynamic desirable' or 'switchport nonegotiate' in troubleshooting.

Memory Tip

Switches send frames straight to the MAC address. Switches are smart, hubs are not.

Learn This Topic Fully

This glossary page explains what Switch means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.A network administrator connects a new switch to the network and notices that the port on the existing switch goes into error-disabled state. What is the most likely cause?

2.Which command enables Rapid PVST+ on a Cisco switch?

3.What is the primary purpose of DHCP snooping in a switch environment?

4.A user reports that they cannot reach any device outside their own VLAN. Which of the following is most likely needed?

5.Which switch security feature validates ARP packets against the DHCP snooping binding table?

Frequently Asked Questions

What is the difference between a managed and unmanaged switch?

An unmanaged switch is plug-and-play with no configuration options. A managed switch allows you to configure VLANs, STP, port security, and other advanced features. For exams like CCNA, you work with managed switches.

Can a switch be used as a router?

A standard Layer 2 switch cannot route. A multilayer switch (Layer 3 switch) can route between VLANs using hardware-based switching, but it still differs from a dedicated router in features like NAT and advanced routing protocols.

What is a MAC address table and why is it important?

The MAC address table (CAM table) maps MAC addresses to switch ports. It allows the switch to forward frames only to the correct port, improving efficiency and security. Without it, the switch would flood all frames like a hub.

Why do switches have an aging timer for MAC addresses?

The aging timer removes stale entries when devices are disconnected or moved. This keeps the table accurate and prevents the switch from using outdated information. The default is typically 300 seconds.

What is a collision domain and how does a switch improve it?

A collision domain is a network segment where two devices transmitting simultaneously cause a collision. Each switch port is its own collision domain, so devices on different ports can transmit without colliding. Hubs have a single collision domain for all ports.

What is the purpose of the Spanning Tree Protocol on a switch?

STP prevents loops in networks with redundant links by blocking some ports. Without STP, broadcast frames would loop endlessly, causing a broadcast storm that can crash the network. STP dynamically chooses which ports to block.

Do cloud exams like AWS SAA test physical switches?

No, but they test virtual networking concepts that behave like switches. In AWS, a VPC subnet acts like a virtual switch. Understanding how VLANs isolate traffic helps you design secure VPCs.

What is port security and how does it work?

Port security limits the number of MAC addresses allowed on a switch port. If the limit is exceeded, the port can be shut down, restrict further traffic, or send a log. It prevents unauthorized devices from connecting.

Summary

A network switch is a fundamental Layer 2 device that connects devices within a local area network and forwards Ethernet frames based on MAC addresses. Unlike a hub, which broadcasts all data to every port, a switch sends data only to the specific device that needs it, reducing network congestion and improving security. Switches learn the location of devices by inspecting the source MAC address of incoming frames and building a MAC address table. This learning process is dynamic and adapts to network changes. Switches create separate collision domains for each port, allowing multiple devices to communicate simultaneously without interference.

For IT certification exams, switches are a core topic for CCNA, Network+, and Security+. CCNA focuses on configuration, VLANs, trunking, STP, and port security. Network+ emphasizes the functional differences between hubs, switches, and routers, as well as basic VLAN concepts. Security+ highlights switch security features and attack mitigation. Even cloud exams require an understanding of virtual switching concepts within VPCs and virtual networks. A solid grasp of how switches operate will help you not only pass exams but also build and maintain efficient, secure networks in your career. Remember: switches forward frames based on MAC addresses, create separate collision domains, and can be configured to isolate traffic with VLANs. That is the core takeaway.