# Switching and VLANs
A switch is the box that ties a local network together, moving traffic between the devices plugged into it. This page explains how a switch forwards traffic at Layer 2 using MAC addresses, how ARP links IP addresses to those MACs, and how VLANs let you carve one physical switch into several isolated logical networks.
**Applies to**
Switching and VLANs are hardware/protocol concepts, so they are OS-agnostic. The behaviour is the same whether the connected hosts run Linux, Windows, or anything else. Commands for viewing the local MAC/ARP state are shown for both Linux and Windows.
This builds on What is a network and the layer model in OSI and TCP/IP. Switches operate at Layer 2 (Data Link); routers, covered in Routing and NAT, operate at Layer 3.
## What a switch does
A switch connects multiple devices on the same local network and forwards frames between them. It works at Layer 2 (the Data Link layer), so it makes its decisions based on the MAC address - the unique hardware address burned into every network interface - not the IP address.
A MAC address looks like `00:1A:2B:3C:4D:5E`: 48 bits, usually written as six hex pairs.
The key difference from a simple hub: a hub repeats every signal out of every port (everyone hears everything), while a switch learns where each device is and sends each frame only out the port that leads to its destination. That makes the network faster, quieter, and more private.
## The MAC address table
A switch learns by watching the source MAC address of every frame that arrives and noting which port it came in on. It stores these in its MAC address table (also called a CAM table):
```
Port  MAC address
----  -----------------------------
1     00:1A:2B:3C:4D:5E (PC-A)
2     00:1A:2B:3C:4D:6F (PC-B)
3     00:1A:2B:3C:4D:70 (Printer)
```
Forwarding logic:
- Destination MAC is in the table -> send the frame only out that one port (unicast forwarding).
- Destination MAC is unknown -> flood it out every port except the one it arrived on, and learn the reply.
- Destination is the broadcast address (`FF:FF:FF:FF:FF:FF`) -> flood to all ports.
Entries age out after a timeout, so the table stays current as devices move.
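The learning, forwarding, flooding and aging rules above, as an added simulation that is not part of the original page. It models one switch with a MAC table keyed by source MAC, a configurable aging timer, and the three forwarding cases (known unicast, unknown unicast, broadcast); the port count, aging value and the `now` timestamps passed in are constructed for the demo.

```python
"""Learning switch simulation: MAC table, unicast forwarding, flooding, aging.
Added example; the switch, frame and timing values are constructed, not a real device."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class LearningSwitch:
    num_ports: int
    aging_secs: float = 300.0          # assumed aging timer (seconds)
    # MAC -> (port, last_seen): this dict is the MAC address / CAM table
    table: dict = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        """Drop entries that have not been refreshed within the aging timer."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_secs]
        for m in stale:
            del self.table[m]

    def receive(self, in_port: int, frame: Frame, now: float = 0.0) -> list:
        """Process one frame arriving on in_port; return the list of ports it is sent out of."""
        self._age_out(now)
        src, dst = frame.src.lower(), frame.dst.lower()
        # Learn: the source MAC lives behind in_port (also refreshes an existing entry).
        self.table[src] = (in_port, now)
        all_other = [p for p in range(1, self.num_ports + 1) if p != in_port]
        if dst == BROADCAST:
            return all_other                  # broadcast: flood to every other port
        if dst in self.table:
            out_port = self.table[dst][0]
            # Never send a frame back out of the port it arrived on.
            return [] if out_port == in_port else [out_port]
        return all_other                      # unknown unicast: flood, then learn from the reply


def demo() -> dict:
    """Replay the PC-A / PC-B exchange from the page on a 4-port switch."""
    sw = LearningSwitch(num_ports=4)
    pc_a, pc_b, printer = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:6f", "00:1a:2b:3c:4d:70"
    results = {}
    results["first"] = sw.receive(1, Frame(pc_a, pc_b), now=0)       # B unknown -> flood [2, 3, 4]
    results["reply"] = sw.receive(2, Frame(pc_b, pc_a), now=1)       # A already learned -> [1]
    results["second"] = sw.receive(1, Frame(pc_a, pc_b), now=2)      # B now learned -> [2]
    results["bcast"] = sw.receive(3, Frame(printer, BROADCAST), now=3)  # broadcast -> [1, 2, 4]
    results["aged"] = sw.receive(1, Frame(pc_a, pc_b), now=400)      # everything aged out -> flood again
    results["table"] = {m: p for m, (p, _) in sw.table.items()}
    return results


if __name__ == "__main__":
    for step, out in demo().items():
        print(f"{step:>7}: {out}")
```

The `aged` step is the part worth watching: after the 300-second timer expires the switch has forgotten PC-B, so the same unicast that was forwarded to port 2 a moment earlier is flooded again until PC-B's next frame repopulates the table.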
## Broadcast domains vs collision domains
Two terms that are easy to confuse:
| | Collision domain | Broadcast domain |
|---|---|---|
| What it is | A segment where two frames can collide | The set of devices a broadcast reaches |
| On a switch | Each port is its own collision domain | All ports share one broadcast domain (by default) |
| Bounded by | A switch port | A router (or a VLAN boundary) |
A switch eliminates collisions by giving every port its own collision domain. But a single switch is, by default, one broadcast domain: a broadcast frame sent by any device reaches every other device on the switch. Large flat networks therefore suffer from broadcast traffic hitting everyone - one of the main reasons to introduce VLANs.
## ARP: resolving IP to MAC
Hosts think in IP addresses, but a switch forwards by MAC. Something has to bridge the two, and that is ARP (Address Resolution Protocol).
When a host wants to send to an IP on its local network but does not know that IP's MAC address, it broadcasts an ARP request:
```
PC-A broadcasts: "Who has 192.168.1.20? Tell 192.168.1.10"
PC-B replies:    "192.168.1.20 is at 00:1A:2B:3C:4D:6F"
```
PC-A caches the answer in its ARP table and uses that MAC to build the frame. The switch, meanwhile, learns both MACs from the frames it sees.
**ARP is local only**
ARP only resolves addresses on the same subnet. To reach an IP on another subnet, the host instead ARPs for its default gateway and sends the frame there - the router takes over from that point. See Routing and NAT.
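The ARP exchange above and the local-only rule, as an added example that is not part of the original page. It builds and parses real Ethernet II + ARP frames with the standard field layout (hardware type 1, protocol type 0x0800, 6-byte MAC, 4-byte IPv4), gives each host an ARP cache, and has the host ARP for the destination only when it is on the local subnet, otherwise for its default gateway. The `Host` class, the gateway address 192.168.1.1 and the off-subnet address 10.0.0.5 are assumptions for the demo.

```python
"""ARP request/reply construction and parsing, plus the host-side next-hop decision.
Added example; Host, the gateway and the off-subnet address are constructed for the demo."""
import ipaddress
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame (no FCS) carrying a 28-byte IPv4-over-Ethernet ARP packet."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else tha   # requests are broadcast, replies unicast
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)        # htype, ptype, hlen, plen, operation
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet+ARP frame; raise ValueError for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "oper": oper,
        "sha": mac_str(body[0:6]), "spa": str(ipaddress.IPv4Address(body[6:10])),
        "tha": mac_str(body[10:16]), "tpa": str(ipaddress.IPv4Address(body[16:20])),
    }


class Host:
    """Minimal host: one interface address, a default gateway and an ARP cache (assumed model)."""

    def __init__(self, mac: str, ip_cidr: str, gateway: str):
        self.mac = mac
        self.iface = ipaddress.ip_interface(ip_cidr)
        self.gateway = gateway
        self.arp_cache: dict = {}

    def next_hop(self, dst_ip: str) -> str:
        """Same subnet: ARP for the destination itself; otherwise ARP for the default gateway."""
        if ipaddress.IPv4Address(dst_ip) in self.iface.network:
            return dst_ip
        return self.gateway

    def arp_request_for(self, dst_ip: str) -> bytes:
        return build_arp(ARP_REQUEST, self.mac, str(self.iface.ip), ZERO_MAC, self.next_hop(dst_ip))

    def answer(self, frame: bytes) -> Optional[bytes]:
        """Reply when a request asks for our IP; also note the requester's IP-to-MAC mapping."""
        pkt = parse_arp(frame)
        if pkt["oper"] == ARP_REQUEST and pkt["tpa"] == str(self.iface.ip):
            self.arp_cache[pkt["spa"]] = pkt["sha"]
            return build_arp(ARP_REPLY, self.mac, str(self.iface.ip), pkt["sha"], pkt["spa"])
        return None

    def learn(self, reply: bytes) -> None:
        """Cache the mapping from a reply addressed to us."""
        pkt = parse_arp(reply)
        if pkt["oper"] == ARP_REPLY and pkt["tpa"] == str(self.iface.ip):
            self.arp_cache[pkt["spa"]] = pkt["sha"]


def demo() -> dict:
    pc_a = Host("00:1a:2b:3c:4d:5e", "192.168.1.10/24", "192.168.1.1")
    pc_b = Host("00:1a:2b:3c:4d:6f", "192.168.1.20/24", "192.168.1.1")
    req = pc_a.arp_request_for("192.168.1.20")   # "Who has 192.168.1.20? Tell 192.168.1.10"
    rep = pc_b.answer(req)                        # "192.168.1.20 is at 00:1a:2b:3c:4d:6f"
    assert rep is not None
    pc_a.learn(rep)
    return {
        "request": parse_arp(req),
        "request_eth_dst": mac_str(req[0:6]),       # broadcast
        "reply_eth_dst": mac_str(rep[0:6]),         # unicast back to PC-A
        "cache_a": dict(pc_a.arp_cache),
        "remote_next_hop": pc_a.next_hop("10.0.0.5"),  # off-subnet -> gateway is ARPed for instead
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `learn` accepts any well-formed reply addressed to this host's IP: ARP carries no authentication, which is why host and switch features that validate or pin ARP entries exist. The `remote_next_hop` result shows the local-only rule in action: a destination outside 192.168.1.0/24 never gets an ARP request of its own.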
## VLANs: one switch, many networks
A VLAN (Virtual LAN) lets you split a single physical switch into multiple logical networks. Ports assigned to VLAN 10 behave as if they were on a completely separate switch from ports in VLAN 20 - even though they share the same hardware. Each VLAN is its own broadcast domain.
Why segment with VLANs:
- Security - devices in different VLANs cannot reach each other without passing through a router/firewall, so you can isolate guests, servers, IoT, and staff.
- Performance - smaller broadcast domains mean less broadcast noise hitting each device.
- Organisation - group devices by function or department regardless of where they are physically plugged in.
```
              +---------------------------------------+
              |              One switch               |
              |                                       |
VLAN 10 ------| P1  P2                       P5  P6  |------ VLAN 20
(Staff)       |  \  /                         \  /   |       (Servers)
              |  Staff                      Servers  |
              | broadcast                  broadcast |
              |  domain                     domain   |
              +---------------------------------------+
```
Two isolated networks on the same physical switch.
## Access ports vs trunk ports
A switch port carries VLAN traffic in one of two modes:
| | Access port | Trunk port |
|---|---|---|
| Carries | A single VLAN | Many VLANs at once |
| Connects to | An end device (PC, printer, phone) | Another switch or a router |
| Tagging | Frames are untagged | Frames are tagged so the far end knows which VLAN they belong to |
The tagging standard is 802.1Q: a trunk inserts a small VLAN tag (containing the VLAN ID) into each frame so the receiving switch can sort traffic back into the right VLAN. An access port strips any tag and just delivers plain frames to the end device.
```
PC ---- [access port: VLAN 10, untagged] Switch-A
Switch-A ==== [trunk: VLANs 10,20 tagged with 802.1Q] ==== Switch-B
```
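The 802.1Q tagging described in this section and the VLAN isolation described in the previous one, as an added example that is not part of the original page. It inserts and strips the 4-byte tag (TPID 0x8100 followed by the TCI, whose low 12 bits are the VLAN ID) at the byte level and models a port in access or trunk mode, following the PC -> Switch-A -> trunk -> Switch-B path from the diagram. The `VlanPort` class is an assumed model; it treats an untagged frame arriving on a trunk as dropped because no native VLAN is configured in the demo.

```python
"""802.1Q tag insertion/stripping and access-vs-trunk port behaviour.
Added example; VlanPort and the frames are constructed, not a real switch or capture."""
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF               # low 12 bits are the VID; PCP and DEI sit above them
    return None


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present, yielding the plain frame an end device expects."""
    if vlan_id(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    frame = strip_tag(frame)              # replace any existing tag rather than stacking one
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


class VlanPort:
    """A switch port in access mode (one untagged VLAN) or trunk mode (many tagged VLANs)."""

    def __init__(self, mode: str, vlan: int = 1, allowed: Optional[Set[int]] = None):
        self.mode = mode                      # "access" or "trunk"
        self.vlan = vlan                      # access VLAN
        self.allowed = allowed or set()       # trunk: VLANs permitted across the link

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame into (vlan, untagged frame), or None if it is dropped."""
        vid = vlan_id(frame)
        if self.mode == "access":
            # End devices send plain frames; a tagged frame on an access port is dropped here.
            return None if vid is not None else (self.vlan, frame)
        if vid is None or vid not in self.allowed:
            return None                       # trunk: untagged (no native VLAN assumed) or not allowed
        return vid, strip_tag(frame)

    def egress(self, frame: bytes, vlan: int) -> Optional[bytes]:
        """Prepare a frame to leave this port, or None if this port may not carry that VLAN."""
        if self.mode == "access":
            return strip_tag(frame) if vlan == self.vlan else None
        return add_tag(frame, vlan) if vlan in self.allowed else None


def demo() -> dict:
    pc_a, pc_b = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:6f"
    frame = build_frame(pc_b, pc_a, 0x0800, b"hello")      # constructed payload, not a real IP packet
    access10 = VlanPort("access", vlan=10)
    access20 = VlanPort("access", vlan=20)
    trunk = VlanPort("trunk", allowed={10, 20})
    vid, inner = access10.ingress(frame)                   # PC on VLAN 10 sends an untagged frame
    tagged = trunk.egress(inner, vid)                       # leaves Switch-A tagged for VLAN 10
    far_vid, far_frame = trunk.ingress(tagged)              # arrives at Switch-B, tag read and removed
    return {
        "tag_tpid": struct.unpack("!H", tagged[12:14])[0],
        "tag_vid": vlan_id(tagged),
        "tag_overhead": len(tagged) - len(frame),
        "far_vid": far_vid,
        "vlan10_pc_gets_original": access10.egress(far_frame, far_vid) == frame,
        "vlan20_pc_gets_nothing": access20.egress(far_frame, far_vid),
        "trunk_refuses_vlan30": trunk.egress(inner, 30),
        "tagged_on_access_dropped": access10.ingress(tagged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `None` results are the isolation property from the VLAN section expressed in code: a VLAN 10 frame is never delivered out of a VLAN 20 access port, and a trunk only carries the VLANs it has been told to allow.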
## Inter-VLAN routing
Because each VLAN is a separate broadcast domain - effectively a separate network - devices in different VLANs cannot talk to each other through the switch alone. Crossing from one VLAN to another is moving between networks, which is a Layer 3 job.
To let VLANs communicate you need a router or a Layer 3 switch performing inter-VLAN routing. Each VLAN gets a gateway IP on that router; a host sends cross-VLAN traffic to its gateway, the router moves it to the destination VLAN, and back again.
```
VLAN 10 (192.168.10.0/24) --\
                             >-- [ Router / L3 switch ] -- routes between VLANs
VLAN 20 (192.168.20.0/24) --/                              gateway for each VLAN
```
This is the same routing principle covered in Routing and NAT - just applied between VLANs on the same site.
## Verify your work
```bash
# Linux - confirm what the host knows about Layer 2
ip link show                                   # interface MAC addresses
ip neighbour show                              # ARP cache: IP -> MAC mappings learned
ping -c1 192.168.1.20 && ip neighbour show     # ARP entry appears after a ping
```
On the switch itself you would run something like `show mac address-table` to see learned MACs and `show vlan` to confirm port assignments (exact syntax is vendor-specific). You are done when same-VLAN hosts can reach each other directly, the ARP cache shows their MACs, and cross-VLAN traffic only succeeds through the router/L3 switch.
## Summary
- A switch is a Layer 2 device that forwards frames by MAC address, learning which MAC lives on which port in its MAC address table.
- Each switch port is its own collision domain; by default the whole switch is one broadcast domain.
- ARP resolves an IP to a MAC on the local subnet; for remote subnets a host ARPs for its default gateway instead.
- VLANs split one physical switch into isolated logical networks for security, performance, and organisation - each VLAN is its own broadcast domain.
- Access ports carry one untagged VLAN to an end device; trunk ports carry many VLANs tagged with 802.1Q between switches/routers.
- VLANs are separate networks, so inter-VLAN routing via a router or Layer 3 switch is required for them to communicate.