Routers create broadcast domain boundaries by simply not forwarding broadcast frames from one interface to another. Every port on a router belongs to a separate broadcast domain, so a broadcast sent on one network segment stays on that segment. This is a default behavior baked into how routers process traffic, not something that needs to be configured.
What Happens When a Broadcast Hits a Router
To understand why routers act as boundaries, it helps to see what happens at each layer of the network. When a device sends a broadcast, it addresses the frame to the special MAC address FF:FF:FF:FF:FF:FF. Every device on that local network segment receives it. A switch, operating at Layer 2, sees that broadcast and floods it out every port in the same VLAN. The switch never opens the packet far enough to look at Layer 3 information like IP addresses. It just forwards.
A router works differently. When a broadcast frame arrives at one of its interfaces, the router reads the frame and passes it up its protocol stack to examine the content. But here’s the key distinction: the router treats each of its interfaces as a completely independent network. It does not take that broadcast and repeat it out its other interfaces. The broadcast is processed locally on the interface where it arrived, and it dies there. IP broadcast messages do not pass from one router interface (or subinterface) to another.
This is the fundamental mechanism. A switch extends a broadcast domain across all its ports. A router terminates it at each interface.
Layer 2 Boundaries vs. Layer 3 Boundaries
There are actually two ways to create broadcast domain boundaries in modern networks, and they work at different layers. VLANs separate broadcast domains at Layer 2, while routers separate them at Layer 3.
A VLAN is essentially a broadcast domain defined within a set of switches. Traffic from one VLAN is never flooded to another VLAN, even if both VLANs exist on the same physical switch. Broadcast, multicast, and unicast frames all stay contained within their VLAN. But for devices in different VLANs to communicate with each other, the traffic must hit a routed interface. And routed interfaces do not forward broadcast packets. So even when you use VLANs, a router or Layer 3 switch is still the device that enables communication between those separate broadcast domains while keeping their broadcasts isolated.
How Subnets and ARP Fit In
Each router interface typically connects to a different IP subnet, and this is where the broadcast boundary becomes practical. Consider ARP, the protocol devices use to discover the MAC address associated with an IP address. When a device needs to reach another device on its local subnet, it sends an ARP request as a MAC broadcast. That broadcast reaches every device on the local segment, but because it’s a MAC broadcast, it goes only to devices directly attached to that network. It is not routed to other networks.
If a device needs to reach an IP address on a different subnet, it doesn’t broadcast an ARP request for that remote address at all. Instead, it sends the traffic to its default gateway, which is the router’s local interface. The router then handles forwarding the packet to the correct destination network using its own routing table. The remote subnet never sees the original device’s ARP broadcast.
This is why each router interface effectively contains broadcasts within its own subnet’s scope. The router acts as the termination point for local broadcast traffic and the forwarding point for routed unicast traffic.
The DHCP Exception: Relay Agents
There is one notable exception to the rule that routers block all broadcasts. DHCP, the protocol that automatically assigns IP addresses to devices, relies on broadcast messages. When a device first connects to a network, it has no IP address yet, so it broadcasts a DHCP discovery message looking for a server. Normally, that broadcast would be trapped within its local broadcast domain, which means the DHCP server would need to be on every single subnet.
To solve this, routers can be configured as DHCP relay agents. The relay agent intercepts the DHCP broadcast on the local interface and converts it into a unicast message directed at a specific DHCP server on another network. It also stamps the message with the IP address of the interface where the request arrived, so the server knows which subnet the request came from and can assign an appropriate address. This is a deliberate, configured exception to the default behavior. The router isn’t forwarding the broadcast itself. It’s intercepting it and creating a new unicast packet.
Router-on-a-Stick and Subinterfaces
In smaller networks, a single physical router interface can serve multiple broadcast domains using a configuration called router-on-a-stick. The router’s physical interface is divided into logical subinterfaces, each assigned to a different VLAN. A trunk link from a switch carries tagged traffic for all VLANs to the router, and each subinterface handles one VLAN’s traffic using 802.1Q frame tagging to identify which VLAN a frame belongs to.
Even though all this traffic flows over a single physical cable, each subinterface maintains a separate broadcast domain. A broadcast arriving on the subinterface for VLAN 10 is not forwarded to the subinterface for VLAN 20. The router provides broadcast filtering, security, and traffic flow management between these virtual segments, just as it would if each VLAN were connected to a physically separate router port.
Why This Matters for Network Performance
Every broadcast on a network consumes bandwidth and processing power. Every device that receives a broadcast frame has to read the entire frame and process it up through its protocol stack to determine whether the content is relevant. In a flat network with no broadcast boundaries, a single chatty device can generate broadcasts that interrupt thousands of other devices.
By breaking a network into smaller broadcast domains, routers limit the blast radius of broadcast traffic. A broadcast storm in one segment stays contained to that segment. Devices on other segments never see it. This is why network design places routers (or Layer 3 switches performing the same function) at strategic points: not just to route traffic between networks, but to keep broadcast traffic from scaling out of control as the network grows.