A standard network switch operates at Layer 2 of the OSI model, known as the data link layer. It uses MAC addresses to forward traffic between devices on the same network. Some advanced switches also operate at Layer 3 and above, but the classic switch you’ll find in most networks is a Layer 2 device.
What Layer 2 Actually Means
The OSI model breaks network communication into seven layers, each handling a different job. Layer 2, the data link layer, sits just above the physical layer (the cables and signals). Its job is transferring data between devices on the same local network segment using physical addresses, better known as MAC addresses. Every network device has a unique MAC address burned into its hardware, and Layer 2 is where those addresses matter.
At this layer, data travels in units called frames. A frame wraps around the data coming down from higher layers and adds a header containing the source and destination MAC addresses, plus a trailer with error-checking information. Think of a frame as an envelope: the MAC addresses are the “to” and “from” on the outside, and the actual data (including any IP packet from Layer 3) rides inside. A switch reads that envelope and decides where to send it.
How a Switch Learns and Forwards
A switch builds a MAC address table dynamically by watching the traffic that passes through it. Every time a frame arrives on a port, the switch reads the source MAC address and records it alongside the port number. If that MAC address isn’t in the table yet, it gets added. If it already exists but on a different port (meaning a device moved or was reconnected elsewhere), the switch updates the entry. These entries expire after about five minutes of inactivity by default, keeping the table current.
When it comes time to forward a frame, the switch checks the destination MAC address against its table. If it finds a match, it sends the frame out only the specific port where that device is connected. This is far more efficient than a hub, which blindly copies traffic to every port. If the destination MAC address isn’t in the table yet, the switch floods the frame out all ports except the one it arrived on, a process called unknown unicast flooding. Broadcast frames (like ARP requests, which devices use to discover each other’s MAC addresses) are also flooded to all ports.
What Makes Switches So Fast
Switches use specialized chips called ASICs (application-specific integrated circuits) designed to do one thing extremely well: forward frames at wire speed, meaning as fast as data arrives on the cable. The MAC address table is stored in a dedicated memory structure called a CAM table, which the ASIC can look up almost instantly. This hardware-based approach is why switches add almost no delay to your network traffic.
Switches also use different forwarding methods that affect speed and reliability. Store-and-forward switching receives the entire frame, checks it for errors using a mathematical formula called CRC, and only then forwards it. Corrupted, undersized, or oversized frames get dropped before they reach their destination. Cut-through switching reads just the first few bytes of the frame to grab the destination MAC address, then immediately starts forwarding without waiting for the rest. This shaves off a small amount of latency but skips error checking entirely. In most enterprise networks, the latency difference between the two methods is measured in tens of microseconds and is negligible in practice.
Layer 3 Switches: When Switching Meets Routing
A Layer 3 switch, sometimes called a multilayer switch, combines standard Layer 2 switching with routing capabilities normally found in a router. It still forwards traffic using MAC addresses for devices on the same network segment, but it can also read IP addresses and route packets between different subnets. This makes it useful in larger networks where you need to move traffic between departments or VLANs without sending everything through a separate router.
The key advantage of a Layer 3 switch over a traditional router is speed. Because it still uses ASICs for packet forwarding, a Layer 3 switch handles routing decisions in hardware rather than software. Traditional routers process packets in software, which can be slower under heavy loads. On the other hand, routers offer features that Layer 3 switches typically lack: support for VPN connections, network address translation (NAT), built-in firewall services, and a wider variety of interface types like serial and fiber connections. Layer 3 switches are largely limited to Ethernet ports.
In practice, Layer 3 switches handle routing within a local network while traditional routers sit at the network edge, connecting your organization to the internet or to remote offices.
Switches at Layer 4 and Above
Some specialized switches operate at even higher layers. Layer 4 through Layer 7 switches can inspect transport and application layer data to make forwarding decisions. In data centers, these devices direct traffic to firewalls, load balancers, intrusion prevention systems, and application delivery controllers based on policies that match specific types of traffic. For example, a policy might route all web traffic through a firewall and a performance optimizer while excluding certain internal traffic flows from those services entirely.
These higher-layer switches are niche equipment found in enterprise data centers and service provider networks. For the vast majority of networking scenarios, “switch” means a Layer 2 device that forwards frames based on MAC addresses, with Layer 3 switches covering the next most common use case.