Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Network Access Foundational

Switching Operation

How a switch actually decides where to forward each frame. Covers source-MAC learning, destination-MAC lookup, the three outcomes (forward / flood / drop), and store-and-forward vs cut-through.

TL;DR
  • A switch's job per-frame: learn the source MAC on the inbound port, look up the destination MAC, then forward, flood, or drop.
  • Forward = known destination → out one port. Flood = unknown destination → out all other ports in the VLAN. Drop = destination is on the same port the frame arrived on.
  • Store-and-forward (default) buffers the whole frame and validates the FCS before forwarding. Cut-through forwards as soon as the destination MAC is read — faster but no error checking.

Mental model

A switch does one thing per frame: decide which port (if any) to send it out. The decision is mechanical:

  1. Receive a frame on a port.
  2. Learn — record the source MAC of this frame against the port it came in on (in the MAC address table).
  3. Look up the destination MAC in the same table.
  4. Forward, Flood, or Drop based on the lookup result.

This happens billions of times a second in a busy LAN. Hardware does it at wire-speed.

The three outcomes

Forward (the common case)

Destination MAC is in the table, mapped to a specific port. Send the frame out only that one port. No one else sees it.

Frame arrives on Gi0/1 destined for dd:dd:dd
CAM table says dd:dd:dd is on Gi0/5
→ forward out Gi0/5 only

This is what makes switches different from hubs — and dramatically more efficient. Traffic between PC-A and PC-B doesn’t disturb PC-C.

Flood (unknown destination)

Destination MAC isn’t in the table. The switch sends the frame out every other port in the same VLAN — every port except the one the frame came in on. The hope: somewhere out there, the destination exists and will reply, which lets the switch learn its port.

Frame arrives on Gi0/1 destined for ee:ee:ee (unknown)
→ flood out Gi0/2, Gi0/3, Gi0/4, ..., everywhere except Gi0/1

Three triggers cause flooding:

  • Unknown unicast — destination not in MAC table
  • Broadcast — destination FF:FF:FF:FF:FF:FF (always flooded)
  • Multicast — flooded unless IGMP snooping is configured

Drop

If the destination MAC is on the same port the frame arrived on, the switch drops the frame. Two hosts on the same physical port (impossible normally, but possible through a hub) would already have heard the frame — no point forwarding it back.

Less common: drops happen for security policy (port security violation, ACL on an SVI, STP-blocked port).

Store-and-forward vs cut-through

Two switching modes:

ModeBehaviorTrade-off
Store-and-forwardBuffer the entire frame, check FCS (frame check sequence), then forwardSlightly higher latency but no corrupt frames forwarded
Cut-throughForward as soon as the first 14 bytes (destination MAC) are readLowest latency but corrupt frames propagate
Fragment-freeCut-through, but wait for the first 64 bytes (catches collision fragments)Compromise between the two

Modern Cisco Catalyst switches default to store-and-forward. Cut-through exists on data-center switches (Nexus, some merchant silicon) where every microsecond of latency matters. For CCNA, know all three terms; in real life, store-and-forward is what you have.

Why the switch never reads the IP header

Switches are Layer 2 devices. They see frames and MACs, full stop. The IP header inside the frame is irrelevant to switching decisions.

That’s why:

  • Switching doesn’t need a router involved (Layer 3) when destination is in the same VLAN
  • Different VLANs can’t talk without a router because the switch refuses to forward frames between VLANs — even though they share the same physical hardware
  • ACLs on regular switches operate on MAC / port; for IP-based filtering on a switch, you need a Layer-3 switch with SVIs

Per-VLAN switching

The MAC table is per-VLAN. A switch maintains separate tables for VLAN 10 and VLAN 20.

SW1# show mac address-table vlan 10
   10    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
   10    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2

SW1# show mac address-table vlan 20
   20    cccc.cccc.cccc    DYNAMIC     Gi0/5

When a frame arrives, the switch looks up the destination MAC only within the VLAN tagged on the frame. Same MAC in two different VLANs? Two separate entries, treated independently.

Switching modes you can set

SW1(config)# switching-mode store-and-forward       ! default on most platforms
SW1(config)# switching-mode cut-through             ! some platforms only

Most Catalyst switches don’t expose this — they’re hardwired to one mode. Nexus and Data Center platforms expose it.

Common mistakes

  1. Expecting switches to look at IP addresses. They don’t. Layer 2 only. If you need IP-based filtering, you need a Layer-3 switch (SVIs) or a router.

  2. Forgetting flooding happens on unknown unicast. A quiet server whose MAC ages out causes its next inbound frame to flood every port. Mitigation: longer aging time or static MAC entries for critical servers.

  3. Confusing “flooding” with “broadcasting.” Broadcast = destination MAC FF:FF:FF:FF:FF:FF, by definition reaches everyone. Flooding = forwarding behavior, can happen for unicast / broadcast / multicast.

  4. Thinking VLANs use Layer-3 separation. They use Layer-2 separation. Same physical switch, separate broadcast domains. Inter-VLAN traffic needs a router.

  5. Setting cut-through and being surprised by corrupted frames. Cut-through propagates errored frames before the FCS is checked. Bad cabling or marginal optics → cascading errors. Use store-and-forward unless you have a specific reason.

  6. Misunderstanding switch fabric capacity. A switch’s “switching capacity” (sometimes called backplane) is what it can move in aggregate, not per port. A 24-port 1 Gbps switch might have 48 Gbps full-duplex switching capacity (24 × 1 × 2). Anything less and the switch is oversubscribed.

Lab to try tonight

  1. One switch, three PCs in the same VLAN.
  2. Run show mac address-table — empty (no traffic yet).
  3. Ping PC-A from PC-B. Re-run — both MACs appear.
  4. Open Wireshark on PC-C. Ping PC-A from PC-B again. Confirm PC-C does NOT see the ping (forward, not flood).
  5. clear mac address-table dynamic. Repeat the ping. PC-C briefly sees the first frame in Wireshark (flooded), then the table re-populates and subsequent frames don’t flood.
  6. Add static MAC entry pinning PC-A. Confirm it survives clear mac address-table dynamic.
  7. Bonus: add VLAN 20, put PC-C in it. Try to ping from PC-A (VLAN 10) to PC-C (VLAN 20). Fails — different VLANs, no router.

Cheat strip

ConceptPlain English
LearnRecord source MAC against inbound port
Look upSearch CAM table for destination MAC
ForwardKnown destination → send to that one port
FloodUnknown destination / broadcast → send everywhere else in VLAN
DropDestination is on the same port frame arrived on
Store-and-forwardDefault. Buffer full frame, check FCS.
Cut-throughForward after 14 bytes. Fast, error-prone.
Fragment-freeForward after 64 bytes. Catches collision fragments.
Per-VLAN tableDifferent MACs tracked separately per VLAN
← Previous topic

Wi-Fi Security — WEP, WPA, WPA2, WPA3

Twenty-five years of wireless security in one page. Why WEP is broken, why WPA is a stop-gap, why WPA2 ruled for two decades, and what WPA3 actually fixes.
Next topic →

CDP & LLDP — Neighbor Discovery

How devices learn about their directly-connected neighbors. CDP is Cisco-proprietary; LLDP is the vendor-neutral standard. Both shout the same info: who I am, what model, what IOS, what port — invaluable for troubleshooting.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

Network Access

MAC Address Table

How a switch learns where every device is and decides where to forward each frame. Covers source-MAC learning, destination-MAC lookup, unknown-unicast flooding, and the CAM table on Cisco switches.

 Network Access

Spanning Tree Protocol (STP)

Definitive CCNA-level STP guide — why loops are catastrophic, bridge ID + priority election, three port roles, five port states, BPDU anatomy, PortFast + BPDU Guard + Root Guard + Loop Guard, RSTP convergence, MSTP overview, and 8 worked scenarios.

 Network Access

VLANs

Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages