How Ethernet Switches Actually Forward Frames

2nd. gen black Amazon Echo speaker on white panel

5 min read

Ethernet switches build forwarding databases by observing source MAC addresses on arriving frames, with aging timers automatically purging stale entries.

Unknown destination addresses trigger flooding to all ports in the VLAN, making CAM table stability critical for network efficiency.

802.1Q VLAN tagging creates isolated broadcast domains, with access ports handling untagged traffic and trunk ports preserving tags between switches.

Native VLAN misconfigurations on trunk ports can enable VLAN hopping attacks where traffic crosses intended security boundaries.

ASIC-based forwarding pipelines parse headers, perform parallel table lookups, and apply queue scheduling entirely in hardware for consistent wire-speed performance.

Every time you send an email, stream a video, or load a webpage, Ethernet switches silently perform millions of forwarding decisions per second. These devices don't just blindly broadcast traffic everywhere—they make intelligent, microsecond-scale decisions about exactly which port should receive each frame.

Understanding switch forwarding behavior matters because misconfigured switches cause some of the most frustrating network problems: broadcast storms, asymmetric routing, and mysterious packet loss. Yet many network engineers treat switches as magical black boxes rather than deterministic systems following precise algorithms.

The reality is elegant: switches learn, remember, and decide using hardware pipelines specifically designed for wire-speed processing. From MAC address learning through VLAN segmentation to the actual forwarding pipeline, each component follows engineering principles that enable switches to handle billions of frames without becoming bottlenecks. Let's examine how these systems actually work.

MAC Learning Tables: Building the Forwarding Brain

When a frame arrives at a switch port, the switch immediately examines the source MAC address and records which port it came from. This simple observation—"I saw MAC address AA:BB:CC:DD:EE:FF on port 3"—builds the Content Addressable Memory (CAM) table that drives all forwarding decisions. The switch doesn't need configuration for this; it learns automatically by watching traffic patterns.

Each CAM entry includes a timestamp that gets refreshed whenever the switch sees that MAC address again. If no traffic arrives from a particular address within the aging timer (typically 300 seconds), the entry gets purged. This prevents stale entries from consuming table space and allows the network to adapt when devices move between ports or get disconnected.

When the switch receives a frame destined for an unknown MAC address—one not in the CAM table—it has no choice but to flood the frame out every port in that VLAN except the ingress port. Flooding ensures the frame reaches its destination even without learned state, but excessive flooding wastes bandwidth and can cause security issues. A well-functioning network minimizes unknown unicast flooding through stable MAC tables.

CAM table overflow attacks exploit this mechanism by sending frames with thousands of spoofed source addresses, forcing the switch to flood all traffic when legitimate entries get evicted. Modern switches implement port security features that limit how many MAC addresses can be learned per port, preventing this attack vector while maintaining normal learning behavior.

Takeaway
Switches build forwarding intelligence purely by observing source addresses on arriving frames—the aging timer and table size limits determine how quickly your network adapts to topology changes and how vulnerable it is to overflow attacks.

VLAN Mechanics: Creating Logical Boundaries

VLANs transform a single physical switch into multiple isolated broadcast domains, each with its own MAC learning table and flooding scope. The IEEE 802.1Q standard defines how switches tag frames with a 12-bit VLAN identifier, allowing 4,094 distinct VLANs per switch. Without VLANs, every broadcast frame would reach every port on every interconnected switch—a scalability nightmare.

Access ports connect end devices and handle untagged traffic: frames arriving without VLAN tags get assigned the port's configured access VLAN, and frames leaving have their tags stripped. Trunk ports carry traffic for multiple VLANs between switches, preserving 802.1Q tags so the receiving switch knows which VLAN each frame belongs to.

The native VLAN on trunk ports handles untagged frames—a necessary compatibility feature that creates subtle security risks. If trunk ports on connected switches have mismatched native VLAN configurations, traffic leaks between VLANs. Attackers exploit this through VLAN hopping: sending double-tagged frames where the outer tag matches the native VLAN gets stripped, exposing the inner tag that routes the frame to a different VLAN.

Properly segmented VLANs contain broadcast storms, limit the scope of spanning tree reconvergence, and enforce security boundaries. But VLANs only provide Layer 2 isolation—devices in different VLANs need a router or Layer 3 switch to communicate, creating natural points for applying access control policies.

Takeaway
VLANs create isolated broadcast domains through frame tagging, but native VLAN misconfigurations between trunk ports can silently allow traffic to cross boundaries you intended to be secure.

Forwarding Pipeline: From Ingress to Egress

Modern switches implement forwarding in dedicated ASICs (Application-Specific Integrated Circuits) that process frames through deterministic pipeline stages. This hardware approach achieves wire-speed forwarding—the switch can process frames as fast as they arrive on any port combination without introducing additional latency beyond the physical propagation delay.

The ingress stage parses frame headers, extracting the destination MAC, source MAC, VLAN tag, and any QoS markings. Classification logic then determines how to handle the frame: which queues to use, whether to mirror for monitoring, and whether access control lists permit or deny the traffic. All these decisions happen in parallel hardware lookups, not sequential software processing.

The switching fabric connects the parsed frame to the correct egress port based on the CAM table lookup. If the destination MAC exists in the table, the frame goes directly to that port. Unknown destinations trigger flooding to all ports in the VLAN. Multicast and broadcast frames always flood, though IGMP snooping can optimize multicast by learning which ports have interested receivers.

Egress processing applies queue scheduling to manage congestion when multiple frames compete for the same output port. Strict priority queuing ensures latency-sensitive traffic like voice gets transmitted first, while weighted fair queuing prevents any single flow from starving others. Frame rewrites happen here too—modifying VLAN tags for trunk ports or applying QoS remarking before transmission.

Takeaway
Switch forwarding happens entirely in purpose-built hardware that parses, looks up, and queues frames in parallel—understanding this pipeline explains why switches achieve consistent microsecond latency regardless of traffic load.

Ethernet switch forwarding combines elegant simplicity with sophisticated hardware engineering. MAC learning provides automatic topology discovery, VLANs create logical segmentation without physical rewiring, and ASIC-based pipelines ensure wire-speed processing regardless of traffic complexity.

These mechanisms interact in predictable ways that explain most switching problems you'll encounter. Broadcast storms result from spanning tree failures. Intermittent connectivity often traces to CAM table issues. Unexpected traffic patterns frequently involve VLAN misconfigurations.

Treating switches as deterministic systems rather than mysterious appliances transforms troubleshooting from guesswork into systematic analysis. Every forwarding decision follows rules you can observe, verify, and optimize.