Routing vs Switching: The One-Paragraph Mental Model

One of the cleanest dividing lines in networking is between switches and routers. The reason it confuses people early on is that “the box on the wall” in a home or small office is usually a router and a switch crammed into the same plastic shell, so the two jobs feel like one. They aren’t. They run on different layers, look at different fields in the packet, keep different tables, and answer different questions.

This is lesson 5 of Networking from Scratch. The previous articles got you to: I have an IP address (DHCP/ARP), I know what it means (IPv4 addressing, subnetting), and I can find my neighbour’s MAC. This article puts the next box in your mental map: who carries my packet once it has to leave the LAN.

The one-paragraph mental model

A switch moves frames between devices on the same network. It looks at the destination MAC address and consults a MAC address table to decide which port to forward out of. A router moves packets between different networks. It looks at the destination IP address and consults a routing table to decide which interface (and possibly which next-hop router) to forward out of. Both make the same kind of decision — given a destination, which way do I send this? — but they look at different fields, against different tables, and operate at different scopes.

If that paragraph clicks, the rest of the article is just filling in the details. If it doesn’t yet, keep reading; we’ll build it up piece by piece.

What a switch actually does

A switch is a Layer-2 device. Layer 2 means Ethernet (or Wi-Fi, conceptually) — the part of the stack where things are addressed by MAC. The switch’s job is to deliver frames among devices on the same physical network segment.

It does this with one table: the MAC address table (sometimes called the CAM table on Cisco gear). The table maps MAC addresses to switch ports:

MAC                  Port
aa:bb:01:02:03:04    1
aa:bb:01:02:03:05    2
e8:cc:18:11:22:33    3
e8:cc:18:11:22:34    4
f0:de:f1:00:11:22    Trunk

When a frame arrives, the switch reads the destination MAC, looks it up, and forwards out the matching port. Three special cases:

  • Unknown destination MAC — the switch floods the frame out every port except the one it came in on. The right device sees its own MAC and replies; the others ignore it. The switch learns the responder’s MAC from the reply.
  • Broadcast MAC (ff:ff:ff:ff:ff:ff) — flood out all ports except the source. ARP requests, DHCP DISCOVERs, and a few other protocols rely on this.
  • Multicast MAC — forwarded only to the ports that have asked to receive that group if the switch does IGMP snooping; if the switch isn’t listening to IGMP, the frame is just flooded.

The switch learns by watching the source MAC of every frame that crosses it. If a frame from aa:bb:01:02:03:04 arrives on Port 1, the switch records “aa:bb:01:02:03:04 is on Port 1” and uses that going forward. Entries time out after a few minutes of inactivity (typical default: 5 minutes).

That’s the entire mechanism. A switch doesn’t care about IP addresses, subnets, or where the destination lives in the wider network. As far as a switch is concerned, every device on every port is on the same flat broadcast domain.
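The learn, flood and age-out behaviour described above, as an added example that is not part of the original article. Port numbers and timestamps are constructed, the 300-second age limit is the "typical default" from the text, and multicast handling is left out.

```python
# Added example: minimal learning switch. Port numbers and timestamps are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
AGE_LIMIT = 300  # seconds; the "typical default: 5 minutes" from the text


class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # MAC -> (port, time last seen as a source)

    def receive(self, in_port, src, dst, now):
        """Handle one frame and return the sorted list of ports it is sent out of."""
        # Expire entries that have been silent for longer than AGE_LIMIT.
        self.table = {mac: (port, seen) for mac, (port, seen) in self.table.items()
                      if now - seen <= AGE_LIMIT}
        # Learn, refresh or move the sender's entry from the frame's source MAC.
        self.table[src] = (in_port, now)
        # Broadcast or unknown destination: flood out every port except the ingress port.
        if dst == BROADCAST or dst not in self.table:
            return sorted(self.ports - {in_port})
        out_port = self.table[dst][0]
        # A frame whose destination sits on the ingress port is not sent back out.
        return [] if out_port == in_port else [out_port]


def demo():
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b = "aa:bb:01:02:03:04", "aa:bb:01:02:03:05"
    return [
        sw.receive(1, a, BROADCAST, now=0),  # broadcast (e.g. ARP request): flood
        sw.receive(2, b, a, now=1),          # a was learned from frame 1: port 1 only
        sw.receive(1, a, b, now=2),          # b was learned from its reply: port 2 only
        sw.receive(1, a, b, now=400),        # b silent > 300 s, entry expired: flood again
    ]


if __name__ == "__main__":
    for ports in demo():
        print(ports)
```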

What a router actually does

A router is a Layer-3 device. Layer 3 is IP. Routers exist because broadcast domains have to end somewhere — you can’t flood ARP across the entire internet. A router is a wall that frames don’t cross. It strips off the incoming frame, reads the IP packet inside, decides where to send the packet next, and wraps it in a fresh frame addressed to the next-hop device.

It does this with one table: the routing table. The routing table maps destination prefixes (subnets) to outgoing interfaces and next hops:

Destination       Next hop / interface
10.10.1.0/24      via eth0       (directly connected)
10.10.2.0/24      via eth1       (directly connected)
192.168.0.0/16    via eth2
203.0.113.0/24    via wan0
0.0.0.0/0         via 198.51.100.1  (default route)

For every packet that arrives, the router does a longest-prefix match against the destination IP: it picks the entry with the most specific prefix that contains the destination and forwards out that interface. If no more specific entry matches, it uses the default route (0.0.0.0/0), the “send it to my upstream and hope” entry.
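Longest-prefix match over the routing table shown above, as an added example that is not part of the original article. The extra 192.168.10.0/24 route via eth3 and the test destinations are hypothetical, added to show an overlapping prefix winning and a lookup with no default route.

```python
import ipaddress

# Routing table from the text: (destination prefix, next hop / interface).
ROUTES = [
    ("10.10.1.0/24", "eth0"),
    ("10.10.2.0/24", "eth1"),
    ("192.168.0.0/16", "eth2"),
    ("203.0.113.0/24", "wan0"),
    ("0.0.0.0/0", "198.51.100.1"),
]


def lookup(dst, routes):
    """Return (prefix, via) for the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        # A route is a candidate only if the destination falls inside its prefix;
        # among candidates the longest prefix (most specific) wins.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (str(best[0]), best[1])


def demo():
    # Hypothetical extra route (not in the text) that overlaps 192.168.0.0/16.
    overlapping = ROUTES + [("192.168.10.0/24", "eth3")]
    # Same table without the default route: unmatched destinations are dropped.
    no_default = [r for r in ROUTES if r[0] != "0.0.0.0/0"]
    return {
        "10.10.2.7": lookup("10.10.2.7", ROUTES),
        "192.168.10.42": lookup("192.168.10.42", ROUTES),
        "192.168.10.42 (+/24)": lookup("192.168.10.42", overlapping),
        "198.51.100.77": lookup("198.51.100.77", ROUTES),
        "198.51.100.77 (no default)": lookup("198.51.100.77", no_default),
    }


if __name__ == "__main__":
    for dst, route in demo().items():
        print(f"{dst:28} -> {route}")
```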

Hosts keep a routing table too, and you can inspect it with one command:

# Linux
ip route

# Windows
route print

# macOS
netstat -rn

Most home laptops have just two interesting entries: their own subnet (directly connected, e.g. 192.168.1.0/24 via wlan0) and the default route via the home router’s IP. That’s enough — everything not on the local subnet leaves through the gateway, and the gateway has its own routing table to figure out what comes next.

Side by side

                                           Switch                                 Router
Layer                                      2 (Ethernet / Wi-Fi)                   3 (IP)
Lookup field                               Destination MAC address                Destination IP address
Table                                      MAC address table                      Routing table
Match style                                Exact MAC match                        Longest-prefix match
Scope                                      One broadcast domain (one LAN / VLAN)  Between networks
Stops broadcasts?                          No — floods them out every port        Yes — broadcasts don’t cross routers
Learns from                                Source MACs of frames it sees          Static config, dynamic protocols (OSPF/BGP/etc.)
Default behaviour for unknown destination  Flood                                  Drop (no default route) or forward (with default)

A concrete packet, end to end

Let’s walk one packet through both devices. Setup: a laptop at 192.168.10.42 wants to reach a web server at 203.0.113.50. The home router is 192.168.10.1. The home network is on a single switch attached to the home router’s LAN port.

Step 1: laptop builds the packet

The laptop checks: is 203.0.113.50 on my subnet (192.168.10.0/24)? No, so the packet has to go to the default gateway. The laptop also checks its ARP cache for the gateway’s MAC; let’s say it has it: e8:cc:18:11:22:33.

The laptop wraps the packet in an Ethernet frame:

Frame:
  src MAC: aa:bb:01:02:03:04   (laptop)
  dst MAC: e8:cc:18:11:22:33   (gateway / router)
Packet inside:
  src IP: 192.168.10.42
  dst IP: 203.0.113.50

Notice the destination MAC is the router’s, not the destination server’s. The switch’s job is only to get this frame to e8:cc:18:11:22:33.

Step 2: switch forwards the frame

The switch looks up e8:cc:18:11:22:33 in its MAC table. Found it — on the port the router is plugged into. It forwards the frame out that port. Done. The switch never opened the IP packet inside the frame, didn’t look at 203.0.113.50, doesn’t care.

Step 3: router receives the frame

The router strips the Ethernet frame off and reads the IP packet. The destination is 203.0.113.50. It does longest-prefix match against its routing table:

0.0.0.0/0        via 198.51.100.1   <-- match (only the default catches it)

So the router needs to send the packet to 198.51.100.1 via its WAN interface. It builds a new Ethernet frame on that interface, with the source MAC of its WAN port and the destination MAC of the upstream ISP router (which it finds via ARP on the WAN side). The IP packet inside is the same packet that arrived — same source IP, same destination IP — but the frame around it is brand-new.

Step 4: the rest of the internet

That packet bounces from router to router across the internet. Each router does the same thing: strip the inbound frame, look at the IP, longest-prefix match in its routing table, build a new outbound frame to the next hop. Eventually it reaches a router that has a directly-connected route to 203.0.113.0/24; that router forwards the frame onto the local segment where the web server lives. The server’s switch delivers the frame to the server’s port. The server processes the IP packet and replies.

The entire trip is governed by the same two questions repeated at every hop: switch — which port has the destination MAC? and router — which prefix matches the destination IP?
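Steps 1 and 3 of the walk-through, as an added example that is not part of the original article: the host picks its Layer-2 target, and the router re-frames the unchanged packet. The WAN-port and ISP-router MACs and the interface names lan0/wan0 are constructed placeholders; step 2 (the switch) only delivers the first frame by destination MAC and is omitted.

```python
import ipaddress
from dataclasses import dataclass

LAPTOP_MAC, GW_MAC = "aa:bb:01:02:03:04", "e8:cc:18:11:22:33"  # from the text
WAN_MAC, ISP_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"    # constructed placeholders


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    packet: Packet


def host_send(packet, my_mac, my_net, gateway_ip, arp):
    """Step 1: frame on-link destinations directly, everything else to the gateway's MAC."""
    on_link = ipaddress.ip_address(packet.dst_ip) in ipaddress.ip_network(my_net)
    return Frame(my_mac, arp[packet.dst_ip if on_link else gateway_ip], packet)


def router_forward(frame, routes, iface_mac, arp):
    """Step 3: discard the old frame, match on dst IP, re-frame towards the next hop."""
    dst = ipaddress.ip_address(frame.packet.dst_ip)
    hits = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not hits:
        return None  # no route and no default: drop
    _, next_hop, iface = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    # Directly connected routes have no next hop: resolve the destination itself.
    l2_target = next_hop or frame.packet.dst_ip
    return iface, Frame(iface_mac[iface], arp[l2_target], frame.packet)


def walk():
    pkt = Packet("192.168.10.42", "203.0.113.50")
    f1 = host_send(pkt, LAPTOP_MAC, "192.168.10.0/24", "192.168.10.1",
                   arp={"192.168.10.1": GW_MAC})
    # Home router's table (interface names assumed): LAN prefix plus the default route.
    routes = [("192.168.10.0/24", None, "lan0"), ("0.0.0.0/0", "198.51.100.1", "wan0")]
    iface, f2 = router_forward(f1, routes, {"lan0": GW_MAC, "wan0": WAN_MAC},
                               arp={"198.51.100.1": ISP_MAC})
    return f1, iface, f2
```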

Three common questions

“Why does my home router have a switch in it?”

Convenience. A home box typically has one WAN port (uplink to the ISP), four or so LAN ports, and a Wi-Fi radio. Internally the LAN ports and Wi-Fi are all bridged into a single switch fabric, and that fabric is connected to the router’s LAN-side IP. Logically there’s a switch and a router; physically they share a chassis.

The same is true of consumer access points, mesh nodes, and small-business gateways. Once you start working with enterprise gear, switches and routers separate again — you’ll have a closet full of switches feeding a couple of routers (or a Layer-3 switch), and the wiring suddenly makes a lot more sense.

“What about a Layer-3 switch?”

A Layer-3 switch is a switch that can also do routing in hardware. Functionally, it’s a router that has a lot of switch ports. The chip looks at MAC addresses for traffic within a VLAN (switching) and at IP addresses for traffic between VLANs (routing). The reason it exists is performance: when you have a lot of inter-VLAN traffic in a data centre, doing it on a router with a few uplink ports is a bottleneck; doing it on the switch ASIC is line-rate.

The mental model still holds: there’s a switching function and a routing function. They’re just packaged together for speed.

“Where do VLANs fit?”

A VLAN is a way to slice one physical switch into multiple logical switches. Ports tagged into VLAN 10 form one broadcast domain; ports tagged into VLAN 20 form another. Within each VLAN, the switch behaves exactly as described above. Between VLANs, you need a router (or a Layer-3 switch’s routing function), because VLANs are different networks. We’ll cover VLANs in their own article later in the pathway — for now, the right way to think of a VLAN is “a separate switch that happens to share hardware with another one.”

Why both exist — the broadcast problem

You might wonder why we don’t just use one giant flat network with one giant switch. The answer is broadcasts. Every device on a single broadcast domain hears every ARP request, every DHCP discover, every Spanning Tree update, every multicast that isn’t pruned. With ten devices, that’s noise. With ten thousand, every device burns CPU processing broadcasts that have nothing to do with it — and the broadcast traffic alone can saturate links.

Routers stop broadcasts. They are the wall. By chopping a network into smaller broadcast domains and routing between them, you keep broadcast noise local and let each segment scale independently. Subnetting (lesson 3) and routing (this lesson) are two halves of the same idea: divide and conquer.

What you can now answer

  • What does a switch look at? — Destination MAC; consults the MAC address table; forwards on a port match.
  • What does a router look at? — Destination IP; consults the routing table; forwards on the longest-prefix match.
  • What stops a broadcast from spreading across the entire internet? — Routers. Switches happily forward broadcasts; routers do not.
  • Why is my home box both a switch and a router? — Because consumer hardware bundles them. Logically they’re two devices.
  • Why are there both? — To break broadcast domains into manageable sizes while still letting everything reach everything.

What’s next

You now have the four-quadrant mental model: addresses (lesson 2), subnetting math (lesson 3), how a host gets configured and finds neighbours (lesson 4), and the difference between L2 and L3 forwarding (this article). The next lesson moves down a layer: cabling, Wi-Fi, and the physical layer — what’s actually carrying the bits, how to choose between copper and fiber, what PoE is, and why your office’s 2.4 GHz Wi-Fi feels worse on Tuesdays.
