What is a network switch?
A network switch connects devices within a network (often a local area network, or LAN*) and forwards data packets to and from those devices. Unlike a router, a switch only sends data to the single device it is intended for (which may be another switch, a router, or a user's computer), not to networks of multiple devices.
The concept of a network switch can be compared to railroad switches. On a railroad, a switch is a point at which a train can change from one track to another. A railroad employee activates the switch when a train needs to move to a different track in order to reach its destination. Similarly, network switches move data packets onto the right "track," or network path, to help that data get to its destination.
*A local area network (LAN) is a group of connected devices within close physical proximity. Home WiFi networks are one common example of a LAN.
What is the difference between a switch and a router?
Routers select paths for data packets to cross networks and reach their destinations. Routers do this by connecting with different networks and forwarding data from network to network — including LANs, wide area networks (WANs), or autonomous systems, which are the large networks that make up the Internet.
Essentially, routers forward data between groups of switches, while switches forward data between groups of devices. In practice, this means that routers are necessary for an Internet connection, while switches are necessary for interconnecting devices. Homes and small offices need routers for Internet access, but most do not need a network switch, unless they require a large number of Ethernet* ports. However, large offices, networks, and data centers usually do require switches.
*Ethernet is a layer 2 protocol for sending data between devices. Unlike WiFi, Ethernet requires a physical connection via an Ethernet cable.
What is a layer 2 switch? What is a layer 3 switch?
Network switches can operate at either OSI layer 2 (the data link layer) or layer 3 (the network layer). Layer 2 switches forward data based on the destination MAC address (see below for definition), while layer 3 switches forward data based on the destination IP address. Some switches can do both.
Because they forward data based on IP address, layer 3 switches can also act as routers, sending data back and forth between networks.
What is the difference between a MAC address and an IP address?
Every device that connects to the Internet has an IP address. An IP address is a series of alphanumeric characters, like 192.0.2.255 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IP addresses act like a mailing address, enabling Internet communications directed at that address to reach that device. IP addresses often change: because there is a limited number of IPv4 addresses, user devices are typically assigned new ones when they form a new connection with a network.
IP addresses are used at layer 3, which means computers and devices all over the Internet use IP addresses for sending and receiving data, no matter which network they are connected to. All IP packets include their source and destination IP addresses in their headers, just as a piece of mail has a destination address and a return address.
In contrast, a MAC address is a permanent identifier for each piece of hardware, somewhat like a serial number. Unlike IP addresses, MAC addresses do not change. MAC addresses are used at layer 2, not layer 3 — which means they are not included in IP packet headers. In other words, MAC addresses are not part of Internet traffic.
However, network switches refer to MAC addresses in order to send Internet traffic to the right devices. Network switches use a technique called IGMP snooping to map IP addresses to MAC addresses. Without this process, switches would be unable to send IP packets to the correct devices. (Although this process is called "snooping," IGMP snooping is harmless, and in fact useful.)
What is an unmanaged switch? What is a managed switch?
An unmanaged switch simply creates more Ethernet ports on a LAN, so that more local devices can access the Internet. Unmanaged switches pass data back and forth based on device MAC addresses.
A managed switch fulfills the same function for much larger networks, and offers network administrators much more control over how traffic is prioritized. Managed switches also enable administrators to set up Virtual LANs (VLANs) to further subdivide a local network into smaller chunks.
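To make the layer 2 / layer 3 distinction and the VLAN subdivision concrete, here is an added Python simulation (it is not Cloudflare's code or any real switch's firmware): a learning switch that forwards frames by destination MAC address within a VLAN, flooding when the destination is unknown or broadcast, and a layer 3 forwarding table that chooses a port by longest-prefix match on the destination IP address. All port numbers, VLAN ids, MAC addresses and IP addresses are constructed for the example.

```python
"""Toy simulation of layer 2 (MAC-based) and layer 3 (IP-based) switching.
Added example, not the article's code. Every address and port number is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """A layer 2 frame: only the fields a layer 2 switch looks at."""
    src_mac: str
    dst_mac: str
    payload: bytes = b""


class LearningSwitch:
    """Layer 2 switch with access ports. Each port belongs to exactly one VLAN, and
    the MAC table is keyed by (vlan, mac) so traffic never crosses between VLANs."""

    def __init__(self, port_vlans: Dict[int, int]) -> None:
        self.port_vlans = dict(port_vlans)                # port number -> VLAN id
        self.mac_table: Dict[Tuple[int, str], int] = {}   # (vlan, mac) -> port

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Process a frame arriving on in_port and return the ports it is sent out of."""
        vlan = self.port_vlans[in_port]
        # Learn: the source MAC is reachable through the port the frame arrived on.
        self.mac_table[(vlan, frame.src_mac)] = in_port
        out_port = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac == BROADCAST_MAC or out_port is None:
            # Broadcast or not-yet-learned destination: flood every other port in the VLAN.
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        if out_port == in_port:
            return []   # destination sits on the same port; nothing to forward
        return [out_port]


class Layer3Switch:
    """Forwards by destination IP address using longest-prefix match, as a router does."""

    def __init__(self, routes: Dict[str, int]) -> None:
        # routes maps a CIDR prefix (constructed for the example) to an output port.
        self.routes = [(ipaddress.ip_network(net), port) for net, port in routes.items()]

    def route(self, dst_ip: str) -> Optional[int]:
        """Return the output port for dst_ip, or None when no prefix matches."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, port) for net, port in self.routes if addr in net]
        return max(matches)[1] if matches else None


if __name__ == "__main__":
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    print("unknown dst, flooded to VLAN 10:", sw.receive(1, Frame(a, b)))
    print("reply, now a known MAC:", sw.receive(2, Frame(b, a)))
    print("same dst from VLAN 20, isolated:", sw.receive(4, Frame("02:00:00:00:00:0d", a)))
    l3 = Layer3Switch({"0.0.0.0/0": 1, "10.0.0.0/8": 2, "10.1.2.0/24": 3})
    print("10.1.2.9 ->", l3.route("10.1.2.9"), "  192.0.2.5 ->", l3.route("192.0.2.5"))
```

The first frame from port 1 is flooded because the switch has not yet seen the destination MAC; once the reply arrives, the table holds both addresses and later frames go out of one port only. The VLAN 20 station cannot reach the VLAN 10 host even though the MAC is in the table, because the lookup is scoped by VLAN. The layer 3 table prefers the most specific prefix, which is why a /24 beats the /8 and the default route.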
What is an Ethernet switch?
An Ethernet switch is a layer 2 switch that offers multiple Ethernet ports. Ethernet switches make it easier to reliably interconnect computers, printers, and other devices. Unmanaged Ethernet switches are often used to expand the number of Ethernet ports offered by the network router.
What is a packet?
All data sent over the Internet, from HTML code to video streams, is broken up into smaller pieces called packets. For instance, suppose Alice loads this "What is a network switch?" article on her computer. When she does so, Cloudflare's origin server breaks this webpage down into small packets, each with an IP header attached that specifies the destination (Alice's device). Alice's computer receives all the packets, reassembles them, and interprets the content within them in order to display this webpage.
On their way to Alice's device, these data packets are likely to pass through a number of switches. If Alice is connected to a large corporate network, the packets' last stop before the destination device is probably a network switch. The switch inspects the packet headers, matches the destination IP address to Alice's computer's MAC address, and sends the packets to that MAC address. This last step is necessary because when Alice requested this webpage from the Cloudflare origin server, the Cloudflare server did not know her MAC address — only her IP address.
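The break-into-packets and reassemble steps described above, as an added Python example that is not from the article: a payload is cut into fixed-size chunks, each carrying a minimal header (source and destination IP address, an identifier for the message, a sequence number and the chunk count), and the receiver rebuilds the original bytes even when the packets arrive in a different order from the one they were sent in. The header fields and the eight-byte payload limit are simplified stand-ins for a real IP header and MTU, and the addresses are constructed.

```python
"""Added example: splitting data into packets and reassembling it at the receiver.
Not the article's code; the header is a simplified stand-in for a real IP header."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str      # return address
    dst_ip: str      # destination address
    ident: int       # which message this packet belongs to
    seq: int         # position of this chunk within the message
    total: int       # number of chunks that make up the whole message
    payload: bytes


def packetize(data: bytes, src_ip: str, dst_ip: str, ident: int,
              max_payload: int = 8) -> List[Packet]:
    """Cut data into packets carrying at most max_payload bytes, each with its own header."""
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)] or [b""]
    return [Packet(src_ip, dst_ip, ident, seq, len(chunks), chunk)
            for seq, chunk in enumerate(chunks)]


class Reassembler:
    """Receiver side: buffer packets per (src, dst, ident) until every chunk is present."""

    def __init__(self) -> None:
        self.buffers: Dict[Tuple[str, str, int], Dict[int, bytes]] = {}

    def add(self, pkt: Packet) -> Optional[bytes]:
        """Store one packet; return the complete message once the final chunk has arrived."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.ident)
        buf = self.buffers.setdefault(key, {})
        buf[pkt.seq] = pkt.payload       # a duplicate simply overwrites the same slot
        if len(buf) < pkt.total:
            return None
        del self.buffers[key]
        return b"".join(buf[seq] for seq in range(pkt.total))


def deliver_out_of_order(data: bytes, seed: int = 0) -> Optional[bytes]:
    """Packetize, shuffle (the network gives no ordering guarantee), then reassemble."""
    packets = packetize(data, "198.51.100.7", "192.0.2.55", ident=1)  # constructed addresses
    random.Random(seed).shuffle(packets)
    rx = Reassembler()
    result = None
    for pkt in packets:
        out = rx.add(pkt)
        if out is not None:
            result = out
    return result


if __name__ == "__main__":
    page = b"Hello, Alice! This is the article."
    print(len(packetize(page, "198.51.100.7", "192.0.2.55", ident=1)), "packets")
    print(deliver_out_of_order(page) == page)
```

Because every packet carries its own destination address and sequence number, each one can be forwarded independently by the routers and switches along the way, and the receiver does not need them to arrive in order or over the same path.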
How does Cloudflare protect network switches?
Cloudflare Magic Transit protects network infrastructure devices such as switches and routers from DDoS attack traffic that can knock them offline or compromise them. Magic Transit protects on-premises, cloud, and hybrid networks. Learn more about Magic Transit or about layer 3 attacks.