So far, we’ve looked at how individual hosts communicate using IP addresses and interfaces. But real networks consist of dozens, hundreds, or thousands of devices connected through switches and routers — purpose-built hardware (and software) that directs traffic at Layer 2 and Layer 3 respectively.
This chapter explains how these devices work, how VLANs segment networks logically, and how routing protocols allow networks to discover paths automatically.
A network switch operates at Layer 2 (Data Link). It connects multiple devices on the same network and forwards frames based on MAC addresses. Unlike a hub (which blindly broadcasts every frame to all ports), a switch learns which MAC addresses are reachable on which ports and sends frames only where they need to go.
A switch maintains a MAC address table (also called a CAM table):
| MAC Address | Port | VLAN |
|---|---|---|
| aa:bb:cc:dd:ee:01 | Port 1 | 10 |
| aa:bb:cc:dd:ee:02 | Port 3 | 10 |
| aa:bb:cc:dd:ee:03 | Port 5 | 20 |
When a frame arrives on a port, the switch first records the frame's source MAC address against that port and VLAN (this is how the table is learned), then decides where to send it:
- Destination MAC known in this VLAN → forward out of that one port only
- Destination MAC unknown in this VLAN → flood to every other port in the VLAN (unknown unicast)
- ff:ff:ff:ff:ff:ff → forward to all ports in the VLAN (broadcast)
Entries age out after a few minutes of silence, and the table is finite. A host that sprays frames with thousands of bogus source addresses can fill it (MAC flooding); once the switch can no longer learn new addresses, traffic to the hosts it failed to learn is flooded to every port in the VLAN, including the attacker's. Port security, which caps the number of MAC addresses learned per port, is the usual countermeasure.

When switches are interconnected with redundant links (for fault tolerance), loops can form: a single broadcast is re-flooded around the loop forever, a broadcast storm that brings down the network. Spanning Tree Protocol (STP) prevents this by electing a root switch and blocking redundant paths, creating a loop-free tree topology.
```text
        [Switch A]  ← Root
         /      \
  [Switch B]   [Switch C]
         \      /
        [Switch D]  ← One link blocked by STP
```
Modern networks use Rapid STP (RSTP) or Multiple STP (MSTP) for faster convergence. Because any device that sends STP messages (BPDUs) takes part in the root election, access ports facing end hosts are normally configured with BPDU guard, so that a rogue switch plugged into a user port cannot claim the root role and pull the network's traffic through itself.
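The learn/forward/flood rules above, and the MAC-flooding failure mode, are easier to see in a small model than in prose. The following is an added example, not code from the original page: a toy learning switch with a per-VLAN MAC table of bounded size. The port-to-VLAN assignments, the MAC addresses and the tiny table size are assumptions chosen so the overflow is visible.

```python
"""Toy Layer 2 learning switch with a per-VLAN, bounded MAC (CAM) table.

Added example, not from the original page. Ports, addresses and the
CAM size are illustrative assumptions."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # The least-significant bit of the first octet marks a group address;
    # the all-ones broadcast address is the special case of this.
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, port_vlans: dict, cam_size: int = 4096):
        self.port_vlans = port_vlans     # access port number -> VLAN ID
        self.cam_size = cam_size
        self.cam = OrderedDict()         # (vlan, mac) -> port

    def learn(self, vlan: int, mac: str, port: int) -> None:
        if is_multicast(mac):
            return                       # a group address is never a valid source
        key = (vlan, mac)
        if key in self.cam:
            self.cam.move_to_end(key)    # refresh the entry (models ageing)
        elif len(self.cam) >= self.cam_size:
            return                       # table full: the switch simply stops learning
        else:
            self.cam[key] = port

    def forward(self, in_port: int, src: str, dst: str) -> list:
        """Return the list of ports the frame is sent out of."""
        vlan = self.port_vlans[in_port]
        self.learn(vlan, src, in_port)
        if is_multicast(dst) or (vlan, dst) not in self.cam:
            # broadcast/multicast, or unknown unicast: flood within the VLAN only
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        out = self.cam[(vlan, dst)]
        return [] if out == in_port else [out]


def demo_learning():
    sw = Switch({1: 10, 2: 10, 3: 10, 5: 20})
    h1, h2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    first = sw.forward(1, h1, h2)        # h2 unknown: flooded to ports 2 and 3, not to VLAN 20
    reply = sw.forward(2, h2, h1)        # h1 already learned on port 1: delivered there only
    bcast = sw.forward(1, h1, BROADCAST)
    return first, reply, bcast


def demo_mac_flooding():
    # Tiny CAM so the overflow is visible; real tables hold thousands of entries.
    sw = Switch({1: 10, 2: 10, 8: 10}, cam_size=4)
    victim_a, victim_b = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    sw.forward(1, victim_a, BROADCAST)   # victim A is learned on port 1
    # Attacker on port 8 sprays frames with made-up source MACs until the CAM is full.
    for i in range(10):
        sw.forward(8, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    # B (port 2) talks to A: A is known, so this is delivered normally ...
    to_a = sw.forward(2, victim_b, victim_a)
    # ... but B could not be learned, so A's reply is flooded and port 8 hears it.
    to_b = sw.forward(1, victim_a, victim_b)
    return to_a, to_b, len(sw.cam)


if __name__ == "__main__":
    print("normal learning:", demo_learning())
    print("after MAC flooding:", demo_mac_flooding())
```

The second demo is the whole point of port security: with a per-port limit of one or two addresses, the attacker's spray on port 8 is rejected (or shuts the port), the victim on port 2 is learned as usual, and the reply is delivered to port 2 alone.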
By default, all ports on a switch belong to the same broadcast domain — every broadcast frame reaches every device. In large networks this creates noise, and it is a security problem: every host sees every ARP request and can reach every other host directly at Layer 2, so one compromised machine can sniff, spoof and scan the entire segment. VLANs (Virtual LANs) address this by partitioning a physical switch into multiple logical networks.
Each VLAN is identified by a VLAN ID (1–4094). Ports are assigned to VLANs, and traffic is isolated between them:
```text
Switch with VLANs:
┌────────────────────────────────┐
│ VLAN 10 (Office)               │
│ Ports: 1, 2, 3, 4              │
├────────────────────────────────┤
│ VLAN 20 (Servers)              │
│ Ports: 5, 6, 7                 │
├────────────────────────────────┤
│ VLAN 30 (Guest Wi-Fi)          │
│ Ports: 8, 9                    │
└────────────────────────────────┘
```
A device on VLAN 10 cannot communicate with a device on VLAN 20 without a router (or Layer 3 switch) to bridge the VLANs.
When VLANs span multiple switches, traffic between switches must be tagged to indicate which VLAN each frame belongs to. This is done using 802.1Q tagging, which inserts a 4-byte VLAN tag into the Ethernet header directly after the source MAC address: a 2-byte type field of 0x8100, then 3 bits of priority, 1 drop-eligible bit and the 12-bit VLAN ID. A switch-to-switch link carrying several VLANs this way is a trunk. Two practical rules: frames on a trunk's native VLAN travel untagged, so the native VLAN should be an otherwise unused one; and ports facing end hosts should be fixed as access ports with trunk negotiation disabled. Otherwise a host can negotiate itself a trunk, or craft double-tagged frames, and inject traffic into VLANs it was never assigned to (VLAN hopping).
```text
[Switch A]──trunk──[Switch B]
 VLAN 10,20         VLAN 10,20
```
Linux can handle 802.1Q VLAN tagging natively:
```bash
# Create a VLAN interface (VLAN 10 on eth0)
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 192.168.10.1/24 dev eth0.10
sudo ip link set eth0.10 up
# Verify (the /proc file exists once the 8021q module is loaded)
cat /proc/net/vlan/eth0.10
ip -d link show eth0.10
```
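To make the tag layout concrete, here is an added example (not code from the original page) that builds and parses 802.1Q-tagged frames in pure Python, including the double-tagged (802.1ad/QinQ) form that VLAN-hopping attacks rely on. The MAC addresses and payload are constructed for the demo; the field offsets and type values come from the standard.

```python
"""Build and parse 802.1Q-tagged Ethernet frames.

Added example, not from the original page. Frame layout:
  dst MAC (6) | src MAC (6) | [TPID (2) | TCI (2)]* | EtherType (2) | payload
TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
Addresses and payload below are constructed test data."""
import struct

TPID_8021Q = 0x8100      # customer (inner) tag
TPID_8021AD = 0x88A8     # service (outer) tag used for QinQ / 802.1ad
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, payload, vlans=(), pcp=0, ethertype=ETHERTYPE_IPV4):
    """vlans: VLAN IDs outermost first; an empty tuple builds an untagged frame."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for i, vid in enumerate(vlans):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside the usable range 1-4094")
        # A double-tagged frame carries an 802.1ad outer tag and an 802.1Q inner tag.
        tpid = TPID_8021AD if (len(vlans) > 1 and i == 0) else TPID_8021Q
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the tag stack (outermost first), the EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break                          # not a tag: this is the real EtherType
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def demo():
    payload = b"\x45\x00\x00\x14" + b"\x00" * 16    # constructed stand-in for an IPv4 header
    dst, src = "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01"
    untagged = build_frame(dst, src, payload)
    tagged = build_frame(dst, src, payload, vlans=(10,), pcp=5)
    qinq = build_frame(dst, src, payload, vlans=(100, 20))
    return untagged, tagged, qinq


if __name__ == "__main__":
    for name, frame in zip(("untagged", "tagged", "qinq"), demo()):
        p = parse_frame(frame)
        print(f"{name:9} len={len(frame):3} tags={[t['vid'] for t in p['tags']]} "
              f"ethertype=0x{p['ethertype']:04x}")
```

Parsing the double-tagged frame shows why the native VLAN matters: a switch that strips the untagged outer hop on its native VLAN leaves the inner 0x8100 tag in place, and the next switch forwards the frame into that inner VLAN.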
| Feature | Switch (L2) | Router (L3) |
|---|---|---|
| Operates on | MAC addresses | IP addresses |
| Forwards | Frames | Packets |
| Scope | Within a LAN/VLAN | Between networks |
| Broadcast domain | Single (per VLAN) | Separate per interface |
A Layer 3 switch combines both — it can switch at wire speed and route between VLANs (called inter-VLAN routing).
Static routes are manually configured paths. They’re simple and predictable, suitable for small networks:
```bash
# Route traffic for 10.10.0.0/16 through gateway 192.168.1.254
sudo ip route add 10.10.0.0/16 via 192.168.1.254 dev eth0
# Route traffic for 172.16.0.0/12 through a different gateway
sudo ip route add 172.16.0.0/12 via 192.168.1.253 dev eth0
# Show the resulting table
ip route show
```
For every packet the kernel picks the matching route with the longest prefix, so a /24 always beats a /16 that also covers the destination, and the default route (0.0.0.0/0) is used only when nothing else matches. The gateway named in `via` must itself be reachable through a directly connected network, or the command is rejected. Static routing becomes unmanageable in large networks because every route must be manually added and updated when the topology changes.
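The longest-prefix-match rule is worth seeing in code, because it is also why an injected more-specific route silently captures traffic without touching any existing entry. The following is an added example, not code from the original page: a small routing table that applies the page's two static routes. The connected network 192.168.1.0/24, the default route and the extra 10.10.5.0/24 route are assumptions added for illustration.

```python
"""Longest-prefix-match route lookup, modelling what `ip route` installs.

Added example, not from the original page. The connected network, the default
route and the 10.10.5.0/24 route are illustrative assumptions."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []    # list of (network, via, dev); via is None for connected routes

    def add(self, prefix, via=None, dev=None):
        net = ipaddress.ip_network(prefix, strict=True)
        if via is not None:
            gw = ipaddress.ip_address(via)
            # Like the kernel's "Nexthop has invalid gateway" error, refuse a
            # next hop that is not reachable through a directly connected network.
            connected = [(n, d) for n, v, d in self.routes if v is None and gw in n]
            if not connected:
                raise ValueError(f"gateway {via} is not on a connected network")
            dev = dev or connected[0][1]
        self.routes.append((net, via, dev))

    def lookup(self, dst):
        """Return (network, via, dev) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via, dev in self.routes:
            if net.version == addr.version and addr in net:
                # Longer prefix wins; on a tie the first route added wins here
                # (the kernel would compare route metrics instead).
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, via, dev)
        return best


def demo():
    rt = RoutingTable()
    rt.add("192.168.1.0/24", dev="eth0")            # connected network (assumed)
    rt.add("0.0.0.0/0", via="192.168.1.1")          # default route (assumed)
    rt.add("10.10.0.0/16", via="192.168.1.254")     # from the page
    rt.add("172.16.0.0/12", via="192.168.1.253")    # from the page
    rt.add("10.10.5.0/24", via="192.168.1.250")     # more specific than the /16 (assumed)
    out = {}
    for dst in ("10.10.5.7", "10.10.9.1", "172.20.1.1", "192.168.1.20", "8.8.8.8"):
        net, via, dev = rt.lookup(dst)
        out[dst] = f"{net} via {via} dev {dev}" if via else f"{net} dev {dev}"
    return out


if __name__ == "__main__":
    for dst, route in demo().items():
        print(f"{dst:15} -> {route}")
```

Note that 10.10.5.7 goes to 192.168.1.250 even though the page's /16 route also covers it; that is the behaviour a rogue DHCP server or a leaked dynamic route exploits.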
Dynamic routing protocols allow routers to discover and maintain routes automatically by exchanging information with neighboring routers.
Interior gateway protocols are used within an organization (a single autonomous system):
- OSPF (Open Shortest Path First): a link-state protocol. Every router floods its link state so that all routers hold the same map of the area, and each computes shortest paths over interface costs with Dijkstra's algorithm. Fast convergence and good scaling make it the usual enterprise choice.
- RIP (Routing Information Protocol): a distance-vector protocol that measures distance in hop count (15 is the maximum, 16 means unreachable) and periodically advertises its whole table to neighbours. Simple, slow to converge, and mostly legacy today.
Exterior gateway protocols are used between organizations (between autonomous systems):
- BGP (Border Gateway Protocol): a path-vector protocol. Each advertised prefix carries the list of AS numbers it has passed through, and route selection is driven by policy rather than by shortest distance. BGP is the routing protocol of the Internet and is also common inside large data centres.
Linux can function as a router by enabling IP forwarding:
```bash
# Enable IPv4 forwarding (temporary, lost on reboot)
sudo sysctl -w net.ipv4.ip_forward=1
# Enable IPv6 forwarding (temporary)
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Make persistent: add to /etc/sysctl.conf or a file in /etc/sysctl.d/
# net.ipv4.ip_forward = 1
# net.ipv6.conf.all.forwarding = 1
# Check the current setting
sysctl net.ipv4.ip_forward
```
Forwarding applies to every interface on the host, so once it is enabled the box will happily route between any networks it is attached to; pair it with the packet-filtering rules covered in the next chapter.
For dynamic routing on Linux, FRRouting (FRR) is the standard open-source routing suite supporting OSPF, BGP, IS-IS, and more.
To allow communication between VLANs, you need a router or L3 switch. Two common patterns:
Router-on-a-stick: a single router interface connects to a trunk port on the switch. The router creates sub-interfaces, one per VLAN, and routes between them:
```bash
# Create sub-interfaces for each VLAN
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 192.168.10.1/24 dev eth0.10
sudo ip link set eth0.10 up
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip addr add 192.168.20.1/24 dev eth0.20
sudo ip link set eth0.20 up
# Enable forwarding so the Linux box routes between VLANs
sudo sysctl -w net.ipv4.ip_forward=1
```
Layer 3 switch with switched virtual interfaces (SVIs): the switch itself owns an IP interface in each VLAN and routes between them in hardware, without sending traffic out to an external router and back over a single trunk. This is the higher-performance option. In both patterns the device doing the routing is also the only place where access between VLANs can be filtered, so the inter-VLAN policy (an ACL or firewall rule set) belongs there.
The classic enterprise network design:
```text
                  [Core Layer]
                 /      |      \
     [Distribution]          [Distribution]
        /      \               /      \
  [Access]   [Access]     [Access]   [Access]
     |          |            |          |
   Users      Users       Servers     Users
```
Modern data centers use a flatter spine-leaf topology:
```text
    [Spine 1]        [Spine 2]        [Spine 3]
        |   \   \    /   |   \    /   /   |
        |    (every leaf links to every spine)
  [Leaf1]     [Leaf2]     [Leaf3]     [Leaf4]
     |           |           |           |
  Servers     Servers     Servers     Servers
```
Every leaf connects to every spine, so any two servers are at most two hops apart and traffic between them is spread across equal-cost paths (ECMP), giving predictable latency. This is the standard in cloud and hyperscale environments.