The Hardware Hierarchy
Hub vs Switch vs Router
1. The Hub: The Dumb Repeater (Layer 1)
A Hub is a multiport repeater. It has zero intelligence. When a signal arrives on Port 1, the hub simply copies that electrical signal to every other port on the device.
- Collision Domain: One. If two devices talk at once, the signal is destroyed.
- Security: None. Every computer on the hub sees all the data meant for everyone else.
- Modern Use: Almost non-existent, except for legacy industrial systems.
2. The Switch: The Bridge of Learning (Layer 2)
A Switch looks at the MAC Address of the incoming frames. It builds a CAM (Content Addressable Memory) table to remember which device is on which port.
This allows for "Unicast" communication: data is sent only to the port where the destination device is plugged in.
3. The Router: The Gatekeeper (Layer 3)
A Router connects completely different networks together (e.g., your home network to the Internet). It makes decisions based on IP Addresses.
4. Technical Comparison
| Feature | Hub | Switch | Router |
|---|---|---|---|
| Intelligence | None (Repeats) | Low (Learns MACs) | High (Calculates Paths) |
| Transfer Type | Broadcast Only | Unicast / Multicast | Routed / NAT |
| Collision Domain | Shared (1) | Individual (Per Port) | Individual (Per Port) |
5. Collision vs Broadcast Domains
To truly master these devices, you must understand the two types of "Traffic Borders":
- Collision Domain: Hubs group all ports into one collision domain. Switches split them into individual domains (Full Duplex).
- Broadcast Domain: Switches group all ports into one broadcast domain (unless using VLANs). Routers split them into separate domains.
6. The Layer 3 Switch: The Modern Hybrid
In a modern data center, we don't use traditional routers for local traffic. We use Layer 3 Switches. These devices have specialized hardware (ASICs) that allow them to route between IP subnets at massive speeds, far faster than a traditional software-based router could manage.
7. The ASIC Revolution: How Modern Switches Achieve Wire-Speed Forwarding
The performance chasm between an old hub and a modern switch is not merely a function of CPU clock speed. It is the result of a fundamental architectural shift to Application-Specific Integrated Circuits (ASICs). Unlike a general-purpose CPU, which fetches instructions from memory, decodes them, and executes them sequentially, an ASIC implements the entire forwarding pipeline directly in silicon gates. A Layer 2 ASIC can perform MAC address lookup, VLAN classification, and egress port selection in a single clock cycle.
The Ternary Content-Addressable Memory (TCAM) at the Core
The heart of any switch ASIC is the TCAM (Ternary Content-Addressable Memory). Unlike standard RAM where the CPU provides an address and retrieves data, TCAM takes data as input and returns the address where that data resides — a "reverse lookup." This enables a switch to evaluate an incoming frame against all entries in the forwarding table in a single operation, regardless of table size. The "Ternary" refers to the ability to store values of 0, 1, or X (don't-care), which is essential for matching VLAN IDs and MAC addresses with wildcard bits.
The performance equation for a switch ASIC is determined by its Packets Per Second (PPS) throughput, which is a function of the forwarding pipeline depth and the TCAM access latency:
For a modern switch ASIC clocked at 1 GHz with a three-stage pipeline consuming 6 clock cycles total, the theoretical maximum is approximately — enough to saturate 48 ports of 10 Gbps line-rate Ethernet (each at roughly 14.88 Mpps for minimum-sized 64-byte frames). Hubs, which have no lookup pipeline, achieve far less because they must rely on the electrical propagation delay of the medium rather than deterministic gate-level switching.
The Cut-Through vs Store-and-Forward Latency Trade-off
A switch must decide when to begin transmitting a frame. Store-and-Forward switches buffer the entire frame into internal memory, verify the Frame Check Sequence (CRC-32), and only then forward the frame. This guarantees that corrupt or runt frames are never propagated, but it introduces a latency equal to the full frame serialization time. For a 1500-byte frame on a 1 Gbps link, that delay is:
Cut-Through switching begins forwarding the frame as soon as the destination MAC address (the first 6 bytes after the preamble and SFD) has been received. This reduces switching latency to approximately for 10 Gbps links — roughly half the store-and-forward latency. However, cut-through propagates corrupt frames because the FCS is not checked before forwarding. Modern switches mitigate this with Cut-Through with CRC Snoop, which forwards the frame immediately but flags it as potentially corrupt if the trailing FCS verification fails.
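The difference in what each mode lets through can be shown on a real FCS. The sketch below is an added example, not code from any switch vendor: the frame contents, the function names and the "forward+flag" label are assumptions, and the wait figures count only the bytes that must be received before forwarding can start (no lookup or queuing time).

```python
import struct
import zlib

DST_MAC_LEN = 6  # cut-through decides after the destination MAC


def with_fcs(body: bytes) -> bytes:
    """Append the Ethernet FCS: CRC-32 of the frame, low byte first."""
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame: bytes) -> bool:
    """Recompute CRC-32 over everything but the trailing 4 FCS bytes."""
    return len(frame) > 4 and struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def serialization_ns(nbytes: int, link_bps: int) -> int:
    """Time to clock nbytes off a link, in nanoseconds."""
    return nbytes * 8 * 1_000_000_000 // link_bps


def store_and_forward(frame: bytes, link_bps: int):
    # The whole frame is buffered, so the FCS is known before any byte leaves.
    wait = serialization_ns(len(frame), link_bps)
    return ("forward" if fcs_ok(frame) else "drop", wait)


def cut_through_snoop(frame: bytes, link_bps: int):
    # Forwarding starts after the destination MAC. The FCS arrives last, so a
    # corrupt frame has already left and can only be flagged and counted.
    wait = serialization_ns(DST_MAC_LEN, link_bps)
    return ("forward" if fcs_ok(frame) else "forward+flag", wait)


# Constructed frame: dst MAC, src MAC, EtherType 0x0800, zero payload.
# 1496 bytes + 4-byte FCS = 1500 bytes, matching the frame size used above.
BODY = bytes.fromhex("02000000000b" "02000000000a" "0800") + bytes(1482)
GOOD = with_fcs(BODY)
BAD = GOOD[:100] + bytes([GOOD[100] ^ 0x01]) + GOOD[101:]  # one bit flipped

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("bad", BAD)):
        print(name, store_and_forward(frame, 10**9), cut_through_snoop(frame, 10**9))
```

On a cut-through fabric the flag is the only trace a corrupt frame leaves at that hop, so the corresponding error counters are worth monitoring.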
8. Routing Engine Architecture: The Control-Plane/Data-Plane Separation
A router's architecture is fundamentally different from a switch's. While a switch ASIC handles the data plane entirely in hardware, a router's Route Processor (RP) — typically a general-purpose CPU running a network operating system — is responsible for the control plane. The routing table calculated by the RP is downloaded to the Forwarding Engine (FE), which is implemented as a Network Processor (NPU) or an ASIC with integrated TCAM.
Punt and Inject Pathfinding
When a forwarding ASIC encounters a packet that it cannot switch in hardware (e.g., an IP packet with IP options, a TTL-expired packet, or an IPv6 packet with extension headers), it punts the packet to the control-plane CPU. The CPU processes the exceptional case and, in some architectures, installs an accelerated path entry in the hardware so subsequent packets in the same flow bypass the CPU. This "fast path vs slow path" model is the single most important performance concept in router engineering.
The punt rate is constrained by the CoPP (Control-Plane Policing) mechanism, which imposes a rate limit on packets destined for the RP:
If the punt rate exceeds the policer threshold, excess packets are dropped at the hardware level before they reach the CPU, protecting the control plane from denial-of-service. This is distinct from hub behavior, where every packet indiscriminately consumes all available bandwidth and CPU resources.
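The policing behavior described above can be modelled as a token bucket. This is an added example, not taken from any vendor implementation: the token-bucket model, the 100 pps rate, the 10-packet burst and the evenly spaced arrival pattern are all assumptions chosen to show that the load reaching the CPU stays bounded however large the offered punt rate becomes.

```python
MICRO = 1_000_000  # time is in microseconds; one packet costs MICRO micro-tokens


class PuntPolicer:
    """Token bucket in integer arithmetic (assumed model of a CoPP policer)."""

    def __init__(self, rate_pps, burst_pkts):
        self.rate = rate_pps
        self.depth = burst_pkts * MICRO
        self.tokens = self.depth  # bucket starts full
        self.last_us = 0

    def allow(self, now_us):
        # elapsed microseconds * packets/second = micro-tokens earned
        earned = (now_us - self.last_us) * self.rate
        self.tokens = min(self.depth, self.tokens + earned)
        self.last_us = now_us
        if self.tokens >= MICRO:
            self.tokens -= MICRO
            return True   # punted to the route processor
        return False      # dropped in hardware, never reaches the CPU


def police(arrivals_us, rate_pps=100, burst_pkts=10):
    """Return (punted, dropped) for a sorted list of arrival times."""
    policer = PuntPolicer(rate_pps, burst_pkts)
    punted = sum(1 for t in arrivals_us if policer.allow(t))
    return punted, len(arrivals_us) - punted


def one_second_at(pps):
    """Constructed load: pps evenly spaced punt candidates over one second."""
    gap_us = MICRO // pps
    return [i * gap_us for i in range(pps)]


if __name__ == "__main__":
    for offered in (50, 10_000, 100_000):
        punted, dropped = police(one_second_at(offered))
        print(f"offered {offered:>7} pps -> punted {punted}, dropped {dropped}")
```

A tenfold increase in offered load changes only the drop count; the route processor sees the same number of packets.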
The Multi-Layer Switch: Blurring the Lines
Modern Multi-Layer Switches (MLS) combine the ASIC data plane of a switch with the routing intelligence of a router. The key innovation is hardware-based CEF (Cisco Express Forwarding) or equivalent FIB (Forwarding Information Base) programming. The MLS pre-loads the ASIC with both Layer 2 MAC entries and Layer 3 prefix entries. When a packet arrives, the ASIC performs a unified lookup: if the destination MAC is local, the L2 lookup wins; if the destination is on a different subnet, the L3 FIB lookup provides the next-hop MAC and egress interface — all in a single hardware pass. This achieves routing at wire-speed, matching the latency and throughput of a pure Layer 2 switch.
Conclusion: Choosing the Right Tool
Choosing between a Hub, Switch, and Router is no longer a matter of cost—it is a matter of architecture. Hubs are a relic of the past, useful only for specific sniffing tasks. Switches are the heartbeat of our local networks, providing dedicated lanes for our data. Routers are the brains of our global infrastructure, navigating millions of possible paths to find the right destination.
Frequently Asked Questions
Can I use a Router as a Switch?
Most consumer routers have a built-in 4-port switch. If you disable the DHCP server and ignore the WAN port, you can technically use it as a standard switch.
Is an 'Unmanaged Switch' basically a Hub?
No. Even the cheapest unmanaged switch still learns MAC addresses and prevents collisions. A Hub is physically incapable of distinguishing between ports.
What is 'Flooding'?
When a Switch receives a frame for a MAC address it hasn't learned yet, it "floods" the frame out of every port except the one it came in on. Once the target device replies, the switch "learns" its position and stops flooding.