A network switch is a fundamental piece of any network, so it’s critical that you as an IT professional understand the role of a switch in a properly functioning network. And to best understand the difference between Layer 2 switches and Layer 3 switches, you also need to know the difference between Layer 2 and Layer 3 in the OSI networking model.
Layer 2 vs Layer 3 switches
The OSI networking model defines a number of network “layers.” (Getting into each layer is beyond the scope of this article but our Network Management in a Nutshell blog post has a good recap if you want to brush up.)
Layer 2 of the OSI model is known as the data link layer. The Layer 2 protocol you’re likely most familiar with is Ethernet. Devices in an Ethernet network are identified by a MAC (media access control) address, which is generally hardcoded to a particular device and doesn’t normally change.
Layer 3 is the network layer and its protocol is the Internet Protocol or IP. Devices in an IP network are identified by an IP address, which can be dynamically assigned and may change over time. Traditionally, the network device most associated with Layer 3 has been the router, which allows you to connect devices to different IP networks.
Network switches defined
Switches are one of the traffic directors on the network, and traditionally operate at Layer 2. They connect multiple devices in a LAN while shrinking the collision domain, because each switch port is its own segment and a frame is switched only to the port where its destination lives. By inspecting frame headers, a switch builds up a table of MAC addresses and the physical ports they were seen on, and uses that table to make intelligent decisions on where to direct future frames.
Then, when a frame arrives at the switch, the switch reads the destination MAC address from the header, consults the table of MAC addresses and their corresponding physical ports, and decides which physical port to send the frame out of. If the destination MAC isn't in the table yet, the switch floods the frame to every other port in that network so the destination can answer and be learned.
Switches can get a bit more complicated when you introduce VLANs (virtual LANs). VLANs allow you to carve off components of one physical device into different networks, essentially separating one network of physically connected devices into multiple logical networks that can’t directly communicate with one another. VLANs support one of the tenets of good network design: network segmentation.
There’s a bit more to how a switch works, but that should cover the basics.
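To make the learning and forwarding behaviour above concrete, here is a small simulated switch. This is an added example written for this article, not Auvik's code or any vendor's implementation; the `L2Switch` class, its port-to-VLAN map and the MAC addresses are all constructed for illustration. The forwarding table is keyed by (VLAN, MAC), which is what makes the segmentation point in the next paragraph hold at Layer 2: a host in one VLAN is never learned or reached from another VLAN, even on the same physical switch.

```python
class L2Switch:
    """Simulated Layer 2 switch with access ports, VLAN-scoped MAC learning,
    and flood-or-forward decisions. Constructed example, not real switch code."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, port_vlans):
        # port_vlans: {port_number: vlan_id}; every port is an access port in one VLAN
        self.port_vlans = dict(port_vlans)
        # forwarding table: (vlan_id, mac) -> port the MAC was last seen on
        self.mac_table = {}

    def ports_in_vlan(self, vlan, exclude=None):
        """All ports in a VLAN, optionally minus the ingress port (for flooding)."""
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != exclude)

    def receive(self, ingress_port, src_mac, dst_mac):
        """Process one frame; return the sorted list of egress ports it goes out of."""
        vlan = self.port_vlans[ingress_port]
        src, dst = src_mac.lower(), dst_mac.lower()

        # Learning: the sender is reachable via the ingress port, within this VLAN only
        self.mac_table[(vlan, src)] = ingress_port

        # Broadcast is flooded to every other port in the same VLAN, never across VLANs
        if dst == self.BROADCAST:
            return self.ports_in_vlan(vlan, exclude=ingress_port)

        egress = self.mac_table.get((vlan, dst))
        if egress is None:
            # Unknown unicast: flood within the VLAN so the destination can reply and be learned
            return self.ports_in_vlan(vlan, exclude=ingress_port)
        if egress == ingress_port:
            # Destination sits behind the same port as the sender: nothing to forward
            return []
        return [egress]


def demo():
    """Walk through the learning sequence; returns the egress ports chosen at each step."""
    # Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20
    sw = L2Switch({1: 10, 2: 10, 3: 20, 4: 20})
    host_a, host_b, host_c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "bb:bb:bb:00:00:03"
    steps = [
        sw.receive(1, host_a, host_b),          # B unknown: flooded to port 2 only
        sw.receive(2, host_b, host_a),          # A already learned: sent straight to port 1
        sw.receive(1, host_a, host_b),          # B now learned: port 2, no flooding
        sw.receive(3, host_c, host_a),          # VLAN 20 cannot see A: flooded to port 4 only
        sw.receive(1, host_a, L2Switch.BROADCAST),  # broadcast stays inside VLAN 10
    ]
    return steps, sw.mac_table


if __name__ == "__main__":
    for i, ports in enumerate(demo()[0], 1):
        print(f"step {i}: egress ports {ports}")
```

Running `demo()` shows the table filling in as hosts talk: the first frame to an unknown destination is flooded, the reply is delivered directly, and a frame from the VLAN 20 host never leaves VLAN 20 even though it names a VLAN 10 MAC address.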
Bringing it all together
For two devices to communicate across a typical business or home network, they need to have both an IP address, associated with Layer 3 (the IP layer), and a MAC address, associated with Layer 2 (the Ethernet layer).
In legacy networks, built before there were smart switches capable of supporting VLANs, the only way for two devices on separate Layer 2 Ethernet networks to communicate was to route traffic between those two networks. The routing was done by a Layer 3 device called… a router.
As network technologies progressed and VLANs were introduced, managed switches gained the ability to connect two devices on separate Ethernet networks. While this reduced the need to have different physical switches for each Ethernet network, devices connected to two separate VLANs still needed to communicate through a Layer 3 device, which in most networks was a router.
Then came the Layer 3 switch. This device operates at both Layer 2 and Layer 3, allowing devices connected to different VLANs to communicate with one another without going through a dedicated router.
It’s important to note the traffic is still being routed, as this is the terminology we use to describe information transferred between networks at Layer 3. The routing is simply being done by the switch instead of a dedicated router.
So does this mean that all Layer 3 switches do routing? Not exactly.
Just because a device is Layer 3-capable, doesn’t necessarily mean the device is performing routing. As a network administrator, you need to configure the device to route traffic between VLANs if that’s what you want. You can have a Layer 3-capable switch operating in Layer 2-only mode.
With the functionality of most managed switches today, having your switch act as a Layer 3 device is an option on all but the most entry-level switches.
So what happens when a Layer 3 switch receives a packet from an end device? The switch inspects the packet header, and if the packet is destined for another VLAN, the Layer 3 switch “elevates” the packet to the routing layer. A routing decision is then made at Layer 3 on which VLAN the packet should be sent into, and the switch consults the MAC address forwarding table for that VLAN to decide which port to send the outgoing packet on.
And there you have it: a switch that makes routing decisions on traffic and therefore operates at Layer 3.
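The decision sequence just described (same subnet means plain Layer 2 forwarding, a different VLAN means the packet is elevated to Layer 3 and routed, and a Layer 3-capable switch left in Layer 2-only mode never looks at the IP header at all) can be modelled in a few dozen lines. This is an added example, not Auvik's code or a real switch's forwarding logic: the two VLAN interfaces, the default route to an upstream firewall, the `forward` and `lookup_route` functions and the permitted-traffic list are all constructed for illustration. It also shows the access-control point raised later in the article: once the switch is the Layer 3 hop between VLANs, it is also the natural place to enforce which inter-VLAN traffic is allowed, and anything not explicitly permitted is dropped.

```python
import ipaddress

# Constructed topology: the VLAN interfaces (SVIs) this Layer 3 switch routes between
SVIS = {
    10: ipaddress.ip_network("10.0.10.0/24"),   # user VLAN
    20: ipaddress.ip_network("10.0.20.0/24"),   # server VLAN
}

# Routing table: the connected subnets plus a default route to an upstream firewall.
# The next hop is a VLAN id for connected networks, or "firewall" for everything else.
ROUTES = [(net, vlan) for vlan, net in SVIS.items()] + [
    (ipaddress.ip_network("0.0.0.0/0"), "firewall"),
]

# Constructed inter-VLAN policy: (src_vlan, dst_vlan, proto, dst_port) that are permitted.
# Everything else between VLANs is denied, the usual default for a segmented network.
PERMITTED = {
    (10, 20, "tcp", 443),   # users may reach servers over HTTPS only
}


def lookup_route(dst_ip):
    """Longest-prefix match over ROUTES; returns the next hop, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, next_hop in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(src_vlan, dst_ip, proto, dst_port, routing_enabled=True):
    """Decide what the switch does with an IP packet that arrived on src_vlan.

    Returns ("bridge", vlan) for Layer 2 forwarding inside a VLAN,
    ("route", next_hop) when the packet is elevated to Layer 3 and routed,
    or ("drop", reason) when it is discarded."""
    if not routing_enabled:
        # Layer 2-only mode: the IP header is never examined. The host has already
        # addressed the frame to its default gateway's MAC, so it is simply bridged
        # within the source VLAN toward whatever device holds that MAC.
        return ("bridge", src_vlan)

    dst = ipaddress.ip_address(dst_ip)
    if dst in SVIS[src_vlan]:
        # Same subnet: no routing involved, plain Layer 2 forwarding in the VLAN
        return ("bridge", src_vlan)

    # Off-subnet: the packet is "elevated" to the routing layer
    next_hop = lookup_route(dst_ip)
    if next_hop is None:
        return ("drop", "no route")
    if next_hop == "firewall":
        # Not a local VLAN (remote office, internet): hand off to the upstream Layer 3 device
        return ("route", "firewall")

    # Inter-VLAN traffic: the switch is now the control point between the two networks
    if (src_vlan, next_hop, proto, dst_port) in PERMITTED:
        return ("route", next_hop)
    return ("drop", "inter-vlan acl")


if __name__ == "__main__":
    for args in [(10, "10.0.10.5", "tcp", 443), (10, "10.0.20.5", "tcp", 443),
                 (10, "10.0.20.5", "tcp", 22), (20, "10.0.10.5", "tcp", 443),
                 (10, "203.0.113.7", "tcp", 443)]:
        print(args, "->", forward(*args))
```

Note the asymmetry in the sample policy: users may open HTTPS to the server VLAN, but a server initiating a connection toward the user VLAN is dropped. That is the kind of rule the "security policy" bullet in the next section is asking about, and it is only enforceable once the inter-VLAN hop is on a device you control, whether that is a Layer 3 switch or a firewall.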
When should you use Layer 3 switches?
The recommendation on whether to use a switch at Layer 2 or Layer 3 depends in part on the size, complexity, and security requirements of the network you’re managing.
When designing your network topology, consider some of the following points:
- Is more than one VLAN required for the network? Layer 3 switches are useful when you have more than one VLAN needing to communicate with one another.
- Does your network consist of dozens, hundreds, or thousands of users? As the size of your network grows, you’ll need more than one switch to physically connect all of the users. In this case, you may find you need a mix of Layer 2 switches and a Layer 3 device (switch, dedicated router, or firewall) to perform the Layer 3 functions.
- Does your security policy require putting access control rules between devices on different networks, or doing deep packet inspection on traffic between networks? If so, having a firewall perform the Layer 3 function may be better suited.
- How do you plan on managing your network infrastructure? With the introduction of Layer 3 switches, it may be possible to reduce the number of network devices on your network, which may simplify some of the device management, including things like patching and policy updates.
Pros and cons of Layer 3 switches
Why would you choose to use a Layer 3 switch? What are the pros and cons?
- In most cases, introducing a Layer 3 switch reduces the number of network devices you need to monitor, manage, and maintain.
- You reduce or eliminate the need for dedicated routers in your network by pushing the Layer 3 function to either the firewall or the Layer 3 switch.
- While Layer 3 switches are typically competitively priced, if your budget is limited you may not have a lot of choice when looking for Layer 3-capable switches.
- If the size of your network is relatively small, adding a Layer 3 switch may increase complexity without providing much in the way of additional benefits.
What about Layer 3 routers?
With all this talk about Layer 3 switches, are dedicated routers a thing of the past? In most small to midsize networks, a dedicated router for intra-office communication is no longer required.
For example, if you put your users on a separate VLAN from your network infrastructure like servers, then the routing of traffic between the users and the server can be done on either a Layer 3 switch or a firewall. No need for a dedicated router.
But routers do still have an important role to play in many business networks, especially for communication outside of the local network. Connecting to remote offices or the internet requires connecting to a non-Ethernet network, like the one provided by your ISP, and this is where routers shine. Routers are also common in larger enterprise networks, where they are often still dedicated devices.
Looking for visibility into how your network is connected, configured, and performing? With Auvik, you can get visibility into the traffic crossing your network, so you can make data-based decisions to bring your organization’s network into 2021 and beyond. Get your free 14-day Auvik trial.
Thanks Steve. That’s a very well summed up article.
It’s a really good article to understand the basic difference between the two. But my question is, most of the Layer 2 managed switches support VLANs and different subnets, so do we still need Layer 3 switches for the communication between these different networks/subnetworks?
How do you calculate bandwidth for each user on a 1Gb link between the access layer and the distribution layer?