L3 or L4 Switch and firewall

[ppaik]

What does an L3 and L4 switch do? I know that either the L3 or L4 is used as a load balancer, but thats all I know.

I read a technical document today that said if you have an L3 switch with ACL, there is no need for a firewall. So now I have no idea what the difference is. Is an L3 switch actually a firewall?

 

[ITJunkie]

no...a layer 3 switch gives you routing capabilities, such as multiple subnets (vlans) on one switch and being able to forward packets between them. ACL's are access lists...they do act like a firewall in that they can block and allow traffic based on ports, ip addresses and whatnot but I don't think they offer all of the functionality that you might get from a full-service firewall. Such as Intrusion Detection and upper OSI layer inspection(?).
Please feel free to correct weaknesses in the above info, though.

 

[spidey07]

that's pretty much it. A L3 switch is at it's core just a switch that can route at layer3 via hardwere that detects the traffic flow and from then on that L3 conversation is hardware switched. It may also have other functionality like access control lists, NAT, DHCP and arp inspection for security and VLAN access control lists, private vlans or port based/802.1x security.

But it is not a full featured firewall, mainly because of stateful inspection and deep packet inspection along with a whole slew of other features designed around firewall functionality. That functionality being to securely manage and log traffic flows and detect attacks as traffic flows between interfaces based on L3 - L7 information.

There is also a L7 switch but that is another topic.

 

[ppaik]

thanks for the info guys and hi again spidey ^^. I think I got it, cause I used to think L3 switches were basically fancy switches that can have multiple vlans behind it.

Can I just ask what other features a firewall would have that an L3 switch wouldn't be able to do?

 

[spidey07]

Statefull inspection
deep packet inspection
redundancy tools wth stateful failover
redirection to virus scubbers/proxies
other security features, too numerous to list - specifically recognizing unusual activity/patterns like IDS/IPS
Software/hardware that is optimized for the task at hand - being a firewall, large NAT/PAT tables, better logging, higher performance
VPNs
SSL VPNs

The list really can go on and on

A switch switches
A firewall, firewalls

They really can't be compared