We often think of the internet as a web of connected nodes which stretches across the globe, but that’s not how network engineers see things. In their world, the internet is more like a pyramid (or “stack”) than a web – with seven different network layers one on top of the other. Each of these network layers refers to a vital part of the system, but the base is the most critical. As you rise up the pyramid, you can remove the layer above without compromising the network as a whole. However, removing the base layers would cause the web to collapse.

In this article, we aren’t really going to be concerned with each of those layers. In fact, we are mainly interested in layers 2 and 3. Why? Because engineers talk about two types of network – Layer 2 network architectures and L3 architectures. Each have their own features, and they are extremely relevant to the online security, so if we want to understand how to stay private and safe online, we need to know about them.

Introducing network layers

However, before we tackle layers 2 and 3, it’s important to visualize how the stack as a whole functions, so here’s a quick summary:

1. The Physical Layer – Which includes the cables and wireless transmission architecture required to actually transmit electronic signals across the internet.

2. The Data-Link Layer – The infrastructure which allows signals to be transmitted between devices, including the “media access control layer” (MAC) and standards like wireless ethernet.

3. The Network Layer – Involves routing information across network infrastructure, which is generally referred to as the “IP” layer when talking about the web.

4. The Transport Layer – Involves turning raw data into packets that can be moved around the web, as well as authentication procedures (via protocols like TCP).

5. The Session Layer – Involves bringing devices together on the web to exchange packets, along with systems to authenticate those devices and to maintain sessions if interruptions occur.

6. The Presentation Layer – Where the data sent between devices is turned into usable information via tools like web browsers, as well as being encrypted to send over the web.

7. The Application Layer – The layer most of us think of as the internet itself. This involves systems to allow browsers to operate, such as opening network capacity and ensuring that applications can talk to each other.

What you need to know about network Layer 2

First, a quick definition: Layer 2 network switches work on OSI Layer 2 (see above) and control the transport of frames around a specific network. They are also commonly referred to a multiport bridges, as opposed to routers.

Layer 2 network systems deal with MAC addresses. These “media access control” addresses are assigned to all devices on wifi or ethernet networks. Each MAC address is unique to the device concerned. Or, to be more specific, each Network Interface Controller (NIC) must have a unique MAC address to allow networks to function.

Typically, a MAC address will take the form of a code featuring six sets with two digits. So, an example could be something like this: 34-25-AB-65-1B-C8-E9. This is a global standard, laid down by the IEEE (Institute of Electrical and Electronic Engineers), and applies to every NIC manufactured anywhere in the world.

Generally speaking, Layer 2 networks involve Wide Area Networks (WAN) or Local Area Networks (LAN). They work by creating what are called “frames”, which act like digital parcels, carrying packets of data across the network. When packaged as frames, this data can be authenticated, ensuring that it travels from A to B as planned.

When data passes through a Layer 2 network, it is forwarded by a Layer 2 switch. This can “broadcast” frames extremely quickly to all MAC addresses registered on the Layer 2 switch, providing rapid networking for offices, universities or organizations like hospitals. But it also means that Layer 2 networks can become heavily congested, potentially limiting their size.

What you need to know about network Layer 3

Now, a quick definition of a Layer 3 switch: These switches govern the transmission of packets via IP addresses (Layer 3 information), enabling managers to inspect data on a packet-by-packet basis.

Layer 3 networking is a little bit different, and overlays Layer 2. So it’s not really a case of counterposing Layer 2 vs Layer 3. The two function together. Without Layer 2, there would be no chance of creating wider networks via L3.

The third stack layer works on the basis of IP addresses, not MAC addresses. This is what allows devices to communicate with computers outside their home networks, via the World Wide Web. Instead of frames, Layer 3 deals exclusively with packets, which are transported via path determination and logical addressing.

This means that information entering and passing through L3 networks is not broadcast to all devices on the network as with Layer 2 networks. Instead, it can be precisely transported to specific IP addresses. In theory, this means that Layer 3 switch based networks can be extended and sub-divided much more extensively, because problems of congestion are avoided.

You can construct networks based on either Layer 2 or Layer 3 technology, which is party why this discussion is so important. So which is better, a Layer 2 network or one based on Layer 3 switch technologies?

Comparing Layer 2 vs Layer 3: Which network to choose?

As we noted earlier, in many cases, networks feature both L2 and L3 technologies, but there may also be a need to choose, and here’s why. The way information is transmitted across both types of network gives them unique advantages and drawbacks which condition their relevance for network architects. So let’s consider their pros and cons:

Layer 2

The PROS of using a Layer 2 network:

    • Layer 2 networking tends to be cheaper to set up, and has lower maintenance overheads.
    • Layer 2 networks require no routers, just the right array of network switches. This makes them simpler and easier to understand.
    • Broadcasting data to all MAC addresses can be much faster on LAN and WAN setups, up to a certain point (see below).

The CONS of using a Layer 2 switch:

    • Layer 2 frames cannot be customized as extensively by network managers, excluding options like Voice Over IP.
    • When layer 2 networks become large or busy enough, congestion can result, radically restricting their performance.

Layer 3

The PROS of Layer 3 based networks:

    • Can incorporate packet-by-packet inspection, enabling in depth authentication and security procedures.
    • Data can be channeled directly to specific workstations via IP addresses. This makes Layer 3 switches useful for networks with large numbers of subnets to organize.
    • Can combine Layer 2 switching within LANs and IP-based switching between LANs or the wider internet.

The CONS of using Layer 3:

    • Tend to be significantly more expensive than Layer 2 switches.
    • Can be slower in some cases, and setting up Layer 3 switches for LANs takes more effort and time.

Recapping: how to choose between Layer 2 and Layer 3 networks

As you can see, there are big differences between Layer 2 and Layer 3 switches for organizing network traffic, so which one should you go for? In theory, a Layer 3 bridge with Layer 2 capabilities built-in offers the best solution, providing maximum flexibility about expanding your network and routing traffic to subnets. So that would suit larger companies or organizations.

However, a hybrid network is often more expensive to configure and maintain. For most LANs, a Layer 2 setup is preferred due to its low configuration costs and high speed performance. Many network managers see no need to incorporate Layer 3 technology. Layer 2 setups will do just fine for their needs, with the advantage of not creating interfaces to external networks. Only devices with registered MAC addresses will be connected, making Layer 2 networks more secure.

Additionally, Layer 2 systems suffer very little from latency. Because of their packet inspection processes, this can become an issue with Layer 3 routers and bridges. But as we’ve seen, when networks become too large, the broadcasting features of Layer 2 bridges can be overwhelmed.

The ultimate solution usually represents some form of compromise. If your network needs are modest and expansion is unlikely, then simple Layer 2 solutions will do fine. But if expansion is likely and routing will need to be implemented, the extra functionality of Layer 3 networks will be superior. And if you can afford a technical solution which suits both layers, that’s even better.

Are Layer 2 and Layer 3 networks secure?

Networks are only as secure as the measures put in place to protect them. This means that both Layer 2 and 3 networks need to be properly secured from outside threats, and there are a number of ways to do so.

Firstly, many networks employ VLANs (Virtual Local Area Networks) do shield sensitive data from external connections. That way, you can make financial information or customer data accessible to local users without running the risk of making it accessible to hackers.

Additionally, if remote access is required, managers can implement solutions like RADIUS (the “Remote Authentication Dial-In User Service”). This is essentially an authentication tool for dial-up connections, providing a database of legitimate user profiles in a single storage location. These systems can also restrict administrator access, making it harder for technicians to make damaging changes to the LAN without authorization.

Can switching to Layer 3 make networks more secure?

If network managers require more control over traffic across their systems, it might make sense to shift up the stack to Layer 3-based tools. That’s because at the higher stack level, it’s much easier to monitor packets from individual workstations or even applications. That way, you can set up alerts and tools like firewalls or VPNs to deal with unwanted traffic.

At the upper stack level, networks can also be divided into segments, allowing for even more protection than VLANs. If a router or bridge is compromised on a Layer 3 network, it should be easy to restrict their access to certain devices or subnets, and not the whole network as can be the case with Layer 2 network solutions.

Choosing between Layer 2 vs Layer 3 VPNs

However, there is another essential security tool for both Layer 2 and Layer 3 networks: VPNs. At Layer 3, L3VPNs can provide watertight protection for peer to peer connections, whether they are from remote workers, offices in other parts of the world, or suppliers. L3VPNs can also incorporate IPSec protocols for extra security, something you won’t get with lower level versions.

At the lower stack level, a Layer 2 VPN (L2VPN) can be used to connect together VLANs, which could work well for communicating sensitive information between national offices. As with Layer 2 network solutions in general, Layer 2 VPN tools tend to be a cheaper security option, and can be faster as well. But they lack the flexibility regarding routing and traffic management you get with L3VPN.

Ensure that your network is secure and efficient

To summarize, Layer 2 networks involve bridges which connect devices with MAC addresses, while Layer 3 networks use IP addresses to achieve the same result. Both types of network have their strengths and weaknesses, with Layer 3 winning out on flexibility, and Layer 2 being simpler and cheaper.

Moreover, both network types can benefit from the security provided by specialist VPNs. So if you’re implementing either type, it makes sense to source a VPN at the same time.