I often have discussions with people who want to deploy their firewalls in Layer 2 mode. This isn’t a decision to take lightly and needs a lot of careful planning.
Here are my notes both for and against Layer 2 firewalls. Keep in mind that L2 firewalls are most common in data centres, where they are typically retrofitted to add security to an existing network.
In general terms, I would only recommend using L3 firewalls for any new design or new build.
Reasons for Layer 2 Firewalls

| Reason for | Notes |
|---|---|
| No change to existing IP addressing or servers | The most common reason. You have a legacy infrastructure and need to add new firewalls without renumbering anything. |
| Routing protocols can establish adjacencies through the firewall | Passing OSPF neighbours through a firewall is possible but a “bad idea”™. |
| Protocols such as HSRP, VRRP and GLBP can pass | For certain designs and requirements you might even want to do this. |
| Multicast streams can traverse the firewall | A major reason. Most firewalls are “feature incomplete” when it comes to multicast and cause much pain in deployment. |
| Non-IP traffic can be allowed (IPX, MPLS, BPDUs) | There is still legacy traffic (in the data centre especially), and you may be firewalling IP while passing the legacy traffic untouched. |

Reasons against Layer 2 Firewalls

| Reason against | Notes |
|---|---|
| No visibility makes it hard to troubleshoot | Troubleshooting an L3 network is much easier since each hop of the path is known; a bridging firewall does not appear in a traceroute or a routing table. |
| Layer 2 firewalls are hard to detect | This isn’t a good reason. Security by obscurity is false security: if you need to hide your security controls, you have a deficiency in your security process. |
| Can easily insert loops into networks | Strong design and implementation discipline is necessary. A transparent firewall that drops BPDUs hides a redundant path from spanning tree, which is exactly how a loop gets in. |
| Only allows two interfaces, inside and outside (no DMZ interfaces) | An enforced design limitation; the result may be functionally incomplete or need more firewall instances. |
| No dynamic routing protocol support or VPN support | The firewall control plane cannot insert itself into the IP path and so cannot provide many services. |
| Specific design limitations | Most Layer 2 implementations lose a lot of features, often unexpected ones such as QoS, VPN or GRE tunnels. Research the platform very carefully. |
| Dual-homed devices can create L2 path defects | Dual-homed servers using active/standby are OK, but active/active can cause a lot of pain (MLAG can help). |
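Before retrofitting a transparent firewall it helps to know what is actually on the wire besides unicast IP, because BPDUs, IPX, MPLS, routing hellos, FHRP and multicast are exactly the things the rows above say you must consciously pass or block. The following Python script is an added example, not part of the original post: it parses raw Ethernet frames (Ethernet II, 802.1Q-tagged and 802.3/LLC), classifies each one, and reports everything that is not plain unicast IP. The frames in SAMPLE_FRAMES are constructed inline for illustration; in practice you would feed it frames read from a capture (a pcap reader is deliberately not used so that it runs offline).

```python
"""Inventory raw Ethernet frames to see what a transparent (L2) firewall
would have to make a decision about beyond ordinary unicast IP.
Added example; the frames in SAMPLE_FRAMES are constructed here, not captured."""
import struct
from collections import Counter

# IEEE-assigned EtherTypes that matter for this inventory.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
              0x8137: "IPX", 0x8847: "MPLS unicast", 0x8848: "MPLS multicast"}
VLAN_TAG = 0x8100
IP_PROTOS = {2: "IGMP", 89: "OSPF", 112: "VRRP"}
UDP_PORTS = {1985: "HSRP", 3222: "GLBP"}   # FHRPs that ride on UDP to 224.0.0.x


def classify_frame(frame: bytes) -> dict:
    """Return {'kind', 'vlan', 'is_ip', 'multicast'} for one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, _src, tl = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if tl == VLAN_TAG:                       # 802.1Q tag sits in front of the real type
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, tl = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    multicast = bool(dst[0] & 0x01)          # group bit of the destination MAC
    if tl < 0x0600:                          # 802.3 length field: LLC follows, DSAP 0x42 is STP
        dsap = frame[off]
        kind = "STP BPDU" if dsap == 0x42 else f"802.3/LLC DSAP 0x{dsap:02x}"
        return {"kind": kind, "vlan": vlan, "is_ip": False, "multicast": multicast}
    kind = ETHERTYPES.get(tl, f"EtherType 0x{tl:04x}")
    if tl != 0x0800:
        return {"kind": kind, "vlan": vlan, "is_ip": tl == 0x86DD, "multicast": multicast}
    # IPv4: look at protocol and destination to spot routing, FHRP and multicast traffic
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        raise ValueError("truncated IPv4 header")
    proto = frame[off + 9]
    dst_ip = frame[off + 16: off + 20]
    kind = IP_PROTOS.get(proto, "IPv4")
    if proto == 17 and len(frame) >= off + ihl + 4:
        dport = struct.unpack("!H", frame[off + ihl + 2: off + ihl + 4])[0]
        kind = UDP_PORTS.get(dport, kind)
    multicast = multicast or 224 <= dst_ip[0] <= 239
    return {"kind": kind, "vlan": vlan, "is_ip": True, "multicast": multicast}


def inventory(frames):
    """Count frame kinds and list those that are not plain unicast IP, i.e. the
    ones a bridging firewall needs an explicit allow/deny decision for."""
    counts, needs_decision = Counter(), set()
    for f in frames:
        c = classify_frame(f)
        counts[c["kind"]] += 1
        plain = c["is_ip"] and c["kind"] in ("IPv4", "IPv6") and not c["multicast"]
        if not plain:
            needs_decision.add(c["kind"])
    return counts, sorted(needs_decision)


# --- constructed sample frames (not from a real capture) ---------------------
def eth(dst, src, ethertype_or_len, payload, vlan=None):
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan)
    return hdr + struct.pack("!H", ethertype_or_len) + payload


def ipv4(proto, dst_ip, payload):
    src, dst = bytes([10, 0, 0, 1]), bytes(int(x) for x in dst_ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def udp(dport, payload):
    return struct.pack("!HHHH", dport, dport, 8 + len(payload), 0) + payload


SRC = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    eth("ff:ff:ff:ff:ff:ff", SRC, 0x0806, bytes(28)),                               # ARP
    eth("01:80:c2:00:00:00", SRC, 38, b"\x42\x42\x03" + bytes(35)),                 # STP BPDU (802.3/LLC)
    eth("00:aa:bb:cc:dd:ee", SRC, 0x8137, bytes(30)),                               # IPX
    eth("00:aa:bb:cc:dd:ee", SRC, 0x8847, bytes(24)),                               # MPLS unicast
    eth("01:00:5e:00:00:05", SRC, 0x0800, ipv4(89, "224.0.0.5", bytes(24))),        # OSPF hello
    eth("01:00:5e:00:00:12", SRC, 0x0800, ipv4(112, "224.0.0.18", bytes(8))),       # VRRP
    eth("01:00:5e:00:00:02", SRC, 0x0800, ipv4(17, "224.0.0.2", udp(1985, bytes(20)))),  # HSRP
    eth("00:aa:bb:cc:dd:ee", SRC, 0x0800, ipv4(6, "10.0.0.2", bytes(20)), vlan=100),    # plain TCP, VLAN 100
]

if __name__ == "__main__":
    counts, needs = inventory(SAMPLE_FRAMES)
    for kind, n in counts.most_common():
        print(f"{n:3d}  {kind}")
    print("needs an explicit decision on an L2 firewall:", ", ".join(needs))
```

The script makes no claim about any particular firewall's defaults. Whether ARP or BPDUs pass without a rule differs between vendors and modes, which is why everything that is not plain unicast IP is reported rather than silently assumed to be allowed.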
The EtherealMind View
As a general rule, I would not deploy Layer 2 firewalls in a network. Taken as a whole, the negative aspects outweigh the positive features. There are times when nothing else will do and an L2 solution is the only way. Just be careful to use your knowledge of first principles to work out the design you need, and then test it. You don’t want to find out what the real problems are after you have completed the deployment.
I imagine that many people will have different views. Let’s hear them and I’ll try to respond.