How do I know if I need a layer 3 switch?

We currently have a flat network with a bunch of unmanaged switches. I would like to use VLANs to segregate certain users like guests, and I would like to use 802.1X. However, I'm not sure whether what I need is a layer 3 or a layer 2 switch.

From what I understand, a layer 3 switch does routing between VLANs. I don't think I need this at the moment, but as I said I'm not sure, since this is all new to me. What else would a layer 3 switch do for me? Our network is relatively small, fewer than 100 users. What exactly does a layer 3 switch do that I can't get with a layer 2 switch? When would I need a layer 3 switch?


Unmanaged: a basic switch; it just passes packets from A to B.
L2: will do basic segregation based on things like VLANs, will usually do QoS, and might do other things like GVRP. This is most useful when used in conjunction with an L3 core switch or a router that fully supports VLANs.
L3: will do routing between different subnets on different VLANs and might do basic traffic shaping (depends on manufacturer and model). It may support ACLs, but it's not terribly common. This is most useful as a switching core in a semi-complicated network.
L4: is basically a simple router with a ton of ports. These allow for very complicated networks, and the price reflects it. Usually these have every feature mentioned above plus all the features commonly found in cheaper (business-grade) routers.

Edit:
Generally people use VLANs to separate different types of traffic. It's common for VoIP phones to use a different VLAN for voice traffic than "normal" network traffic. It's also common to separate SAN and management networks from the rest of the network. Particularly with the management features, it's convenient to have an L3/L4 switch with ACLs so that only admin computers can access the management controllers (iLO/iLOM, network-connected UPSes). Before anyone launches into a "don't you trust your employees" argument, sometimes it's better to just know who can and can't access things.

You can also use VLANs to make a visitors' network. That way certain ports (in conference rooms, waiting rooms, or public areas) can be used by guests/visitors without letting them on your network.

Most of these things can be accomplished with an L2 switch and a VLAN-aware router. However, going with this option reduces your VLAN switching fabric to the links to the router, which may not be enough bandwidth (depends on your network and requirements).


A layer 3 switch is basically a layer 2 switch with a routing function. If you have multiple VLANs and want them to exchange data, you need a routing function. So you have two choices for this:

  1. Get a layer 3 switch.
  2. Keep your existing layer 2 switches and buy a router. This could be cheaper, as most layer 3 switches are generally high end.

If you have users in different VLANs (different IP ranges) and want them to talk to each other, you need at least one layer 3 device in your network. If you don't already have a router, you will need to go for a layer 3 switch.
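Both answers describe the same decision: VLANs on the access switch, and then either a VLAN-aware router on a trunk ("router on a stick") or an L3 switch to route between them, plus ACLs so only admin machines reach the management VLAN. The following configuration is an added illustration of that layout, not something posted by either answerer or taken from a real network. It uses Cisco IOS-style syntax (assumed; other vendors' CLIs differ in wording but not in concept), and every VLAN number, interface name, address, RADIUS server and admin address range is constructed for the example.

```text
! ===== Part 1: managed L2 access switch (what the question asker needs first) =====
vlan 10
 name GUEST
vlan 20
 name STAFF
vlan 99
 name MGMT
!
! 802.1X: the switch checks the user against RADIUS before opening the port.
! 10.0.99.5 is a constructed RADIUS server address; replace the key.
aaa new-model
aaa authentication dot1x default group radius
radius server NPS1
 address ipv4 10.0.99.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! Staff port: 802.1X required. A device that never answers EAP (a visitor's laptop,
! a printer) is put in the guest VLAN instead of being left on the staff VLAN.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event no-response action authorize vlan 10
 dot1x pae authenticator
!
! Conference-room port: guest VLAN only, no 802.1X.
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 10
!
! Uplink: carries all three VLANs (tagged) to whatever does the routing.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! ===== Part 2a: router on a stick (keep the L2 switches, add a VLAN-aware router) =====
! Every inter-VLAN packet crosses this single trunk twice (in and out), which is the
! bandwidth limit the first answer warns about.
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group GUEST-ONLY in
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group NO-MGMT in
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 10.0.99.1 255.255.255.0
!
! ===== Part 2b: the same thing on an L3 switch (routing in the switch, no uplink bottleneck) =====
! Use EITHER 2a OR 2b, not both; the SVIs replace the router subinterfaces one for one.
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group GUEST-ONLY in
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group NO-MGMT in
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
!
! ===== ACLs shared by 2a and 2b (applied inbound on the user-facing interfaces) =====
! Guests may leave the building but may not reach anything in 10.0.0.0/8.
! Caveat: DHCP broadcasts still pass (destination 255.255.255.255 is not in 10/8), but
! DNS for guests must be a public resolver or get an explicit permit line here.
ip access-list extended GUEST-ONLY
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
! Staff may reach everything except the management VLAN; only the admin workstations
! (10.0.20.200-10.0.20.207, a constructed range) may reach iLO/UPS cards in VLAN 99.
ip access-list extended NO-MGMT
 permit ip 10.0.20.200 0.0.0.7 10.0.99.0 0.0.0.255
 deny   ip any 10.0.99.0 0.0.0.255
 permit ip any any
```

Two things to check after applying something like this: `show ip access-lists` on the routing device shows hit counters per line, so a staff machine trying to reach 10.0.99.x should bump the `deny` counter rather than the final `permit`; and `show ip route` on the L3 switch should list all three connected subnets once `ip routing` is on (without it, the SVIs exist but nothing is routed). These ACLs are stateless and only filter traffic entering from the user VLANs, so hosts on the management VLAN can still initiate connections toward staff or guest subnets; that is usually what you want, but it is worth knowing.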