Routing with a firewall vs L3 switches

Tags: architecture, design, firewall, routing, switch

Referring to the following Cisco SAFE design :
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Small_Enterprise_Design_Profile/SEDP/chap5.html#wp1058019


Why use an L3 switch in front of a firewall? Why not let the firewall do all the routing and put an L2 switch instead? The firewall will have to route anyway, from my understanding. It seems to me there are too many routing devices "daisy chained".

I'm referring to Cisco SAFE because it represents the kind of design I commonly see.

Thanks!

Best Answer

You certainly could use an L2 switch, and it would probably work just fine. But here are a few reasons why an L3 switch might be a better choice:

  1. You may want to segregate your servers into different VLANs to simplify access control, apply QoS, limit failure domains, etc. An L3 switch will make this much easier.

  2. While firewalls can run routing protocols, they don't seem to do it as well as routers, except in the simplest of cases.

  3. Network management features are usually more mature on routers than firewalls.

  4. In many organizations, firewalls are administered by the security team (a bad idea, IMO), so they need to get involved if routing changes are needed. It's better if network routing is controlled by a single administrative group.

In the simple diagram you presented, there aren't many routing decisions to be made (there is only one data path), so static routes would probably suffice. But if you start adding redundant switches with redundant paths, then you need devices that can detect and respond to topology changes -- i.e. run routing protocols. "Daisy-chaining" routers is not going to cause problems unless the network is very large.
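To make point 1 and the static-route remark concrete, here is an added configuration example (not taken from the Cisco SAFE document or from the answer above) in which the L3 switch owns two server VLANs, enforces a per-VLAN ACL between them, and sends everything else up a single default route to the firewall; the firewall then needs only one summary route back. VLAN numbers, interface names and the RFC 1918 addresses are constructed placeholders.

```cisco
! --- L3 switch (server distribution) ---
! Two server VLANs, each with its own SVI; traffic between them
! is routed and filtered here and never touches the firewall.
vlan 10
 name APP-SERVERS
vlan 20
 name DB-SERVERS
!
ip routing
!
! Only the app tier may open TCP/1433 to the DB tier; any other
! app-to-db traffic is dropped on the switch itself.
ip access-list extended DB-IN
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 1433
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group DB-IN out
!
! Routed point-to-point link toward the firewall's inside interface
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.0.2 255.255.255.252
!
! Single data path, so one static default route is enough
ip route 0.0.0.0 0.0.0.0 10.1.0.1

! --- Firewall (ASA-style syntax), inside interface ---
! The firewall never sees VLAN 10 or 20 directly; it needs one
! summary route back through the switch for all server subnets.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.252
route inside 10.1.0.0 255.255.0.0 10.1.0.2
```

Adding a second switch with a redundant uplink is the point at which the two static routes above stop being sufficient and a routing protocol on the switches becomes necessary.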