In a Layer 3 deployment, the firewall routes traffic
between multiple ports. Before you can Configure
Layer 3 Interfaces, you must configure the Virtual
Routers that you want the firewall to use to route the traffic
for each Layer 3 interface.
If you’re using security group tags (SGTs)
in a Cisco TrustSec network, it’s a best practice to deploy inline firewalls
in either Layer 2 or virtual wire mode. However, if you need to
use a Layer 3 firewall in a Cisco TrustSec network, you should deploy
the Layer 3 firewall between two SGT exchange protocol (SXP) peers,
and configure the firewall to allow traffic between the SXP peers.
The following topics describe how to configure Layer 3 interfaces,
and how to use Neighbor Discovery Protocol (NDP) to provision IPv6
hosts and view the IPv6 addresses of devices on the link local network
to quickly locate devices.