If you’re using security group tags (SGTs)
in a Cisco TrustSec network, it’s a best practice to deploy inline
firewalls in either Layer 2 or virtual wire mode. However, if you
need to use a Layer 3 firewall in a Cisco TrustSec network, you
should deploy the Layer 3 firewall between two SGT Exchange Protocol
(SXP) peers, and configure the firewall to allow traffic between
the SXP peers.
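
The following is an added example, not configuration from the original page. It sketches rules that let an SXP session cross a Layer 3 firewall, assuming a PAN-OS device in configure mode (suggested by the page's "virtual wire" terminology). The zone names, object names, and IP addresses are constructed placeholders; TCP port 64999 is the port SXP uses. Lines starting with `#` are annotations, not commands.

```text
# Constructed placeholders: zones trustsec-a / trustsec-b, and the two SXP
# peer addresses (documentation ranges). Replace with your own values.
set address sxp-peer-a ip-netmask 192.0.2.1/32
set address sxp-peer-b ip-netmask 198.51.100.1/32

# SXP runs over TCP port 64999.
set service sxp-tcp-64999 protocol tcp port 64999

# Allow the session in both directions, because either peer may open the
# TCP connection depending on which side is configured as speaker or listener.
# Source and destination are pinned to the two peers, so nothing else is
# permitted on this port.
set rulebase security rules allow-sxp-a-to-b from trustsec-a to trustsec-b source sxp-peer-a destination sxp-peer-b application any service sxp-tcp-64999 action allow
set rulebase security rules allow-sxp-b-to-a from trustsec-b to trustsec-a source sxp-peer-b destination sxp-peer-a application any service sxp-tcp-64999 action allow
```

Scoping the rules to the two peer addresses and the single service keeps the exception narrow; a rule that allows the port between whole zones would admit SXP connections from any host in them.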