In a Layer 2 deployment, the firewall provides switching between two or more networks. Devices are connected to a Layer 2 segment; the firewall forwards each frame to the proper port, which is the port associated with the destination MAC address identified in the frame. Configure a Layer 2 Interface when switching is required.

If you’re using security group tags (SGTs) in a Cisco TrustSec network, it’s a best practice to deploy inline firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for the tagged traffic.

The following topics describe the different types of Layer 2 interfaces you can configure for each type of deployment you need, including details on using virtual LANs (VLANs) for traffic and policy separation among groups. Another topic describes how the firewall rewrites the inbound port VLAN ID number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU).
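The forwarding behavior described above (learn the source MAC on the ingress port, forward known unicast to one port, flood unknown unicast and broadcast, and keep VLANs separate) can be seen in a small simulation. The following is an added illustration written for this page; it is not PAN-OS code and does not model the firewall's security policy, only a generic VLAN-aware learning switch. The port-to-VLAN topology, MAC addresses and `max_entries` cap are constructed for the example; the cap is included to show why a bounded MAC table matters when a host floods bogus source addresses.

```python
"""Simulated VLAN-aware Layer 2 learning switch (added example, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal Ethernet frame: only the fields the forwarding decision needs."""
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class LearningSwitch:
    # Access-port topology (constructed): port number -> VLAN ID.
    port_vlans: Dict[int, int]
    # Learned forwarding table, keyed per VLAN so two VLANs never share entries.
    mac_table: Dict[Tuple[int, str], int] = field(default_factory=dict)
    # Upper bound on learned entries; when full, new addresses are not learned
    # (frames are still flooded), so a MAC-flooding host cannot grow the table.
    max_entries: int = 1024

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """Return the egress ports for a frame arriving on in_port."""
        if in_port not in self.port_vlans:
            raise ValueError(f"unknown port {in_port}")
        vlan = self.port_vlans[in_port]

        # Learn (or refresh) the source address on the ingress port.
        key = (vlan, frame.src)
        if key in self.mac_table or len(self.mac_table) < self.max_entries:
            self.mac_table[key] = in_port

        # Broadcast or unknown destination: flood to every other port in this VLAN only.
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.mac_table:
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)

        # Known unicast: send to the single learned port (never back out the ingress port).
        out_port = self.mac_table[(vlan, frame.dst)]
        return [] if out_port == in_port else [out_port]


def build_demo_switch() -> LearningSwitch:
    """Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20."""
    return LearningSwitch(port_vlans={1: 10, 2: 10, 3: 20, 4: 20})


if __name__ == "__main__":
    sw = build_demo_switch()
    print(sw.forward(1, Frame("aa", "bb")))   # unknown dst in VLAN 10 -> flood to [2]
    print(sw.forward(2, Frame("bb", "aa")))   # aa already learned on port 1 -> [1]
    print(sw.forward(3, Frame("cc", "bb")))   # VLAN 20 never sees VLAN 10's table -> [4]
    print(sw.mac_table)
```

Running the script shows the key property the page relies on for policy separation: the frame from port 3 is flooded only within VLAN 20 even though `bb` is a known address in VLAN 10, because the table is keyed by VLAN. Real switches and firewalls also age entries out; that is omitted here to keep the forwarding decision easy to follow.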