In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object so that the firewall can switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.
Figure: Layer 2 Deployment
In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.
Loop Guard must be disabled on the Cisco switch for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.
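The PVID rewrite described above can be pictured with the following added illustration, which is not the firewall's own code: it maps the 802.1Q tag and the Originating VLAN (PVID) TLV of a tagged PVST+ frame to the outbound VLAN. The frame layout and the TLV offset of 36 bytes follow the PVST+ format as commonly dissected; `vlan_map`, the function names and the sample frame are assumptions made for the example.

```python
import struct

PVST_DST = bytes.fromhex("01000ccccccd")       # Cisco PVST+ multicast address
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")  # LLC/SNAP, OUI Cisco, PID PVST+
BPDU_START = 26                                # after MACs, 802.1Q tag, length, LLC/SNAP
PVID_TLV = BPDU_START + 36                     # Originating VLAN TLV follows the BPDU body

def vlan_fields(frame: bytes) -> tuple:
    """Return (802.1Q VLAN ID, PVID carried in the TLV) of a tagged PVST+ frame."""
    return (struct.unpack_from("!H", frame, 14)[0] & 0x0FFF,
            struct.unpack_from("!H", frame, PVID_TLV + 4)[0])

def rewrite_pvid(frame: bytes, vlan_map: dict) -> bytes:
    """Map the tag and the PVID TLV to the outbound VLAN; other frames pass unchanged."""
    if (frame[:6] != PVST_DST or frame[12:14] != b"\x81\x00"
            or frame[18:26] != SNAP_PVST):
        return frame                           # not a tagged PVST+ BPDU
    if len(frame) < PVID_TLV + 6:
        return frame                           # truncated: no TLV to rewrite
    tci = struct.unpack_from("!H", frame, 14)[0]
    tlv_type, tlv_len = struct.unpack_from("!HH", frame, PVID_TLV)
    if (tlv_type, tlv_len) != (0, 2) or (tci & 0x0FFF) not in vlan_map:
        return frame                           # unknown TLV or VLAN not switched
    out_vid = vlan_map[tci & 0x0FFF]
    out = bytearray(frame)
    struct.pack_into("!H", out, 14, (tci & 0xF000) | out_vid)  # keep priority bits
    struct.pack_into("!H", out, PVID_TLV + 4, out_vid)         # PVID now matches the tag
    return bytes(out)

def sample_frame(vid: int) -> bytes:
    """Constructed Rapid PVST+ BPDU tagged with `vid` (all field values are made up)."""
    bridge_id = struct.pack("!H", 0x8000 | vid) + bytes.fromhex("001122334455")
    bpdu = (b"\x00\x00\x02\x02\x3c" + bridge_id + struct.pack("!I", 0) + bridge_id
            + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
            + b"\x00" + struct.pack("!HHH", 0, 2, vid))
    llc = SNAP_PVST + bpdu
    return (PVST_DST + bytes.fromhex("001122334455")
            + struct.pack("!HHH", 0x8100, vid, len(llc)) + llc)

if __name__ == "__main__":
    before = sample_frame(10)
    after = rewrite_pvid(before, {10: 20})     # inbound VLAN 10 leaves as VLAN 20
    print(vlan_fields(before), "->", vlan_fields(after))
```

Only the tag and the PVID TLV are changed, as the text describes; the rest of the BPDU is copied through untouched.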
