In a Layer 2 deployment, the firewall provides switching
between two or more networks. Devices are connected to a Layer 2
segment; the firewall forwards the frames to the proper port, which
is associated with the MAC address identified in the frame. Configure
a Layer 2 Interface when switching is required.

In a Layer 2 deployment, the firewall rewrites the inbound Port
VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+)
or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound
VLAN ID number and forwards it out. The firewall rewrites such BPDUs
on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.

A Cisco switch must have the loopguard disabled
for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on
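
A sketch of the PVID rewrite described above, as an added example that is not from the original page or from the firewall's own code. It assumes the commonly documented PVST+ layout (SNAP PID 0x010b, PVID TLV at offset 36 of the BPDU) and that the 802.1Q tag carries the same outbound VLAN; the function names and the sample frame are constructed.

```python
import struct

PVST_DST = bytes.fromhex("01000ccccccd")       # Cisco PVST+ multicast destination
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")  # LLC/SNAP header, PID 0x010b
TLV_OFFSET = 36  # assumption: PVID TLV follows 35 BPDU bytes plus 1 pad byte

def locate(frame):
    """Return (offset of 802.1Q TCI or None, offset of PVID value)."""
    if frame[:6] != PVST_DST:
        raise ValueError("not a PVST+ frame")
    tagged = frame[12:14] == b"\x81\x00"
    llc = 18 if tagged else 14              # also skips the 802.3 length field
    if frame[llc:llc + 8] != SNAP_PVST:
        raise ValueError("unexpected LLC/SNAP header")
    tlv = llc + 8 + TLV_OFFSET
    if len(frame) < tlv + 6:
        raise ValueError("truncated before PVID TLV")
    if struct.unpack_from("!HH", frame, tlv) != (0x0000, 0x0002):
        raise ValueError("PVID TLV not found")
    return (14 if tagged else None), tlv + 4

def read_vlans(frame):
    """Return (802.1Q VLAN or None, PVID carried in the BPDU)."""
    tci_off, pvid_off = locate(frame)
    tag = None if tci_off is None else struct.unpack_from("!H", frame, tci_off)[0] & 0x0FFF
    return tag, struct.unpack_from("!H", frame, pvid_off)[0]

def rewrite_pvid(frame, outbound_vlan):
    """Copy of frame with PVID (and tag VLAN, if tagged) set to outbound_vlan."""
    if not 1 <= outbound_vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    tci_off, pvid_off = locate(frame)
    out = bytearray(frame)
    if tci_off is not None:                 # keep PCP/DEI bits, swap the VLAN ID
        tci = struct.unpack_from("!H", out, tci_off)[0]
        struct.pack_into("!H", out, tci_off, (tci & 0xF000) | outbound_vlan)
    struct.pack_into("!H", out, pvid_off, outbound_vlan)
    return bytes(out)

def sample_frame(vlan, tagged=True):
    """Constructed PVST+ frame: zeroed BPDU body, documentation-range source MAC."""
    tag = b"\x81\x00" + struct.pack("!H", 0xE000 | vlan) if tagged else b""
    payload = SNAP_PVST + bytes(TLV_OFFSET) + struct.pack("!HHH", 0, 2, vlan)
    return PVST_DST + bytes.fromhex("00005e005301") + tag + struct.pack("!H", len(payload)) + payload

if __name__ == "__main__":
    inbound = sample_frame(10)
    print(read_vlans(inbound), "->", read_vlans(rewrite_pvid(inbound, 20)))
```

Comparing the two values returned by `read_vlans` on a capture from each side of the firewall shows whether the tag and the PVID agree on that segment.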

The following topics describe the different types of Layer 2
interfaces you can configure for each type of deployment you need,
including details on using virtual LANs (VLANs) for traffic and
policy separation among groups.