In a Layer 3 deployment, the firewall routes traffic
between multiple ports. Before you can Configure
Layer 3 Interfaces, you must configure the Virtual
Routers that you want the firewall to use to route the traffic for
each Layer 3 interface.
If you’re using security group tags (SGTs)
in a Cisco Trustsec network, it’s a best practice to deploy inline
firewalls in either Layer 2 or virtual wire mode. However, if you
need to use a Layer 3 firewall in a Cisco Trustsec network, you
should deploy the Layer 3 firewall between two SGT exchange protocol (SXP)
peers, and configure the firewall to allow traffic between the SXP peers.
The following topics describe how to configure Layer 3 interfaces,
and how to use Neighbor Discovery Protocol (NDP) to provision IPv6
hosts and view the IPv6 addresses of devices on the link local network
to quickly locate devices.