Understanding Firewall Filter Processing Points for Bridged and Routed Packets
You can apply firewall filters at multiple processing points in the forwarding path. At each processing point, the action taken on a packet is determined by the configuration of the filter bound there and by the result of the lookup in the forwarding or routing table.
For both bridged (Layer 2) unicast packets and routed (Layer 3) unicast packets, firewall filters are applied in the order shown below (assuming that a filter is configured at each point and that the packet is accepted by each one; a packet discarded at one point is not evaluated by the later ones).
Bridged packets:
Ingress port filter
Ingress VLAN filter
Egress VLAN filter
Egress port filter
Routed packets:
Ingress port firewall filter
Ingress VLAN firewall filter (Layer 2 CoS)
Ingress router firewall filter (Layer 3 CoS)
Egress router firewall filter
Egress VLAN firewall filter
Egress port filter
MAC learning occurs before the filters are applied, so the switch learns the source MAC address of a packet even when an ingress filter then discards it.
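The following Python model is an added illustration of the two processing orders above and of the MAC-learning caveat; it is not code from the original page or from Junos. The filter terms, packet fields, and the assumption that a configured filter without a matching term applies an implicit discard are part of the example, not taken from the page.

```python
from dataclasses import dataclass, field

# Processing points in the order given above for each packet type.
BRIDGED = ["ingress-port", "ingress-vlan", "egress-vlan", "egress-port"]
ROUTED = ["ingress-port", "ingress-vlan", "ingress-router",
          "egress-router", "egress-vlan", "egress-port"]


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    in_port: str
    routed: bool  # True when the packet is destined to a Layer 3 (routed) interface


@dataclass
class Switch:
    # processing point -> list of (match-fields, action); first matching term wins
    filters: dict = field(default_factory=dict)
    mac_table: dict = field(default_factory=dict)  # source MAC -> ingress port

    def evaluate(self, point, pkt):
        terms = self.filters.get(point)
        if terms is None:          # no filter bound at this point: pass through
            return "accept"
        for match, action in terms:
            if all(getattr(pkt, k) == v for k, v in match.items()):
                return action
        return "discard"           # assumed implicit discard when no term matches

    def forward(self, pkt):
        # MAC learning happens before any filter runs, so the source MAC is
        # recorded even if an ingress filter drops the packet a moment later.
        self.mac_table[pkt.src_mac] = pkt.in_port
        trace = []
        for point in (ROUTED if pkt.routed else BRIDGED):
            action = self.evaluate(point, pkt)
            trace.append((point, action))
            if action == "discard":
                return "discard", trace   # later points are never consulted
        return "accept", trace


def build_switch():
    # Constructed sample policy: drop one host at the ingress VLAN filter and
    # one destination at the egress router filter; everything else is accepted.
    return Switch(filters={
        "ingress-vlan": [({"src_ip": "10.0.0.5"}, "discard"), ({}, "accept")],
        "egress-router": [({"dst_ip": "192.0.2.9"}, "discard"), ({}, "accept")],
    })
```

Running `build_switch().forward(Packet(...))` shows that a routed packet to 192.0.2.9 is dropped at the egress router filter, while the same destination in a bridged packet is accepted because that processing point is not on the Layer 2 path.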