IP-based firewalls function like Access Control Lists (ACLs) to filter or mark packets, as opposed to filtering packets on Layer 2 ports.
IP-based firewall rules are specific to source and destination IP addresses and to the unique rules and precedence definitions assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. Firewall rules are processed by a firewall-supported device from first to last. When a rule matches the network traffic a controller or service platform is processing, the firewall uses that rule's action to determine whether the traffic is allowed or denied.
Note
Once defined, a set of IP firewall rules must be applied to an interface to be a functional filtering tool. There are separate policy creation mechanisms for IPv4 traffic. With IPv4, if you intend to deny specific types of packets, best practice is to create access rules for traffic entering a controller, service platform, or access point interface before the controller, service platform, or access point spends time processing them. This is because access rules are processed before other types of firewall rules.
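
The first-to-last processing described above means a broad rule placed early can hide a narrower rule that follows it. The following is an added example, not code from the product or its documentation: a small Python model that evaluates a rule set by first match and reports rules that can never match. The `Rule` class, the function names, the sample addresses, and the assumption that a lower precedence number is processed first are all illustrative; matching is simplified to source and destination IPv4 networks only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    precedence: int  # assumption: lower number is processed first
    action: str      # "allow" or "deny"
    src: str         # source network, CIDR
    dst: str         # destination network, CIDR

    def nets(self):
        return ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)

def ordered(rules):
    return sorted(rules, key=lambda r: r.precedence)

def evaluate(rules, src_ip, dst_ip):
    """Return (precedence, action) of the first matching rule, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in ordered(rules):
        src_net, dst_net = rule.nets()
        if s in src_net and d in dst_net:
            return rule.precedence, rule.action  # first match decides
    return None  # no rule matched; device default behaviour is not modelled

def shadowed(rules):
    """Return (earlier, later) precedence pairs where `later` can never match."""
    found, rs = [], ordered(rules)
    for i, later in enumerate(rs):
        l_src, l_dst = later.nets()
        for earlier in rs[:i]:
            e_src, e_dst = earlier.nets()
            # later is fully covered when both of its networks sit inside earlier's
            if l_src.subnet_of(e_src) and l_dst.subnet_of(e_dst):
                found.append((earlier.precedence, later.precedence))
                break
    return found

# Constructed rule sets using documentation address ranges.
MISORDERED = [Rule(10, "allow", "192.0.2.0/24", "198.51.100.0/24"),
              Rule(20, "deny", "192.0.2.64/26", "198.51.100.10/32"),
              Rule(30, "deny", "0.0.0.0/0", "198.51.100.0/24")]
REORDERED = [Rule(10, "deny", "192.0.2.64/26", "198.51.100.10/32"),
             Rule(20, "allow", "192.0.2.0/24", "198.51.100.0/24"),
             Rule(30, "deny", "0.0.0.0/0", "198.51.100.0/24")]

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(name, evaluate(rules, "192.0.2.70", "198.51.100.10"), shadowed(rules))
```

In the misordered set the intended deny at precedence 20 is never reached because the allow at precedence 10 matches first; moving the narrower deny ahead of the broader allow restores the intended result.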