As we have discussed elsewhere, communication between two devices residing on different subnetworks or VLANs must traverse a subnetwork boundary router. The router makes forwarding decisions primarily based upon the IP address and subnetwork mask.
Firewalls look deeper into the packet headers, which carry the layer 3 source and destination IP addresses and also the layer 4 socket addresses (port numbers) used to direct communication between applications.
Inspecting each and every packet for a reason to block it and drop the transmission is critical to maximising security. Done correctly, this allows a network to be tightly secured.
Network security is further enhanced by monitoring the firewalls and switches to learn what is happening across your network.
A typical monitoring policy is to log every dropped packet and report these network events back to a central, time-synchronised, system-wide logging service.
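The following is an added illustration, not code from the original article: a minimal stateless filter that parses the layer 3 and layer 4 header fields from a raw IPv4 packet, evaluates them against a first-match, default-deny rule set, and records each drop with a UTC timestamp of the kind a central collector would expect. The rule set and sample packets are constructed for the example, and it assumes the host clock is already synchronised (e.g. via NTP).

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Constructed example policy (hypothetical): first match wins, anything unmatched is dropped.
RULES = [
    {"action": "allow", "src": "10.1.0.0/16", "dst": "10.2.0.10/32", "proto": 6, "dport": 443},
    {"action": "allow", "src": "10.1.0.0/16", "dst": "10.2.0.53/32", "proto": 17, "dport": 53},
]

def build_packet(src, dst, proto, sport, dport):
    """Constructed sample traffic: a minimal 20-byte IPv4 header plus the L4 port pair."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HH", sport, dport)

def parse_l3_l4(packet):
    """Pull out the layer 3 and layer 4 header fields a firewall matches on."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport = dport = None
    if proto in (6, 17) and len(packet) >= ihl + 4:  # TCP/UDP: ports are the first 4 L4 bytes
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def evaluate(fields, rules=RULES):
    """Return the action of the first matching rule; implicit deny when nothing matches."""
    for r in rules:
        if (fields["src"] in ipaddress.ip_network(r["src"])
                and fields["dst"] in ipaddress.ip_network(r["dst"])
                and fields["proto"] == r["proto"]
                and fields["dport"] == r["dport"]):
            return r["action"]
    return "drop"

def filter_packet(packet, drop_log, rules=RULES, now=None):
    """Apply the policy; every drop is logged with a UTC timestamp for the central collector."""
    fields = parse_l3_l4(packet)
    action = evaluate(fields, rules)
    if action == "drop":
        ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        drop_log.append(f"{ts} DROP proto={fields['proto']} "
                        f"{fields['src']}:{fields['sport']} -> {fields['dst']}:{fields['dport']}")
    return action
```

In a real deployment the `drop_log` entries would be shipped to the central logging service (for example over syslog) rather than kept in memory.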