Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)	No prerequisites needed

If you don’t implement a Zone Protection profile with non-IP protocol protection, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use case, blocking LLDP packets ensures that LLDP for one network doesn’t discover a network reachable through another interface in the zone.

In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces: 192.168.1.1/24, subinterface .7 and 192.168.1.2/24, subinterface .8. The VLAN belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:

• Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
• Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.

1. Create a subinterface for an Ethernet interface.

   1. Select NetworkInterfacesEthernet and select a Layer 2 interface, in this example, ethernet1/1.
   2. Select Add Subinterfaces.
   3. The Interface Name defaults to the interface (ethernet 1/1). After the period, enter 7.
   4. For Tag, enter 300.
   5. For Security Zone, select User.
   6. Click OK.
2. Create a second subinterface for the Ethernet interface.

   1. Select NetworkInterfacesEthernet and select the Layer 2 interface: ethernet1/1.
   2. Select Add Subinterfaces.
   3. The Interface Name defaults to the interface (ethernet 1/1). After the period, enter 8.
   4. For Tag, enter 400.
   5. For Security Zone, select User.
   6. Click OK.
3. Create a VLAN for the Layer2 interface and two subinterfaces.

   1. Select NetworkVLANs and Add a VLAN.
   2. Enter the Name of the VLAN; for this example, enter Datacenter.
   3. For VLAN Interface, select None.
   4. For Interfaces, click Add and select the Layer 2 interface: ethernet1/1, and two subinterfaces: ethernet1/1.7 and ethernet1/1.8.
   5. Click OK.
4. Block non-IP protocol packets in a Zone Protection profile.

   1. Select NetworkNetwork ProfilesZone Protection and Add a profile.
   2. Enter the Name, in this example, Block LLDP.
   3. Enter a profile Description—Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
   4. Select Protocol Protection.
   5. Choose Rule Type of Exclude List.
   6. Enter Protocol Name LLDP.
   7. Enter Ethertype code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
   8. Select Enable.
   9. Click OK.
5. Apply the Zone Protection profile to the security zone to which Layer 2 VLAN belongs.

   1. Select NetworkZones.
   2. Add a zone.
   3. Enter the Name of the zone, User.
   4. For Location, select the virtual system where the zone applies.
   5. For Type, select Layer2.
   6. Add an Interface that belongs to the zone, ethernet1/1.7
   7. Add an Interface that belongs to the zone, ethernet1/1.8.
   8. For Zone Protection Profile, select the profile Block LLDP.
   9. Click OK.
6. Commit.

   Click Commit.
7. View the number of non-IP packets the firewall has dropped based on protocol protection.

   Access the CLI.

   > show counter global name pkt_nonip_pkt_drop 
   > show counter global name pkt_nonip_pkt_drop delta yes