For a firewall in a Cisco TrustSec network, create a Zone Protection profile with a list of Layer 2 Security Group Tags (SGTs) that you want to exclude. Apply the Zone Protection profile to a Layer 2, virtual wire, or tap interface. If an incoming packet with an 802.1Q (Ethertype 0x8909) header has an SGT that matches an SGT in your list, the firewall drops the packet.
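
The matching rule described above, modelled as an added Python example (not Palo Alto Networks code or firewall configuration). The header layout after Ethertype 0x8909 (version, length, option, then a 16-bit SGT), the optional VLAN tag ahead of it, and the names `extract_sgt`, `verdict` and `build_frame` are assumptions of this example; the sample frames and exclusion list are constructed.

```python
import struct

ETHERTYPE_SGT = 0x8909   # Ethertype the page names for the SGT-bearing header
ETHERTYPE_VLAN = 0x8100  # assumption: an optional VLAN tag may come first

def extract_sgt(frame: bytes):
    """Return the SGT in the frame, or None when no SGT header is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_SGT:
        return None
    # Assumed layout: version (1), length (1), option (2), SGT (2).
    if len(frame) < offset + 6:
        raise ValueError("truncated SGT header")
    _version, _length, _option, sgt = struct.unpack_from("!BBHH", frame, offset)
    return sgt

def verdict(frame: bytes, excluded_sgts: set) -> str:
    """Model the rule: drop when the frame's SGT is on the exclusion list."""
    sgt = extract_sgt(frame)
    return "drop" if sgt is not None and sgt in excluded_sgts else "forward"

def build_frame(sgt=None, vlan=None) -> bytes:
    """Construct a sample frame (test data only, not captured traffic)."""
    frame = bytes.fromhex("ffffffffffff020000000001")
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    if sgt is not None:
        frame += struct.pack("!HBBHH", ETHERTYPE_SGT, 1, 1, 0x0001, sgt)
    return frame + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    excluded = {100, 200}  # constructed exclusion list
    for label, frame in [("SGT 100", build_frame(sgt=100)),
                         ("SGT 300", build_frame(sgt=300)),
                         ("VLAN 10 + SGT 200", build_frame(sgt=200, vlan=10)),
                         ("no SGT header", build_frame())]:
        print(f"{label}: {verdict(frame, excluded)}")
```

Raising on a truncated header is this example's choice so that malformed frames are surfaced rather than silently treated as untagged; it does not describe how the firewall handles them.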