For a firewall in a Cisco TrustSec network, create
a Zone Protection profile with a list of Layer 2 Security Group
Tags (SGTs) that you want to exclude. Apply the Zone Protection
profile to a Layer 2, virtual wire, or tap interface. If an incoming
packet with an 802.1Q (Ethertype 0x8909) header has an SGT that
matches an SGT in your list, the firewall drops the packet.
Zone Protection Profile Settings
Layer 2 SGT Exclude List
Ethernet SGT Protection
Enter a name for the list of Security Group
Enter the Layer 2 SGTs in headers of packets
that you want to exclude (drop) when the SGT matches this list in the
Zone Protection profile applied to a zone (range is 0 to 65,535).
this exclude list for Ethernet SGT protection. De-select the