Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire
You can now use a Zone Protection profile to block or allow non-IP protocols between security zones on a Layer 2 VLAN or a virtual wire. You can also block or allow such protocols between interfaces within a single zone on a Layer 2 VLAN. Controlling non-IP protocols for a zone reduces security risk and facilitates regulatory compliance by preventing packets of these less secure protocols from entering a zone, or an interface in a zone, where they don’t belong. Examples of non-IP protocols that you can control are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) protocols such as Generic Object Oriented Substation Event (GOOSE), among many others.
Enhance your zone protection by configuring protocol protection, which lists the non-IP protocols for the firewall to either block (exclude) or allow (include). Apply the Zone Protection profile to an ingress security zone for physical interfaces or AE (aggregate Ethernet) interfaces. For example, a Layer 2 interface on the firewall can be divided into two subinterfaces, each belonging to a VLAN and a zone. You can whitelist the GOOSE protocol for one zone and blacklist it for the other zone, as shown in the following figure:
If you don’t implement a Zone Protection profile with non-IP protocol control, the firewall allows non-IP protocols within a single zone to pass from one Layer 2 interface to another. In the following intrazone example, blacklisting LLDP packets ensures that LLDP from one network does not discover a network reachable through another interface in the same zone. The Layer 2 VLAN is divided into two subinterfaces, both of which belong to the User zone. Applying a Zone Protection profile that blocks LLDP to the User zone has the following effect:
Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.
The Include List or Exclude List you configure for protocol protection supports up to 64 Ethertype entries, identified by their IEEE hexadecimal Ethertype code. Locate the Ethertype codes you want to use at sources
A firewall supports multiple Zone Protection profiles, one per zone.
Protocol protection doesn’t let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These Ethertypes are always implicitly allowed: an Include List allows them without listing them, and they remain allowed even if you configure an Exclude List.
Configure non-IP Protocol Protection in a Zone Protection profile and apply the profile to an ingress security zone.
Access the CLI to view the number of non-IP packets the firewall has dropped based on protocol protection:
show counter global name pkt_nonip_pkt_drop
show counter global name pkt_nonip_pkt_drop delta yes
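The Include/Exclude List semantics and the drop counter described above, as an added model written for this page (not PAN-OS code): it applies one profile per ingress zone, honours the always-allowed Ethertypes and the 64-entry limit, and counts drops the way pkt_nonip_pkt_drop would. The zone names, the sample frames and the 0x0600 lower bound for valid Ethertype codes (the IEEE rule separating Ethertypes from 802.3 length fields) are assumptions.

```python
from dataclasses import dataclass, field

# Ethertypes the page says protocol protection can never block.
ALWAYS_ALLOWED = frozenset({0x0800, 0x86DD, 0x0806, 0x8100})
MAX_ENTRIES = 64
# IEEE-assigned Ethertypes used by the constructed sample traffic below.
GOOSE, LLDP, APPLETALK = 0x88B8, 0x88CC, 0x809B


@dataclass
class ProtocolProtection:
    """Include List (allow only the listed codes) or Exclude List (block them)."""
    mode: str                       # "include" or "exclude"
    ethertypes: frozenset = frozenset()

    def __post_init__(self):
        if self.mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")
        if len(self.ethertypes) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} Ethertype entries allowed")
        if any(not 0x0600 <= e <= 0xFFFF for e in self.ethertypes):
            raise ValueError("Ethertype codes must be in 0x0600-0xFFFF (assumed)")

    def allows(self, ethertype: int) -> bool:
        if ethertype in ALWAYS_ALLOWED:        # IPv4, IPv6, ARP, 802.1Q always pass
            return True
        listed = ethertype in self.ethertypes
        return listed if self.mode == "include" else not listed


@dataclass
class Firewall:
    """One Zone Protection profile per ingress zone plus the global drop counter."""
    profiles: dict = field(default_factory=dict)
    pkt_nonip_pkt_drop: int = 0

    def ingress(self, zone: str, ethertype: int) -> bool:
        profile = self.profiles.get(zone)
        if profile is None or profile.allows(ethertype):   # no profile: non-IP passes
            return True
        self.pkt_nonip_pkt_drop += 1
        return False


def run_sample() -> dict:
    """Constructed frames: a GOOSE-only substation zone and a User zone blocking LLDP."""
    fw = Firewall({"Substation": ProtocolProtection("include", frozenset({GOOSE})),
                   "User": ProtocolProtection("exclude", frozenset({LLDP}))})
    sample = [("Substation", GOOSE), ("Substation", LLDP), ("Substation", 0x0806),
              ("User", LLDP), ("User", APPLETALK), ("User", 0x0800), ("Guest", LLDP)]
    results = {f"{zone}:{et:#06x}": fw.ingress(zone, et) for zone, et in sample}
    results["drops"] = fw.pkt_nonip_pkt_drop
    return results
```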