Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire

You can now use a Zone Protection profile to block or allow non-IP protocols between security zones on a Layer 2 VLAN or a virtual wire. You can also block or allow such protocols between interfaces within a single zone on a Layer 2 VLAN. Controlling non-IP protocols for a zone reduces security risks and facilitates regulatory compliance by preventing these less secure protocol packets from entering a zone or interface in a zone where they don’t belong.
Examples of non-IP protocols that you can control are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE), among many others.
Enhance your zone protection by configuring protocol protection, which lists non-IP protocols for the firewall to either block (exclude) or allow (include). Apply the Zone Protection profile to an ingress security zone for physical interfaces or AE interfaces.
For example, a firewall in a Layer 2 VLAN can be divided into two subinterfaces, each belonging to a VLAN and a zone. You can whitelist the GOOSE protocol for one zone and blacklist it for the other zone, as shown in the following figure:
If you don’t implement a Zone Protection profile with non-IP protocol control, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In the following intrazone example, blacklisting LLDP packets ensures that LLDP for one network does not discover a network reachable through another interface in the zone. The Layer 2 VLAN is divided into two subinterfaces and belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:
  • Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
  • Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.
Each Include List or Exclude List you configure for protocol protection supports up to 64 Ethertype entries, identified by their IEEE hexadecimal Ethertype code. Locate the Ethertype codes you want to use at sources such as:
The firewall supports multiple Zone Protection profiles, one per zone. Protocol protection doesn’t let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These Ethertypes are always implicitly allowed in an Include List without listing them and implicitly allowed even if you configure an Exclude List.
  1. Configure non-IP Protocol Protection in a Zone Protection profile and apply the profile to an ingress security zone.
  2. Access the CLI to view the number of non-IP packets the firewall has dropped based on protocol protection.
    > show counter global name pkt_nonip_pkt_drop
    > show counter global name pkt_nonip_pkt_drop delta yes

Related Documentation