Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

If you don’t apply a Zone Protection profile with non-IP protocol protection, the firewall forwards non-IP protocols between Layer 2 interfaces that belong to the same zone. In this use case, an Exclude List entry for LLDP (Ethertype 0x88cc) drops LLDP advertisements from the switch on one subinterface before they can reach, and therefore discover, the switch on the other subinterface in the zone.
In the following figure, the Layer 2 VLAN named Datacenter contains two subinterfaces of ethernet1/1: subinterface .7 (VLAN tag 300, labeled 192.168.1.1/24 in the figure) and subinterface .8 (VLAN tag 400, labeled 192.168.1.2/24). Both subinterfaces belong to the User zone. Applying a Zone Protection profile that blocks LLDP to the User zone has the following effect:
  • LLDP from the switch on subinterface .7 is dropped as it enters the firewall, at the red X on the left, so it never reaches subinterface .8.
  • LLDP from the switch on subinterface .8 is dropped as it enters the firewall, at the red X on the right, so it never reaches subinterface .7.
non_ip_protocol_l2_intrazone_trust.png
  1. Create a subinterface for an Ethernet interface.
    1. Select Network > Interfaces > Ethernet and select a Layer 2 interface, in this example, ethernet1/1.
    2. Select Add Subinterfaces.
    3. The Interface Name defaults to the parent interface (ethernet1/1). After the period, enter 7, giving ethernet1/1.7.
    4. For Tag, enter 300.
    5. For Security Zone, select User.
    6. Click OK.
  2. Create a second subinterface for the same Ethernet interface.
    1. Select Network > Interfaces > Ethernet and select the Layer 2 interface ethernet1/1.
    2. Select Add Subinterfaces.
    3. The Interface Name defaults to the parent interface (ethernet1/1). After the period, enter 8, giving ethernet1/1.8.
    4. For Tag, enter 400.
    5. For Security Zone, select User.
    6. Click OK.
  3. Create a VLAN for the Layer 2 interface and its two subinterfaces.
    1. Select Network > VLANs and Add a VLAN.
    2. Enter the Name of the VLAN; for this example, enter Datacenter.
    3. For VLAN Interface, select None.
    4. For Interfaces, click Add and select the Layer 2 interface ethernet1/1 and the two subinterfaces ethernet1/1.7 and ethernet1/1.8.
    5. Click OK.
  4. Block non-IP protocol packets in a Zone Protection profile.
    1. Select Network > Network Profiles > Zone Protection and Add a profile.
    2. Enter the Name, in this example, Block LLDP.
    3. Enter a profile Description, for example: Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
    4. Select Protocol Protection.
    5. Choose a Rule Type of Exclude List. An Exclude List blocks only the protocols you list and allows every other non-IP protocol; an Include List allows only the listed protocols and blocks all other non-IP protocols.
    6. Enter the Protocol Name, LLDP.
    7. Enter the Ethertype code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
    8. Select Enable.
    9. Click OK.
  5. Apply the Zone Protection profile to the security zone to which the Layer 2 VLAN belongs.
    1. Select Network > Zones.
    2. Add a zone, or open the User zone if you already created it when assigning the subinterfaces.
    3. Enter the Name of the zone, User.
    4. For Location, select the virtual system where the zone applies.
    5. For Type, select Layer2.
    6. Add an Interface that belongs to the zone, ethernet1/1.7.
    7. Add an Interface that belongs to the zone, ethernet1/1.8.
    8. For Zone Protection Profile, select the profile Block LLDP.
    9. Click OK.
  6. Commit the configuration.
    Click Commit.
  7. View the number of non-IP packets the firewall has dropped based on protocol protection.
    > show counter global name pkt_nonip_pkt_drop
    > show counter global name pkt_nonip_pkt_drop delta yes
    The delta yes form reports only the change since you last ran the command, which makes it easy to confirm that a newly sent LLDP advertisement was dropped rather than forwarded to the other subinterface.
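The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: a small Python model of the Protocol Protection decision configured in step 4, run over constructed 802.1Q-tagged frames as the User zone would see them on ethernet1/1.7 (tag 300) and ethernet1/1.8 (tag 400). It shows the two points a practitioner most often gets wrong: the real Ethertype of a subinterface frame sits behind the 0x8100 VLAN tag, and an Exclude List blocks only what is listed (LLDP here) while an Include List blocks everything non-IP that is not listed. The frame contents, switch MAC addresses, the PTP frame used for contrast, the set of always-permitted Ethertypes, and the `dropped` counter are all assumptions made for illustration; the counter merely stands in for the firewall's own pkt_nonip_pkt_drop.

```python
"""Added example (not PAN-OS code): model of Zone Protection non-IP protocol
protection over constructed Ethernet frames."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_PTP = 0x88F7   # another non-IP protocol, used only to contrast the two rule types

# Assumption modeled here: these Ethertypes are never subject to the list,
# since the firewall needs them to forward IP, resolve ARP and handle VLAN tags.
ALWAYS_PERMITTED = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_8021Q, ETHERTYPE_IPV6}


def parse_ethertype_code(text: str) -> int:
    """Mirror the UI rule from step 4: the code must be written as 0x-prefixed hex."""
    if not text.lower().startswith("0x"):
        raise ValueError(f"Ethertype {text!r} must be preceded by 0x")
    value = int(text, 16)
    # Values below 0x0600 are IEEE 802.3 length fields, not Ethertypes.
    if not 0x0600 <= value <= 0xFFFF:
        raise ValueError(f"{text} is not a valid Ethertype")
    return value


def frame_ethertype(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id, ethertype) for an Ethernet II frame.

    A subinterface receives 802.1Q-tagged frames, so the protocol Ethertype
    sits after the 4-byte tag; reading bytes 12-13 alone would yield 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
    return vlan_id, ethertype


@dataclass
class ProtocolProtection:
    """One Zone Protection profile's Protocol Protection section."""
    rule_type: str                                                     # "exclude" or "include"
    protocols: Dict[str, Tuple[int, bool]] = field(default_factory=dict)  # name -> (ethertype, enabled)
    dropped: int = 0                                                   # stand-in for pkt_nonip_pkt_drop

    def add(self, name: str, ethertype_code: str, enable: bool = True) -> None:
        self.protocols[name] = (parse_ethertype_code(ethertype_code), enable)

    def allows(self, frame: bytes) -> bool:
        _vlan_id, ethertype = frame_ethertype(frame)
        if ethertype in ALWAYS_PERMITTED:
            return True
        listed = any(et == ethertype and enabled for et, enabled in self.protocols.values())
        if self.rule_type == "exclude":      # block only the listed protocols
            allowed = not listed
        elif self.rule_type == "include":    # allow only the listed protocols
            allowed = listed
        else:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        if not allowed:
            self.dropped += 1
        return allowed


def build_frame(dst_mac: str, src_mac: str, ethertype: int, vlan_id: Optional[int] = None) -> bytes:
    """Constructed frame: dst, src, optional 802.1Q tag, Ethertype, zero payload."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + b"\x00" * 46


LLDP_MCAST = "0180c200000e"   # LLDP nearest-bridge group address
SWITCH_A = "001122334455"     # constructed MAC of the switch behind subinterface .7
SWITCH_B = "66778899aabb"     # constructed MAC of the switch behind subinterface .8

# Constructed frames as seen on ethernet1/1.7 (tag 300) and ethernet1/1.8 (tag 400).
FRAMES = {
    "lldp_tag300": build_frame(LLDP_MCAST, SWITCH_A, ETHERTYPE_LLDP, vlan_id=300),
    "lldp_tag400": build_frame(LLDP_MCAST, SWITCH_B, ETHERTYPE_LLDP, vlan_id=400),
    "arp_tag300": build_frame("ffffffffffff", SWITCH_A, ETHERTYPE_ARP, vlan_id=300),
    "ipv4_tag400": build_frame(SWITCH_A, SWITCH_B, ETHERTYPE_IPV4, vlan_id=400),
    "ptp_tag300": build_frame("011b19000000", SWITCH_A, ETHERTYPE_PTP, vlan_id=300),
}


def evaluate(rule_type: str) -> Dict[str, object]:
    """Apply a profile that lists only LLDP (as in step 4) and report verdicts plus the drop count."""
    profile = ProtocolProtection(rule_type)
    profile.add("LLDP", "0x88cc")
    verdicts: Dict[str, object] = {name: profile.allows(frame) for name, frame in FRAMES.items()}
    verdicts["dropped"] = profile.dropped
    return verdicts


if __name__ == "__main__":
    for rule in ("exclude", "include"):
        print(rule, evaluate(rule))
```

With the Exclude List from the procedure, only the two LLDP frames are dropped (count 2) and ARP, IPv4 and PTP pass; switching the same profile to an Include List inverts the outcome for PTP, which is then the only dropped frame. Feeding `frame_ethertype` an untagged frame returns `None` for the VLAN ID, which is how the model distinguishes the physical interface from its subinterfaces.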
