Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces
If you don't implement a Zone Protection profile with non-IP protocol protection, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use case, blocking LLDP packets ensures that LLDP for one network doesn't discover a network reachable through another interface in the zone.

In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces: 192.168.1.1/24, subinterface .7, and 192.168.1.2/24, subinterface .8. The VLAN belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:
- Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
- Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.

- Create a subinterface for an Ethernet interface.
  - Select Network > Interfaces > Ethernet and select a Layer 2 interface, in this example, ethernet1/1.
  - Select Add Subinterfaces.
  - The Interface Name defaults to the interface (ethernet1/1). After the period, enter 7.
  - For Tag, enter 300.
  - For Security Zone, select User.
  - Click OK.
- Create a second subinterface for the Ethernet interface.
  - Select Network > Interfaces > Ethernet and select the Layer 2 interface: ethernet1/1.
  - Select Add Subinterfaces.
  - The Interface Name defaults to the interface (ethernet1/1). After the period, enter 8.
  - For Tag, enter 400.
  - For Security Zone, select User.
  - Click OK.
- Create a VLAN for the Layer 2 interface and its two subinterfaces.
  - Select Network > VLANs and Add a VLAN.
  - Enter the Name of the VLAN; for this example, enter Datacenter.
  - For VLAN Interface, select None.
  - For Interfaces, click Add and select the Layer 2 interface ethernet1/1 and the two subinterfaces ethernet1/1.7 and ethernet1/1.8.
  - Click OK.
- Block non-IP protocol packets in a Zone Protection profile.
  - Select Network > Network Profiles > Zone Protection and Add a profile.
  - Enter the Name, in this example, Block LLDP.
  - Enter a profile Description, for example: Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
  - Select Protocol Protection.
  - Choose a Rule Type of Exclude List.
  - Enter the Protocol Name LLDP.
  - Enter the Ethertype code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
  - Select Enable.
  - Click OK.
- Apply the Zone Protection profile to the security zone to which the Layer 2 VLAN belongs.
  - Select Network > Zones.
  - Add a zone.
  - Enter the Name of the zone, User.
  - For Location, select the virtual system where the zone applies.
  - For Type, select Layer2.
  - Add an Interface that belongs to the zone, ethernet1/1.7.
  - Add an Interface that belongs to the zone, ethernet1/1.8.
  - For Zone Protection Profile, select the profile Block LLDP.
  - Click OK.
- Commit. Click Commit.
- View the number of non-IP packets the firewall has dropped based on protocol protection:

      > show counter global name pkt_nonip_pkt_drop
      > show counter global name pkt_nonip_pkt_drop delta yes
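As an added illustration (not code from the original page or from PAN-OS), the following Python models how the Exclude List profile above decides allow or drop per frame, including 802.1Q-tagged frames as seen on subinterfaces .7 and .8 (tags 300 and 400), and tallies the drops the way the pkt_nonip_pkt_drop counter reports them. The frame builder and the set of Ethertypes that protocol protection never evaluates are assumptions made for the example.

```python
import struct

LLDP = 0x88CC        # the Ethertype the profile above lists
VLAN_TAG = 0x8100    # 802.1Q; subinterfaces .7 and .8 carry tags 300 and 400
# Assumption: Ethertypes the profile never evaluates (modelled on the IPv4,
# ARP, 802.1Q and IPv6 exemptions of PAN-OS protocol protection).
EXEMPT = {0x0800, 0x0806, 0x8100, 0x86DD}


def make_frame(ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame, optionally 802.1Q tagged."""
    dst = bytes.fromhex("0180c200000e")   # LLDP nearest-bridge multicast
    src = bytes.fromhex("001122334455")   # constructed source MAC
    tag = struct.pack("!HH", VLAN_TAG, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def inner_ethertype(frame):
    """Return the payload Ethertype, stepping over a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype


def verdict(frame, rule_type, listed, enabled=True):
    """Decide allow/drop the way the profile's Protocol Protection does.
    rule_type "exclude": listed Ethertypes are dropped, all others pass.
    rule_type "include": only listed Ethertypes pass, all others are dropped.
    """
    if not enabled:
        return "allow"
    etype = inner_ethertype(frame)
    if etype in EXEMPT:
        return "allow"
    hit = etype in listed
    if rule_type == "exclude":
        return "drop" if hit else "allow"
    if rule_type == "include":
        return "allow" if hit else "drop"
    raise ValueError(f"unknown rule type {rule_type!r}")


def count_nonip_drops(frames, rule_type, listed):
    """Tally drops, the quantity pkt_nonip_pkt_drop reports on the firewall."""
    return sum(verdict(f, rule_type, listed) == "drop" for f in frames)
```

Feeding the same frames through "include" with {LLDP} shows the opposite policy: everything non-IP except LLDP is dropped, which is why the Exclude List is the right rule type for this use case.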