Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

If you don’t implement a Zone Protection profile with non-IP protocol protection, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use case, blacklisting LLDP packets ensures that LLDP for one network doesn’t discover a network reachable through another interface in the zone.

In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces: 192.168.1.1/24, subinterface .7 and 192.168.1.2/24, subinterface .8. The VLAN belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:

Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.

Create a subinterface for an Ethernet interface.

Select
Network
Interfaces
Ethernet
and select a Layer 2 interface, in this example, ethernet1/1.
Select
Add Subinterfaces
.
The
Interface Name
defaults to the interface (ethernet 1/1). After the period, enter 7.
For
Tag
, enter 300.
For
Security Zone
, select User.
Click
OK
.

Create a second subinterface for the Ethernet interface.

Select
Network
Interfaces
Ethernet
and select the Layer 2 interface: ethernet1/1.
Select
Add Subinterfaces
.
The
Interface Name
defaults to the interface (ethernet 1/1). After the period, enter 8.
For
Tag
, enter 400.
For
Security Zone
, select User.
Click
OK
.

Create a VLAN for the Layer2 interface and two subinterfaces.

Select
Network
VLANs
and
Add
a VLAN.
Enter the
Name
of the VLAN; for this example, enter Datacenter.
For
VLAN Interface
, select
None
.
For
Interfaces
, click
Add
and select the Layer 2 interface: ethernet1/1, and two subinterfaces: ethernet1/1.7 and ethernet1/1.8.
Click
OK
.

Block non-IP protocol packets in a Zone Protection profile.

Select
Network
Network Profiles
Zone Protection
and
Add
a profile.
Enter the
Name
, in this example, Block LLDP.
Enter a profile
Description
—Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
Select
Protocol Protection
.
Choose
Rule Type
of
Exclude List
.
Enter
Protocol Name
LLDP.
Enter
Ethertype
code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
Select
Enable
.
Click
OK
.

Apply the Zone Protection profile to the security zone to which Layer 2 VLAN belongs.

Select
Network
Zones
.
Add
a zone.
Enter the
Name
of the zone, User.
For
Location
, select the virtual system where the zone applies.
For
Type
, select
Layer2
.
Add
an
Interface
that belongs to the zone, ethernet1/1.7
Add
an
Interface
that belongs to the zone, ethernet1/1.8.
For
Zone Protection Profile
, select the profile Block LLDP.
Click
OK
.

Commit.

Click

Commit

.

View the number of non-IP packets the firewall has dropped based on protocol protection.

Access the CLI.

> 
show counter global name pkt_nonip_pkt_drop 
> 
show counter global name pkt_nonip_pkt_drop delta yes