Getting started with Ethernet rules

Ethernet rules are lists of matching criteria and actions that define whether Ethernet protocol traffic is allowed or discarded.

Ethernet rules are used by IPS engines, Layer 2 Firewalls, and layer 2 physical interfaces on Firewalls.

Traffic matching in Ethernet rules is based on the Source and Destination MAC addresses in the frames and on the Ethernet protocol (Service) carried. Any Ethernet traffic, such as ARP, RARP, IPv6, Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP), can be checked against the Ethernet rules. Matching traffic can be allowed or discarded. Regardless of the action taken, a matching rule can also create a log or alert entry.

The following types of interfaces can stop traffic when the Discard action is used:

  • Inline IPS Interfaces on Firewalls
  • Inline Layer 2 Firewall Interfaces on Firewalls
  • Inline Interfaces on IPS engines
  • Inline Interfaces on Layer 2 Firewalls

For the following types of interfaces, only the Allow action is available:

  • Capture Interfaces on Firewalls
  • Capture Interfaces on IPS engines
  • Capture Interfaces on Layer 2 Firewalls

If your policy is based on the IPS Template or the Layer 2 Firewall Template, the Ethernet rules direct IPv4 and IPv6 traffic to the Inspection Policy for inspection, and let ARP, RARP, and STP traffic through. You can use the first Insert Point in the template to make exceptions to this behavior for certain MAC addresses or Logical Interfaces. We recommend that you insert any other changes at the second insert point.

Make sure that your Ethernet rules direct IP traffic for inspection against the Access rules by applying the default IPv4 and IPv6 Services to traffic. Traffic that does not match any Ethernet rule is let through without further inspection, so a policy that omits either IP Service silently bypasses the Access rules for that protocol.
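The following added example (not Forcepoint NGFW or SMC code) models the behaviour described above: first-match evaluation of an ordered Ethernet rule list over raw frames, with the template's default rules, an exception inserted at the first Insert Point, and the no-match fallthrough that lets traffic through without inspection. The rule and service names, the frame bytes and the `inspect` action label are constructed for illustration; it also handles an 802.1Q-tagged frame and an 802.3/LLC STP BPDU, which the text does not spell out.

```python
"""Added example (not Forcepoint NGFW/SMC code): a small model of first-match
Ethernet rule evaluation over raw frames, showing how the template's default
rules, an exception at the first Insert Point, and the no-match fallthrough
interact. Rule fields, frame bytes and names are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

ANY = None  # wildcard for MAC fields and services


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    ethertype: Optional[int]        # None for 802.3 length-encoded frames
    llc_dsap: Optional[int] = None  # first LLC byte of an 802.3 frame


def parse_frame(raw: bytes) -> Frame:
    """Parse dst/src MAC and the type field, skipping one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    off = 12
    (tpid,) = struct.unpack("!H", raw[off:off + 2])
    if tpid == 0x8100:                      # VLAN tag: skip TCI, read the inner type
        off += 4
        (tpid,) = struct.unpack("!H", raw[off:off + 2])
    off += 2
    if tpid >= 0x0600:                      # Ethernet II: the field is an EtherType
        return Frame(dst, src, tpid)
    dsap = raw[off] if len(raw) > off else None   # 802.3: length, then LLC header
    return Frame(dst, src, None, dsap)


def classify(f: Frame) -> str:
    """Map a frame to the service name an Ethernet rule would match on."""
    by_type = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP", 0x86DD: "IPv6"}
    if f.ethertype is not None:
        return by_type.get(f.ethertype, "other")
    return "STP" if f.llc_dsap == 0x42 else "other"   # BPDUs use LLC SAP 0x42


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" | "discard" | "inspect"
    services: Optional[FrozenSet[str]] = ANY  # None = any Ethernet traffic
    src: Optional[str] = ANY                  # MAC address or None
    dst: Optional[str] = ANY
    log: bool = False

    def matches(self, f: Frame) -> bool:
        return ((self.src is ANY or self.src == f.src)
                and (self.dst is ANY or self.dst == f.dst)
                and (self.services is ANY or classify(f) in self.services))


def evaluate(rules: List[Rule], f: Frame, log: List[str]) -> Tuple[str, Optional[str]]:
    """First matching rule wins. With no match the frame is let through, uninspected."""
    for r in rules:
        if r.matches(f):
            if r.log:
                log.append(f"{r.name}: {r.action} {classify(f)} {f.src} -> {f.dst}")
            return r.action, r.name
    return "allow", None  # fallthrough: allowed without Access rule inspection


# Rules modelled on the template behaviour described above (names are ours).
TEMPLATE = [
    Rule("IPv4 to Inspection", "inspect", frozenset({"IPv4"})),
    Rule("IPv6 to Inspection", "inspect", frozenset({"IPv6"})),
    Rule("ARP/RARP/STP", "allow", frozenset({"ARP", "RARP", "STP"})),
]
# An exception placed at the first Insert Point: drop and log ARP from one MAC.
EXCEPTION = Rule("Block rogue ARP", "discard", frozenset({"ARP"}),
                 src="de:ad:be:ef:00:01", log=True)
POLICY = [EXCEPTION] + TEMPLATE
# Misconfigured variant: the IPv6 Service was left out of the policy.
POLICY_NO_IPV6 = [r for r in POLICY if r.name != "IPv6 to Inspection"]

# Constructed frames (header bytes only; payloads are irrelevant to matching).
H = bytes.fromhex
FRAMES = {
    "ipv4": H("001122334455") + H("66778899aabb") + H("0800") + b"\x45" * 20,
    "ipv6_vlan": H("001122334455") + H("66778899aabb") + H("8100 0064 86dd") + b"\x60" * 40,
    "rogue_arp": H("ffffffffffff") + H("deadbeef0001") + H("0806") + b"\x00" * 28,
    "stp_bpdu": H("0180c2000000") + H("66778899aabb") + H("0026 4242 03") + b"\x00" * 35,
}


def run(policy: List[Rule]) -> Tuple[dict, List[str]]:
    """Evaluate every constructed frame against a policy; return verdicts and log."""
    log: List[str] = []
    verdicts = {name: evaluate(policy, parse_frame(raw), log) for name, raw in FRAMES.items()}
    return verdicts, log


if __name__ == "__main__":
    for label, pol in (("policy", POLICY), ("policy without IPv6 Service", POLICY_NO_IPV6)):
        verdicts, log = run(pol)
        print(label, verdicts, log)
```

Running it shows the point of the warning above: with the full policy the VLAN-tagged IPv6 frame is sent to inspection, while with the IPv6 rule missing the same frame reaches the end of the list and is allowed without any Access rule evaluation. The exception rule placed ahead of the template rules is what discards (and logs) ARP from the listed MAC; placed after them it would never match, because the template's ARP rule would already have allowed the frame.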