Example: restricting the use of Ethernet protocols

An example of configuring Ethernet rules to restrict which Ethernet protocols are allowed.

Now that the administrators at Company A from the previous example have a clear picture of which Ethernet protocols are being used, they want to restrict allowed protocols. The administrators determine that ARP and Spanning Tree Protocol (STP) must be allowed. Since most traffic will use these protocols, the administrators do not want to log matches to the rules that allow specific protocols.

They decide to block the Cisco Discovery Protocol (CDP) on the logical interface named Inline Interface because of security problems, and log detected CDP use.

To block the use of the CDP protocol, the administrators:
  1. Add a new rule in the Ethernet rules to allow ARP, Spanning Tree Protocol (STP), and IPv4 without producing any logs:

     Table 1. Ethernet rule for allowing ARP and STP use

     Logical Interface | Source | Destination | Service        | Action | Options
     ANY               | ANY    | ANY         | ARP, STP, IPv4 | Allow  | Logging: None

  2. Add another rule to block the use of Cisco Discovery Protocol (CDP) on the Inline Interface, and produce logs that will be stored:

     Table 2. Ethernet rule for blocking CDP use

     Logical Interface | Source | Destination | Service | Action  | Options
     Inline Interface  | ANY    | ANY         | CDP     | Discard | Logging: Stored

  3. Add a rule on the last line of the Ethernet rules to block the use of other Ethernet protocols without producing logs:

     Table 3. Ethernet rule for blocking other Ethernet protocols

     Logical Interface | Source | Destination | Service | Action  | Options
     ANY               | ANY    | ANY         | ANY     | Discard | Logging: None

  4. Save and install the policy on the IPS engine.
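The following is an added example, not code from the product documentation, that models the three rules above as a first-match table so the effect of their order can be checked against sample frames; the frame classifier is a simplified stand-in (ARP and IPv4 by EtherType, STP by LLC DSAP 0x42, CDP by Cisco SNAP OUI 0x00000C with protocol ID 0x2000), and the interface names and source/destination handling are assumptions for illustration.

```python
# Added example: first-match evaluation of the Ethernet rule table (Tables 1-3).
# Not Forcepoint code; the classifier below is a simplified stand-in that only
# recognises the four protocols this example needs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    interface: str       # logical interface the frame arrived on (assumed names)
    ethertype: int       # 0x0806 ARP, 0x0800 IPv4, or an 802.3 length (<= 0x05DC)
    llc_dsap: int = 0    # 0x42 = STP BPDU, 0xAA = SNAP (only for 802.3 frames)
    snap_oui: int = 0    # 0x00000C = Cisco OUI (only with SNAP)
    snap_pid: int = 0    # 0x2000 = CDP (only with Cisco SNAP)


def classify(frame: Frame) -> str:
    """Map a frame to the Service name used in the rule tables."""
    if frame.ethertype == 0x0806:
        return "ARP"
    if frame.ethertype == 0x0800:
        return "IPv4"
    if frame.ethertype <= 0x05DC:            # 802.3 length field: LLC/SNAP follows
        if frame.llc_dsap == 0x42:
            return "STP"
        if (frame.llc_dsap == 0xAA and frame.snap_oui == 0x00000C
                and frame.snap_pid == 0x2000):
            return "CDP"
    return "OTHER"


# (logical interface, services, action, logging) in the installed order.
# Source and Destination are ANY in every rule, so they are not modelled.
RULES = [
    ("ANY",              {"ARP", "STP", "IPv4"}, "Allow",   "None"),    # Table 1
    ("Inline Interface", {"CDP"},                "Discard", "Stored"),  # Table 2
    ("ANY",              {"ANY"},                "Discard", "None"),    # Table 3
]


def evaluate(frame: Frame, rules=RULES):
    """Return (action, logging, rule number) of the first rule that matches."""
    service = classify(frame)
    for number, (iface, services, action, logging) in enumerate(rules, 1):
        if iface not in ("ANY", frame.interface):
            continue
        if "ANY" in services or service in services:
            return action, logging, number
    raise RuntimeError("no catch-all rule")  # unreachable while Table 3 is last
```

Note that CDP arriving on any interface other than Inline Interface falls through to the final rule and is discarded without a log entry, which is what the table order implies.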