If you don’t implement a Zone Protection profile
with non-IP protocol protection, the firewall allows non-IP protocols
in a single zone to go from one Layer 2 interface to another. In
this use case, blocking LLDP packets ensures that LLDP for one network
doesn’t discover a network reachable through another interface in
the zone.
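
One way to confirm the block is effective is to capture frames on the far interface and check that none of them carry LLDP. The following is an added example, not code from the original page or from the firewall vendor; it assumes raw Ethernet frames are available as bytes, and the sample frames and MAC addresses are constructed.

```python
import struct

LLDP_ETHERTYPE = 0x88CC            # EtherType assigned to LLDP (IEEE 802.1AB)
TAG_ETHERTYPES = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags precede the real EtherType


def ethertype(frame: bytes) -> int:
    """Return the payload EtherType of an Ethernet frame, skipping VLAN tags."""
    offset = 12  # destination MAC (6 bytes) + source MAC (6 bytes)
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_ETHERTYPES:
            return etype
        offset += 4  # 2-byte TPID + 2-byte tag control information


def lldp_leaks(frames):
    """Return (index, source MAC) for each LLDP frame in a capture.

    Run it over frames captured on the far side of the zone: with LLDP
    blocked by the Zone Protection profile the result should be empty.
    Frames too short to parse are skipped.
    """
    leaks = []
    for i, frame in enumerate(frames):
        try:
            if ethertype(frame) == LLDP_ETHERTYPE:
                leaks.append((i, frame[6:12].hex(":")))
        except ValueError:
            continue
    return leaks


def _frame(dst, src, etype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed sample frame (not real captured traffic)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex(dst + src) + tag + struct.pack("!H", etype) + payload


# Constructed capture: ARP, untagged LLDP, LLDP tagged with VLAN 7, and a runt.
SAMPLE = [
    _frame("ffffffffffff", "020000000001", 0x0806),
    _frame("0180c200000e", "020000000002", 0x88CC),
    _frame("0180c200000e", "020000000003", 0x88CC, vlan=7),
    b"\x01\x80\xc2",
]
```
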
In the following figure, the Layer 2 VLAN named
Datacenter is divided into two subinterfaces: subinterface .7 (192.168.1.1/24)
and subinterface .8 (192.168.1.2/24). The VLAN belongs to the
User zone. By applying a Zone Protection profile that blocks LLDP
to the User zone: