diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py
index e1c8d45ad50..9ae3806da24 100644
--- a/neutron/extensions/securitygroup.py
+++ b/neutron/extensions/securitygroup.py
@@ -134,6 +134,11 @@ class SecurityGroupConflict(nexception.Conflict):
     message = _("Error %(reason)s while attempting the operation.")
 
 
+class SecurityGroupRuleInvalidEtherType(nexception.InvalidInput):
+    message = _("Security group rule for ethertype '%(ethertype)s' not "
+                "supported. Allowed values are %(values)s.")
+
+
 def convert_protocol(value):
     if value is None:
         return
@@ -161,6 +166,8 @@ def convert_ethertype_to_case_insensitive(value):
         for ethertype in sg_supported_ethertypes:
             if ethertype.lower() == value.lower():
                 return ethertype
+    raise SecurityGroupRuleInvalidEtherType(
+        ethertype=value, values=sg_supported_ethertypes)
 
 
 def convert_validate_port_value(port):
diff --git a/neutron/tests/unit/extensions/test_securitygroup.py b/neutron/tests/unit/extensions/test_securitygroup.py
index 6ff3ed0f332..c7195803b9d 100644
--- a/neutron/tests/unit/extensions/test_securitygroup.py
+++ b/neutron/tests/unit/extensions/test_securitygroup.py
@@ -1559,3 +1559,11 @@ class TestConvertProtocol(base.BaseTestCase):
 
     def test_convert_numeric_protocol_to_string(self):
         self.assertIsInstance(ext_sg.convert_protocol(2), str)
+
+
+class TestConvertEtherType(base.BaseTestCase):
+    def test_convert_unsupported_ethertype(self):
+        for val in ['ip', 'ip4', 'ip6', '']:
+            self.assertRaises(ext_sg.SecurityGroupRuleInvalidEtherType,
+                              ext_sg.convert_ethertype_to_case_insensitive,
+                              val)