I just configured LLDP, the Link Layer Discovery Protocol, on a Palo Alto Networks firewall. What I really like about those firewalls is the completeness of the configuration capabilities combined with how easy they are to use. Everything can be done via the GUI, even viewing the neighbors/peers. By default, only a few TLVs are sent by the Palo, but this can be extended by using LLDP profiles.
Following are a few configuration screenshots from the Palo as well as the config and show commands from a Cisco switch.
(If you are interested in how LLDP looks on the wire, have a look at the downloadable pcap file in this blogpost and filter for lldp.)
The following documentation was made with a PA-3020 cluster with PAN-OS 8.0.1 and two Cisco C3750 switches (C3750-IPBASEK9-M), Version 12.2(50)SE3.
LLDP without Profiles
LLDP must be enabled globally and on every (hardware) interface on which it should run. In high availability environments the checkmark “Enable in HA Passive State” can be ticked to also run it on the passive unit (recommended). Note that I am not using the LLDP profiles so far (they come later in this post). The peers can then be viewed through the GUI:
To enable LLDP on a Cisco switch, issue the following command in global configuration mode: lldp run.
Without the LLDP profiles on the Palo Alto firewall, the “show” commands on the Cisco switch reveal almost nothing ;) only the MAC address and the connected port ID of the Palo Alto:
---SW1 connected to active Palo Alto---

PA-TESTSW01#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
001b.17eb.830c      Gi1/0/3        120                        ethernet1/15
PA-TESTSW02         Fa1/0/48       120        B               Fa1/0/48

Total entries displayed: 2

PA-TESTSW01#
PA-TESTSW01#
PA-TESTSW01#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.830c
Port id: ethernet1/15
Port Description - not advertised
System Name - not advertised
System Description - not advertised

Time remaining: 110 seconds
System Capabilities - not advertised
Enabled Capabilities - not advertised
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW01#


---SW2 connected to passive Palo Alto---

PA-TESTSW02#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
PA-TESTSW01         Fa1/0/48       120        B               Fa1/0/48
001b.17eb.6fa2      Gi1/0/3        120                        ethernet1/15
54ee.753c.c613      Fa1/0/47       3601                       54ee.753c.c613

Total entries displayed: 3

PA-TESTSW02#
PA-TESTSW02#
PA-TESTSW02#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.6fa2
Port id: ethernet1/15
Port Description - not advertised
System Name - not advertised
System Description - not advertised

Time remaining: 119 seconds
System Capabilities - not advertised
Enabled Capabilities - not advertised
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW02#
There is also a show command on the Palo side, which shows much more information about the Cisco switch, since the switch sends more TLVs by default:
---Palo Alto active unit---

admin@PA-1(active)> show lldp neighbors ethernet1/15

Local information:
   Index                    30
   Local interface:         ethernet1/15
   Local Port ID:           15

Neighbor information:
   Chassis type:            MAC address
   Chassis ID:              08:17:35:08:17:35
   Port type:               Interface name
   Port ID:                 Gi1/0/3
   Port description:        GigabitEthernet1/0/3
   TTL:                     109
   System name:             PA-TESTSW01.pa-lab.local
   System description:      Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(50)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 22-Jul-09 06:19 by prod_rel_team
   System capabilities:
      Supported:            B, R,
      Enabled:              B,
   Management address type: ipv4
   Management address:      172.31.30.5
   Interface number:        300
   Interface type:          Ifindex
   oid:


---Palo Alto passive unit---

admin@PA-2(passive)> show lldp neighbors ethernet1/15

Local information:
   Index                    30
   Local interface:         ethernet1/15
   Local Port ID:           15

Neighbor information:
   Chassis type:            MAC address
   Chassis ID:              9c:af:ca:9c:af:ca
   Port type:               Interface name
   Port ID:                 Gi1/0/3
   Port description:        GigabitEthernet1/0/3
   TTL:                     116
   System name:             PA-TESTSW02.pa-lab.local
   System description:      Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(50)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 22-Jul-09 06:19 by prod_rel_team
   System capabilities:
      Supported:            B, R,
      Enabled:              B,
   Management address type: ipv4
   Management address:      172.31.30.6
   Interface number:        300
   Interface type:          Ifindex
   oid:
LLDP with Profiles
To reveal more information about the Palo Alto, an LLDP profile must be created and then assigned to the interface:
Now the show commands on the Cisco switches show the following information:
---SW1 connected to active Palo Alto---

PA-TESTSW01#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.830c
Port id: ethernet1/15
Port Description - not advertised
System Name: PA-1
System Description: Palo Alto Networks PA-3000 series firewall

Time remaining: 115 seconds
System Capabilities: O,P,B,R
Enabled Capabilities: O,R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW01#


---SW2 connected to passive Palo Alto---

PA-TESTSW02#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.6fa2
Port id: ethernet1/15
Port Description - not advertised
System Name: PA-2
System Description: Palo Alto Networks PA-3000 series firewall

Time remaining: 115 seconds
System Capabilities: O,P,B,R
Enabled Capabilities: O,R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW02#
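To make the difference between the two advertisements concrete at the frame level, here is an added example (my own code, not from this post and not from Palo Alto Networks or Cisco): a small parser for LLDP frames (IEEE 802.1AB TLVs), plus a report of which optional TLVs a neighbour sends, in the style of the “detail” output above. The frames it parses are constructed inline: the chassis MAC, port names, system names, capability letters and the switch’s management address mirror the values in the show output in this post, while the TLV subtypes, the raw capability bit values and the exact contents of the switch-side frame are my assumptions about what the devices put on the wire, not captures from the lab.

```python
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
# TLV type numbers from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
TEXT_TLVS = {TLV_PORT_DESC: "port_description", TLV_SYS_NAME: "system_name",
             TLV_SYS_DESC: "system_description"}
# System capability bits (802.1AB Table 8-4) with the letters IOS prints for them
CAP_LETTERS = {0: "O", 1: "P", 2: "B", 3: "W", 4: "R", 5: "T", 6: "C", 7: "S"}
# Optional TLVs that 'show lldp neighbors ... detail' lists as advertised / not advertised
OPTIONAL_TLVS = [("port_description", "Port Description"), ("system_name", "System Name"),
                 ("system_description", "System Description"), ("capabilities", "System Capabilities"),
                 ("management_address", "Management Addresses")]

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def caps_to_letters(bits):
    return ",".join(letter for bit, letter in CAP_LETTERS.items() if bits & (1 << bit))

def decode_id(value, mac_subtype):
    # Chassis ID / Port ID value: one subtype byte, then the identifier itself
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype and len(ident) == 6:
        return fmt_mac(ident)
    return ident.decode("utf-8", errors="replace")

def decode_mgmt_addr(value):
    """Layout: addr-len, addr-subtype, addr, if-numbering-subtype, if-number (4 bytes), oid-len, oid."""
    addr_len, subtype = value[0], value[1]
    addr = value[2:1 + addr_len]
    if_number = struct.unpack("!I", value[2 + addr_len:6 + addr_len])[0]
    address = ".".join(str(b) for b in addr) if subtype == 1 and len(addr) == 4 else addr.hex()
    return {"address": address, "if_number": if_number}

def parse_lldp(frame):
    """Decode the TLVs of one Ethernet-framed LLDPDU into a dict."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    info, off = {"src_mac": fmt_mac(frame[6:12])}, 14
    while off + 2 <= len(frame):
        header = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = header >> 9, header & 0x1FF        # 7-bit type, 9-bit length
        value = frame[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        off += 2 + tlen
        if ttype == TLV_END:
            break
        if ttype == TLV_CHASSIS_ID:
            info["chassis_id"] = decode_id(value, mac_subtype=4)
        elif ttype == TLV_PORT_ID:
            info["port_id"] = decode_id(value, mac_subtype=3)
        elif ttype == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif ttype in TEXT_TLVS:
            info[TEXT_TLVS[ttype]] = value.decode("utf-8", errors="replace")
        elif ttype == TLV_SYS_CAP:
            supported, enabled = struct.unpack("!HH", value[:4])
            info["capabilities"] = {"supported": caps_to_letters(supported),
                                    "enabled": caps_to_letters(enabled)}
        elif ttype == TLV_MGMT_ADDR:
            info["management_address"] = decode_mgmt_addr(value)
    return info

def disclosure_report(info):
    """What the neighbour discloses, in the style of 'show lldp neighbors ... detail'."""
    return {label: info.get(key, "not advertised") for key, label in OPTIONAL_TLVS}

# --- frames constructed for this example (assumed wire contents, not captures from the lab) ---
def tlv(ttype, value):
    return struct.pack("!H", (ttype << 9) | len(value)) + value

def build_frame(src_mac, tlvs):
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + b"".join(tlvs) + tlv(TLV_END, b"")

PALO_MAC = bytes.fromhex("001b17eb830c")
BASE_TLVS = [tlv(TLV_CHASSIS_ID, b"\x04" + PALO_MAC),   # chassis subtype 4: MAC address
             tlv(TLV_PORT_ID, b"\x05ethernet1/15"),      # port subtype 5: interface name
             tlv(TLV_TTL, struct.pack("!H", 120))]

def palo_frame(with_profile):
    """Palo advertisement: the three mandatory TLVs, plus name/description/capabilities with a profile."""
    extra = [tlv(TLV_SYS_NAME, b"PA-1"),
             tlv(TLV_SYS_DESC, b"Palo Alto Networks PA-3000 series firewall"),
             tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0017, 0x0011))]  # supported O,P,B,R / enabled O,R
    return build_frame(PALO_MAC, BASE_TLVS + (extra if with_profile else []))

def switch_frame():
    """Switch side: adds a Management Address TLV (IPv4 172.31.30.5, ifIndex 300)."""
    sw_mac = bytes.fromhex("081735081735")
    mgmt = bytes([5, 1, 172, 31, 30, 5, 2]) + struct.pack("!I", 300) + bytes([0])
    return build_frame(sw_mac, [tlv(TLV_CHASSIS_ID, b"\x04" + sw_mac), tlv(TLV_PORT_ID, b"\x05Gi1/0/3"),
                                tlv(TLV_TTL, struct.pack("!H", 120)),
                                tlv(TLV_SYS_NAME, b"PA-TESTSW01.pa-lab.local"), tlv(TLV_MGMT_ADDR, mgmt)])

if __name__ == "__main__":
    for frame in (palo_frame(False), palo_frame(True), switch_frame()):
        print(disclosure_report(parse_lldp(frame)))
```

Feeding the raw bytes of a real LLDP frame from the pcap mentioned above to parse_lldp() produces the same kind of report. From a defender’s point of view, the System Description TLV is the one to watch: for the Palo it only names the platform, but for the Cisco switch it carries the exact IOS version, and both are handed to every neighbour on the link once the TLV is enabled, so it is worth checking which TLVs a profile turns on before assigning it to interfaces that face less trusted segments.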
One more Note
On the passive Palo Alto device, the high availability widget shows the following information when using the “Enable in HA Passive State” option:
Links
- Palo Alto Networks – LLDP Overview
- Cisco Systems – Using Link Layer Discovery Protocol in Multivendor Networks
- Wikipedia – Link Layer Discovery Protocol
That’s it.
Featured image: “Neighbors” by Jeremy Brooks is licensed under CC BY-NC 2.0.