Palo Alto LLDP Neighbors

I just configured LLDP, the Link Layer Discovery Protocol, on a Palo Alto Networks firewall. What I really like about these firewalls is that the configuration options are complete while still being easy to use: everything can be done via the GUI, even viewing the neighbors/peers. By default the Palo sends only a few TLVs, but the set of advertised TLVs can be extended with LLDP profiles.

Following are a few configuration screenshots from the Palo as well as the config and show commands from a Cisco switch.

(If you are interested in what LLDP looks like on the wire, have a look at the downloadable pcap file in this blogpost and filter for lldp.)

The following documentation was made with a PA-3020 cluster with PAN-OS 8.0.1 and two Cisco C3750 switches (C3750-IPBASEK9-M), Version 12.2(50)SE3.

LLDP without Profiles

LLDP must be enabled globally and on every (hardware) interface on which it should run. In high availability environments the checkbox “Enable in HA Passive State” can be ticked so that LLDP also runs on the passive unit (recommended). Note that I am not using LLDP profiles so far (but later). The peers can then be viewed through the GUI:

To enable LLDP on a Cisco switch, issue lldp run in global configuration mode. The neighbors are then listed with show lldp neighbors, and show lldp neighbors detail prints every TLV that was received on each port.

Without an LLDP profile on the Palo Alto firewall, the show commands on the Cisco switch reveal almost nothing ;) only the MAC address (chassis ID) and the connected port ID of the Palo Alto:

There is also a show command on the Palo side (show lldp neighbors all) which shows much more information about the Cisco switch, since the switch sends more TLVs by default:

LLDP with Profiles

To reveal more information about the Palo Alto, an LLDP profile with the desired optional TLVs must be created and then selected on the interface. Keep in mind that LLDP is unauthenticated and everything the profile adds (system name, system description, management address, and so on) is readable by any device on that link, so enable it only on interfaces towards switches you manage:

Now the show commands on the Cisco switches show the following information:
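To make the TLV point concrete, here is a small LLDP encoder/decoder. It is an added example and not code from the original post or from Palo Alto Networks or Cisco. It builds two constructed LLDPDUs, the mandatory-only set (chassis ID, port ID, TTL) that matches what the Cisco side sees from the Palo without a profile, and a full set with the optional TLVs a profile adds, parses them the way a neighbor table would, and rejects a frame whose TLV length field runs past the end of the frame instead of over-reading. All MAC addresses, host names, descriptions, capability bits and the 192.0.2.0/24 addresses are made up for the example.

```python
# Build and decode IEEE 802.1AB (LLDP) frames. Added example; all neighbor data is constructed.
import struct
from typing import Optional

LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge group address, not forwarded by bridges
LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {0: "End", 1: "ChassisID", 2: "PortID", 3: "TTL", 4: "PortDescription",
             5: "SystemName", 6: "SystemDescription", 7: "SystemCapabilities",
             8: "ManagementAddress", 127: "OrgSpecific"}
MANDATORY = ["ChassisID", "PortID", "TTL"]
TEXT_FIELDS = {4: "port_desc", 5: "sys_name", 6: "sys_desc"}
CAP_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
            0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}
MIN_LEN = {1: 2, 2: 2, 3: 2, 7: 4, 8: 9}  # shortest legal value per type, enforced before indexing


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit length packed into a 16-bit header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac: bytes, port_id: str, ttl: int = 120,
                port_desc: Optional[str] = None, sys_name: Optional[str] = None,
                sys_desc: Optional[str] = None, caps: Optional[int] = None,
                mgmt_ipv4: Optional[str] = None) -> bytes:
    """Ethernet frame carrying an LLDPDU; only the mandatory TLVs unless optional ones are given."""
    pdu = _tlv(1, b"\x04" + src_mac)             # Chassis ID, subtype 4 = MAC address
    pdu += _tlv(2, b"\x05" + port_id.encode())   # Port ID, subtype 5 = interface name
    pdu += _tlv(3, struct.pack("!H", ttl))
    if port_desc is not None:
        pdu += _tlv(4, port_desc.encode())
    if sys_name is not None:
        pdu += _tlv(5, sys_name.encode())
    if sys_desc is not None:
        pdu += _tlv(6, sys_desc.encode())
    if caps is not None:
        pdu += _tlv(7, struct.pack("!HH", caps, caps))  # supported and enabled bitmaps
    if mgmt_ipv4 is not None:
        addr = b"\x01" + bytes(int(o) for o in mgmt_ipv4.split("."))  # subtype 1 = IPv4
        # address length, address, interface numbering subtype 2 (ifIndex), ifIndex 0, OID length 0
        pdu += _tlv(8, bytes([len(addr)]) + addr + b"\x02" + struct.pack("!I", 0) + b"\x00")
    pdu += _tlv(0, b"")
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode an LLDP frame; raises ValueError on anything that would make a naive decoder over-read."""
    if len(frame) < 14 or frame[:6] != LLDP_MCAST or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    info = {"src_mac": _mac(frame[6:12]), "tlvs": []}
    off = 14
    while True:
        if off + 2 > len(frame):
            raise ValueError("LLDPDU ends without an End TLV")
        hdr, = struct.unpack("!H", frame[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length or length < MIN_LEN.get(tlv_type, 0):
            raise ValueError(f"TLV type {tlv_type}: bad length {length}")
        off += 2 + length
        info["tlvs"].append(TLV_NAMES.get(tlv_type, f"Type{tlv_type}"))
        if tlv_type == 0:
            break
        if tlv_type == 1:    # chassis ID: subtype 4 is a MAC, other subtypes are shown as text
            info["chassis_id"] = _mac(value[1:]) if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == 2:  # port ID: subtype 3 is a MAC
            info["port_id"] = _mac(value[1:]) if value[0] == 3 else value[1:].decode(errors="replace")
        elif tlv_type == 3:
            info["ttl"], = struct.unpack("!H", value[:2])
        elif tlv_type in TEXT_FIELDS:
            info[TEXT_FIELDS[tlv_type]] = value.decode(errors="replace")
        elif tlv_type == 7:
            _supported, enabled = struct.unpack("!HH", value[:4])
            info["capabilities"] = [n for bit, n in sorted(CAP_BITS.items()) if enabled & bit]
        elif tlv_type == 8:
            alen = value[0]
            if value[1] == 1 and alen == 5:  # IPv4
                info["mgmt_address"] = ".".join(str(b) for b in value[2:6])
            else:
                info["mgmt_address"] = value[1:1 + alen].hex()
    if info["tlvs"][:3] != MANDATORY:
        raise ValueError(f"mandatory TLVs missing or out of order: {info['tlvs'][:3]}")
    return info


def optional_tlvs(info: dict) -> list:
    """Names of the optional TLVs the neighbor chose to advertise, i.e. what a profile adds."""
    return [t for t in info["tlvs"] if t not in MANDATORY and t != "End"]


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames (made-up MACs, names, capabilities and addresses), not captures from the post.
FW_MAC, SW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PALO_NO_PROFILE = build_frame(FW_MAC, "ethernet1/1")
PALO_WITH_PROFILE = build_frame(FW_MAC, "ethernet1/1", port_desc="uplink to sw1", sys_name="fw-lab",
                                sys_desc="Palo Alto Networks firewall (constructed)", caps=0x10,
                                mgmt_ipv4="192.0.2.1")
SWITCH = build_frame(SW_MAC, "Gi1/0/1", port_desc="GigabitEthernet1/0/1", sys_name="sw1",
                     sys_desc="Cisco IOS C3750 (constructed)", caps=0x04, mgmt_ipv4="192.0.2.2")
# End TLV stripped and replaced by a TLV whose length field claims 200 bytes that are not in the frame.
MALFORMED = PALO_NO_PROFILE[:-2] + struct.pack("!H", (6 << 9) | 200) + b"short"

if __name__ == "__main__":
    for label, frame in (("Palo, no profile", PALO_NO_PROFILE), ("Palo, with profile", PALO_WITH_PROFILE),
                         ("Cisco switch", SWITCH)):
        n = parse_frame(frame)
        print(f"{label:20} chassis={n['chassis_id']} port={n['port_id']} optional={optional_tlvs(n)}")
    print("malformed frame accepted:", is_well_formed(MALFORMED))
```

Run stand-alone, the mandatory-only frame yields an empty optional list, which is exactly why the Cisco table showed nothing but the chassis MAC and port ID; the profile frame yields the five optional TLVs that then populate show lldp neighbors detail. The length check matters because the 9-bit length field is attacker-controlled on an unauthenticated link-local protocol.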


One more Note

On the passive Palo Alto device, the high availability widget shows the following information when using the “Enable in HA Passive State” option:

Links

That’s it.

Featured image: “Neighbors” by Jeremy Brooks is licensed under CC BY-NC 2.0.
