Understand Link Layer Discovery Protocol (LLDP) and LLDP data units.
Where Can I Use This?
NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the
link layer to discover neighboring devices and their capabilities. LLDP enables the
firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and
from neighbors. The receiving device stores the information in a MIB, which the Simple
Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier,
especially for virtual wire deployments where the firewall would typically go undetected
by a ping or traceroute.
LLDP operates at Layer 2 of the OSI model and is addressed by MAC address, not IP. An LLDPDU is a sequence
of type-length-value (TLV) elements encapsulated in an Ethernet frame (EtherType 0x88CC). The IEEE 802.1AB
standard defines three destination MAC addresses for LLDPDUs, each bounding how far a frame travels:
01-80-C2-00-00-0E (Nearest Bridge, not forwarded by any bridge), 01-80-C2-00-00-03 (Nearest non-TPMR
Bridge), and 01-80-C2-00-00-00 (Nearest Customer Bridge).
Palo Alto Networks firewalls support only one of these addresses for transmitting and receiving
LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses
01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes only
frames with 01-80-C2-00-00-0E as the destination MAC address. If the firewall
receives an LLDPDU addressed to either of the other two MAC addresses on its interfaces, it does
not parse it; instead it takes the same forwarding action it took before LLDP support was added, as follows:
If the interface type is vwire, the firewall forwards the frame to the other
port of the virtual wire.
If the interface type is L2, the firewall floods the frame to the rest of the
VLAN.
If the interface type is L3, the firewall drops the frame.
Panorama and the WF-500 appliance are not supported.
Interface types that don’t support LLDP are tap, high availability (HA), Decrypt Mirror,
virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC)
interfaces.
An LLDP Ethernet frame has the following format: destination MAC address (6 bytes), source MAC
address (6 bytes), EtherType 0x88CC (2 bytes), the LLDPDU (a chain of TLVs), and the frame check
sequence.
Within the LLDP Ethernet frame, each TLV has the following format: a 7-bit TLV type, a 9-bit
length (0 to 511), and the value of that length. The IEEE 802.1AB standard requires the first three
TLVs to be Chassis ID (type 1), Port ID (type 2), and Time To Live (type 3), and the last to be
End of LLDPDU (type 0, length 0); the types in between are optional.
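The frame and TLV layouts above, as an added Python example that is not Palo Alto Networks code: it builds an LLDPDU for a constructed sample neighbor, parses it back into TLVs (rejecting truncated or misordered ones), and applies the per-interface-type handling for the three 802.1AB destination MACs. The action names, the interface-type strings, and the sample switch are assumptions made for illustration.

```python
"""Build and parse LLDP frames, and dispatch on destination MAC per interface type.
Added example, not Palo Alto Networks code; action names and sample data are assumptions."""
import struct

LLDP_ETHERTYPE = 0x88CC
NEAREST_BRIDGE = bytes.fromhex("0180c200000e")     # the only address the firewall processes
NEAREST_NONTPMR = bytes.fromhex("0180c2000003")
NEAREST_CUSTOMER = bytes.fromhex("0180c2000000")
LLDP_DST_MACS = {NEAREST_BRIDGE, NEAREST_NONTPMR, NEAREST_CUSTOMER}

# Legacy forwarding action for LLDPDUs the firewall does not process (names assumed)
LEGACY_ACTION = {"vwire": "forward-to-other-port", "l2": "flood-vlan", "l3": "drop"}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type, 9-bit length, then up to 511 bytes of value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type is 7 bits and length is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac: bytes, port_id: bytes, ttl: int, sys_name: bytes,
                     dst_mac: bytes = NEAREST_BRIDGE) -> bytes:
    """Ethernet header (dst, src, EtherType 0x88CC) followed by the mandatory
    Chassis ID, Port ID and TTL TLVs, an optional System Name, and End of LLDPDU."""
    lldpdu = (build_tlv(1, b"\x04" + src_mac)      # chassis ID subtype 4 = MAC address
              + build_tlv(2, b"\x05" + port_id)    # port ID subtype 5 = interface name
              + build_tlv(3, struct.pack("!H", ttl))
              + build_tlv(5, sys_name)
              + build_tlv(0, b""))
    return dst_mac + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_tlvs(lldpdu: bytes):
    """Walk the TLV chain; rejects truncated TLVs, a missing End TLV, and a
    missing or misordered mandatory Chassis ID / Port ID / TTL triple."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError(f"truncated TLV type {tlv_type} at offset {off - 2}")
        tlvs.append((tlv_type, lldpdu[off:off + length]))
        off += length
        if tlv_type == 0:
            break
    else:
        raise ValueError("no End of LLDPDU TLV")
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    return tlvs


def is_valid_lldpdu(lldpdu: bytes) -> bool:
    try:
        parse_tlvs(lldpdu)
        return True
    except ValueError:
        return False


def neighbor_summary(tlvs) -> dict:
    """Decode the fields the firewall would store for one neighbor."""
    out = {}
    for tlv_type, value in tlvs:
        if tlv_type == 1 and value[:1] == b"\x04":
            out["chassis_id"] = value[1:].hex(":")
        elif tlv_type == 2:
            out["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:
            out["system_name"] = value.decode("ascii", "replace")
    return out


def handle_frame(frame: bytes, interface_type: str):
    """Returns ("process", tlvs) for 01-80-C2-00-00-0E; otherwise the legacy action
    for the other two 802.1AB addresses, or "not-lldp" for anything else."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != LLDP_ETHERTYPE or dst not in LLDP_DST_MACS:
        return ("not-lldp", None)
    if dst == NEAREST_BRIDGE:
        return ("process", parse_tlvs(frame[14:]))
    return (LEGACY_ACTION[interface_type], None)


if __name__ == "__main__":
    # Constructed sample neighbor: a switch announcing itself on its Gi1/0/1 port
    frame = build_lldp_frame(bytes.fromhex("001122334455"), b"Gi1/0/1", 120, b"sw1")
    action, tlvs = handle_frame(frame, "vwire")
    print(action, neighbor_summary(tlvs))
```

The parser stops at the End TLV and refuses a chain whose declared length runs past the buffer, which is the check that matters when the bytes come from an untrusted neighbor rather than from the builder above.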
LLDP Syslog Messages and SNMP Traps
The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If
you want the firewall to send SNMP trap notifications and syslog messages about LLDP
events, you must enable SNMP Syslog Notification in an LLDP
profile.
The firewall sends syslog messages (RFC 5424, The Syslog Protocol) and SNMP traps (RFC 1157, A Simple
Network Management Protocol) when the LLDP MIB changes. These messages are
rate-limited by the Notification Interval, an LLDP global
setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP
information provided to those processes might not match the current LLDP statistics
seen when you view the LLDP status information. This is normal, expected behavior.
The firewall stores a maximum of five neighbor MIBs per interface (Ethernet or AE), one
per distinct neighbor (source). When a sixth neighbor is seen on the same interface, the firewall
raises the error message tooManyNeighbors. Because LLDPDUs carry no authentication, any device
on the segment can announce itself and occupy one of these slots, so a tooManyNeighbors error on an
interface that should see a single neighbor is worth investigating rather than ignoring.
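The per-interface neighbor limit and the Notification Interval rate-limiting described in this section, as an added Python model that is not PAN-OS code. It shows why the contents of a notification can lag the live LLDP status: changes that arrive within the interval are coalesced into the next notification, which reports the table as it stands at that moment. The table layout, the single global timer, and the decision not to store a sixth neighbor are assumptions; the text states only the limit of five and the error name.

```python
"""Model of the LLDP neighbor limit and Notification Interval rate-limiting.
Added example, not PAN-OS code; the data structures, the single global timer and
the choice to drop the sixth neighbor are assumptions for illustration."""

MAX_NEIGHBORS_PER_INTERFACE = 5   # five MIBs per Ethernet/AE interface (from the text)
NOTIFICATION_INTERVAL = 5.0       # seconds; the documented default


class LldpNeighborTable:
    def __init__(self, interval: float = NOTIFICATION_INTERVAL):
        self.interval = interval
        self.neighbors = {}        # iface -> {(chassis_id, port_id): (info, expiry)}
        self.errors = []           # (time, iface, error name)
        self.notifications = []    # (time, iface, neighbor count) actually emitted
        self._last_sent = None     # assumption: one timer for the whole firewall
        self._pending = set()      # interfaces whose MIB changed since the last notification

    def neighbor_count(self, iface: str) -> int:
        return len(self.neighbors.get(iface, {}))

    def receive(self, iface, chassis_id, port_id, info, ttl, now) -> bool:
        """Store or refresh one neighbor MIB. Returns False if the interface is full."""
        key = (chassis_id, port_id)
        table = self.neighbors.setdefault(iface, {})
        if key not in table and len(table) >= MAX_NEIGHBORS_PER_INTERFACE:
            self.errors.append((now, iface, "tooManyNeighbors"))
            return False                      # assumption: the extra neighbor is not stored
        old = table.get(key)
        table[key] = (info, now + ttl)
        if old is None or old[0] != info:     # a refresh with identical data is not a MIB change
            self._pending.add(iface)
        self.flush(now)
        return True

    def expire(self, iface: str, now: float) -> int:
        """Drop neighbors whose TTL has run out; that is a MIB change too."""
        table = self.neighbors.get(iface, {})
        dead = [k for k, (_, expiry) in table.items() if expiry <= now]
        for k in dead:
            del table[k]
        if dead:
            self._pending.add(iface)
        self.flush(now)
        return len(dead)

    def flush(self, now: float) -> int:
        """Emit at most one burst of notifications per interval; pending changes wait.
        Each notification reports the table as it is now, not each intermediate state."""
        if not self._pending:
            return 0
        if self._last_sent is not None and now - self._last_sent < self.interval:
            return 0
        sent = 0
        for iface in sorted(self._pending):
            self.notifications.append((now, iface, self.neighbor_count(iface)))
            sent += 1
        self._pending.clear()
        self._last_sent = now
        return sent


if __name__ == "__main__":
    # Constructed scenario: six neighbors appear on ethernet1/1 within a few seconds
    t = LldpNeighborTable()
    for i, now in enumerate([0.0, 1.0, 2.0, 3.0, 4.0, 4.5]):
        ok = t.receive("ethernet1/1", f"sw{i}", "Gi1/0/1", f"switch-{i}", 120, now)
        print(f"t={now}: stored={ok} neighbors={t.neighbor_count('ethernet1/1')}")
    print(t.flush(5.0), "notification(s) at t=5.0:", t.notifications)
    print("errors:", t.errors)
```

Calling `flush` from a periodic timer is what lets the model catch changes that arrived during a quiet interval; without it, a change made just after a notification would sit pending until the next LLDPDU arrived.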