LLDP
Understand Link Layer Discovery Protocol (LLDP) and LLDP data units.
Where Can I Use This? / What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP enables the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
Palo Alto Networks firewalls support only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
  • If the interface type is vwire, the firewall forwards the datagram to the other port.
  • If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
  • If the interface type is L3, the firewall drops the datagrams.
LLDP is not supported on Panorama or on the WF-500 appliance.
Interface types that don’t support LLDP are tap, high availability (HA), Decrypt Mirror, virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:
Within the LLDP Ethernet frame, the TLV structure has the following format:
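As an added example (not code from the Palo Alto Networks documentation), the following Python parser walks the frame and TLV layout described above: Ethernet header, 0x88CC EtherType, then a chain of TLVs each with a 7-bit type and 9-bit length, and mirrors the destination-MAC decision from the previous section. The neighbour MAC, port name and the "forward-per-interface-type" label are constructed values and assumptions, not firewall output.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
# 802.1AB group addresses; the firewall transmits to and processes only the first one
NEAREST_BRIDGE = bytes.fromhex("0180c200000e")
OTHER_LLDP_GROUPS = {bytes.fromhex("0180c2000003"), bytes.fromhex("0180c2000000")}

def parse_lldpdu(payload):
    """Walk the TLV chain: 2-byte header = 7-bit type + 9-bit length, then value."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(payload):
            raise ValueError("TLV length runs past end of LLDPDU")
        tlvs.append((ttype, payload[off:off + tlen]))
        off += tlen
        if ttype == 0:          # End of LLDPDU TLV terminates the chain
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")

def classify_frame(frame):
    """Mirror the firewall's choice: decode the LLDPDU, hand the frame to the
    interface type's normal forwarding action, or treat it as ordinary traffic."""
    dst, etype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if etype != LLDP_ETHERTYPE:
        return "not-lldp", []
    if dst == NEAREST_BRIDGE:
        return "process", parse_lldpdu(frame[14:])
    if dst in OTHER_LLDP_GROUPS:
        return "forward-per-interface-type", []   # vwire: pass; L2: flood; L3: drop
    return "not-lldp", []

def tlv(ttype, value):
    """Encode one TLV (assumed helper used only to build the sample frame)."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value

# Constructed sample: a neighbour switch (made-up MAC) advertising port ethernet1/1
SRC_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAME = (NEAREST_BRIDGE + SRC_MAC + struct.pack("!H", LLDP_ETHERTYPE)
                + tlv(1, b"\x04" + SRC_MAC)            # Chassis ID, subtype 4 = MAC
                + tlv(2, b"\x05" + b"ethernet1/1")     # Port ID, subtype 5 = ifname
                + tlv(3, struct.pack("!H", 120))       # TTL in seconds
                + tlv(0, b""))                         # End of LLDPDU

if __name__ == "__main__":
    action, tlvs = classify_frame(SAMPLE_FRAME)
    print(action, [(t, v.hex()) for t, v in tlvs])
```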

LLDP Syslog Messages and SNMP Traps

The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate-limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you view the LLDP status information. This is normal, expected behavior.
A maximum of five MIBs can be received per interface (Ethernet or AE); each distinct source (neighbor) accounts for one MIB. If this limit is exceeded, the firewall raises the error message tooManyNeighbors.