cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
ext22
ext22
Not applicable
‎07-25-2011 04:57 AM
‎07-25-2011 04:57 AM

how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

hello everyone,
I think the title of my subject is explisite, I want to get Cisco Discovery Protocol (CDP)  traffic through my palo alto, which is in virtual wire the problem is that frame cdp does not contain IP header so my the question is how to get it through a firewall.
I did catch the traffic levels I see the traffic coming into the firewall and I see it being simply droped

Reply
Highlighted
jdavis
jdavis
Not applicable
‎07-25-2011 10:46 AM
‎07-25-2011 10:46 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

ext22,

Check your Traffic Log.  Which rule is denying the traffic?

Is this traffic moving between interfaces in the same zone?

Is it moving between two different zones?  Do you have a policy defined to allow traffic between those zones?

You shouldn't need anything more than the proper security policy configuration for this to work.

Best Regards,

Jared

Reply
ext22
ext22
Not applicable
‎07-27-2011 08:27 AM
‎07-27-2011 08:27 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

Hi jdavis,

The traffic has to pass between two interfaces in diffirents zone, you tell me that i have to make a polcie to allow CDP packets but CDP packets don't have any IP or TCP header how can i made a police to allow this type of traffic.

Thanks,

Ouassil

0 Likes
Reply
bpappas
bpappas
L6 Presenter
‎07-27-2011 09:32 AM
‎07-27-2011 09:32 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

CDP is a multicast protocol. Have you enabled "multicast firewalling" on the vwire? That ought to allow the traffic. The PAN does not pass multicast traffic in its default configuration state.

-Benjamin

0 Likes
Reply
jdavis
jdavis
Not applicable
‎07-27-2011 10:15 AM
‎07-27-2011 10:15 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

I did some more reading on CDP and found this Cisco.com web page (http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#cdp).  It states, "CDP uses SNAP encapsulation with type code 2000".

Unfortunately, it looks like there is not a solution to your issue.  The release notes for PAN-OS 3.1.9 and 4.0.4 both list a known issue, bug 908.  It reads, "[908] LLC SNAP/802.2 packets do not pass through the device".  There are no plans to change this at this time.

Best Regards,

Jared

0 Likes
Reply
ext22
ext22
Not applicable
‎07-28-2011 07:30 AM
‎07-28-2011 07:30 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

Thanks,

0 Likes
Reply
KovalenkoDmitiriy
KovalenkoDmitiriy
L0 Member
‎01-27-2014 05:39 AM
‎01-27-2014 05:39 AM

Re: how to pass Cisco CDP traffic through a Paloalto in virtual wire mode

Anything has changed since 2011?

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2019 - Palo Alto Networks