Tunneling CDP frames

  • Question
  • Updated 3 years ago
  • Answered
Best solutions out there to tunnel CDP in a mixed Extreme network... 

Edge is 150-460 summit running 12.6 to 15.6

Core is 670 or 8900 MSM 128 running 15.4 - 15.6 

Some support L2PT and some do not. I think what I need to do is build a counter profile to see where the CDP frames are failing and then build the tunnel there for the VLANs I need to forward CDP on.

Here is what I am using for this, which works when applied to a specific VLAN on an edge UNI port or to the trunk port on the next hop. Problem is, this is going to be a big task to go through 100-plus VLANs one segment at a time to find the blocking points.

entry cdp_pdu {
    if {
        ethernet-destination-address 01:00:0c:cc:cc:cc;
        snap-type 0x2000;
    } then {
        count cdp_ingress;
    }
}

Another question is when replace-ethernet-destination-address got added to the image and made active. I have not found a version of code that supports this statement yet. I guess it is not needed on switches that support L2PT profiles?

The problem started when we started updating code from 12.6 to 15.xx; it seemed CDP started being blocked and not passing through the network.

Thanks ahead of time
EtherMAN, Embassador

Posted 3 years ago

andreas
I totally agree. CDP started blocking at 15.5. No idea why they implemented this "feature".
Why not have the one that wants CDP enable it?
Prashanth KG, Employee
Hi Etherman,

From 15.4, we (EXOS) started supporting the CDP protocol, and it is enabled by default.

So, the CDP packets may be processed by the switch and not forwarded across to the Cisco device. Try disabling the CDP protocol on the ports of the Extreme switches (which were upgraded to 15.4 and above) and check if that helps.

Command: disable cdp ports <>

If that does not help, the following article will guide you to configure an L2PT profile to allow the CDP packets.

https://gtacknowledge.extremenetworks.com/articles/Solution/Layer-two-layer-2-protocol-packets-does-not-pass-though-the-VMAN-tunnel-after-upgrade-of-EXOS

Hope this helps! 
Prashanth KG, Employee
Regarding the replace-ethernet-destination-address attribute, I believe it is related to the hardware and not the software.
We need not use this attribute if EXOS supports the L2PT profile.
andreas
This is freaking hilarious.

I have recently upgraded to 15.6.1.3.

Trying the workaround described in
https://gtacknowledge.extremenetworks...

Gives me the following error.

Slot-1 L460.1 # show configuration | inc cdp
create protocol filter "cdp"
configure protocol filter "cdp" add snap 0x2000
Slot-1 L460.2 # create l2pt profile Allow-cdp
* Slot-1 L460.3 # configure l2pt profile "Allow-cdp" add protocol filter "cdp" action tunnel
Error: The protocol filter "cdp" is incompatible with L2PT since the protocol filter entry "Protocol id 0x2000 (SNAP)" does not specify a destination address.

So the article needs to be updated. ......

Btw I'm making a case of this cause right now this sucks so hard.
Prashanth KG, Employee
Hi Andreas,

I am going to jump into the quick answer below and try to reduce the frustration this is causing already. 

For allowing the CDP packets, EXOS has a default filter already created. 

conf l2pt profile "allowcdp" add protocol filter 

<filter_name>   Protocol filter name
    "ANY"        "appletalk"  "cdp"        "decnet"     "dtp"
    "edp"        "IP"         "IPv6"       "ipx"        "ipx_8022"
    "ipx_snap"   "lacp"       "lldp"       "mpls"       "netbios"
    "pagp"       "stp"        "udld"       "vtp"

So, there is no need to define an additional filter. By modifying or creating one, EXOS recognises this as a new user-defined filter and hence expects a destination address.

Following are the sample configuration commands that need to be configured on the VMAN switches:

- create l2pt profile <any name>
- configure l2pt profile <profile name> add protocol filter cdp action tunnel
- configure vman <vman name> ports <port-list in which we expect to ingress and egress the CDP packets> l2pt profile <profile name>


I am working on editing the article. Will post the updated link.

Hope this helps!  
EtherMAN, Embassador
Better explanation... Still have questions. This only works on VMANs and not VLANs???? Looks like it has to be done edge to edge, so I would guess we would need to have the edge switches updated to support L2PT tunnels and apply the filter to the untagged port at the edge? Will it not work if CDP is in a tagged frame where the edge is passing the frame through a tagged port to a core switch that blocks it due to being on 15.4 or newer code? I have verified with CDP counter ACLs that our newer core switches are the ones blocking the CDP frames even though they are arriving as tagged frames.
andreas
Same here. I tested this on an X460-24x with version 15.6.3.1.

This is the response I get:

configure l2pt profile allowcdp add protocol filter cdp

create l2pt profile allowcdp
configure l2pt profile allowcdp add protocol filter cdp
Error: The protocol filter "cdp" is incompatible with L2PT since the protocol filter entry "Protocol id 0x2000 (SNAP)" does not specify a destination address.
show protocol "cdp" detail 
    Protocol Name      : cdp
    Protocol Id Type   : snap
    Protocol Id Value  : 0x2000
    Destination Address: 
    Field Offset       : 
    Field Value        : 
    Field Mask         :

Not sure how this would work even though the example is updated? Please test with 15.6.3.1.
Prashanth KG, Employee
Hi Andreas,

I tested with 15.6.3.1 on an X460-24x.

I am able to configure the protocol filter. 

X460-24x.12 # sh protocol filter cdp detail
    Protocol Name      : cdp
    Protocol Id Type   : snap
    Protocol Id Value  : 0x2000
    Destination Address: 01:00:0c:cc:cc:cc
    Field Offset       :
    Field Value        :
    Field Mask         :


Current State:    OPERATIONAL
Image Selected:   secondary
Image Booted:     secondary
Primary ver:      15.7.2.9
Secondary ver:    15.6.3.1

X460-24x.14 # conf l2pt profile "allowcdp" add protocol filter "cdp"
* X460-24x.15 # sh l2pt profile
  <cr>            Execute the command
  |               Filter the output of the command
  <profile_name>  Show only the specified profile
    "allowcdp"
* X460-24x.15 # sh l2pt profile "allowcdp"
Profile Name                      Protocol Filter Name              Action  CoS
--------------------------------  --------------------------------  ------  ---
allowcdp                          cdp                               Tunnel

Please share the following output: 

show configuration detail | include cdp

Have you modified the CDP protocol filter that was already defined? If so, what changes were made?

I think if we explicitly configure the destination address for this protocol filter again, we can make it work.

configure protocol filter "cdp" add dest-mac 01:00:0c:cc:cc:cc snap 0x2000 

Please try this and let us know! 
Prashanth KG, Employee
Hi Etherman,

We can configure the L2PT profiles for the VLAN as well. It does not matter if the port is tagged or untagged, as these L2 protocol frames will not have a dot1q field.

The article below explains the procedure for configuring an L2PT profile.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-l2pt-profile-in-Extreme-Switches

Hope this helps! 
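For readers who want to check offline what the counter ACL in the opening post actually matches (destination MAC 01:00:0c:cc:cc:cc plus SNAP protocol id 0x2000) and how that match behaves on tagged versus untagged frames, the following Python is an added example; it is not code from this thread or from Extreme Networks. It parses raw Ethernet frames, strips a single 802.1Q tag if present, and applies the same two-field predicate the ACL uses, additionally checking the Cisco OUI 00:00:0c in the SNAP header (the ACL's snap-type keyword matches only the protocol id). The frames it classifies are constructed inline for the demonstration; the per-VLAN tally mirrors the "count cdp_ingress" approach used to find which VLANs lose CDP, and the extra SNAP ids (VTP, DTP, PAgP, UDLD) show why the destination MAC alone is not a CDP match.

```python
import struct
from typing import Dict, List, Optional

# Constants for the match. The multicast MAC and SNAP id 0x2000 are the ones
# the thread's ACL uses; the OUI check is an addition of this example.
CISCO_L2_MCAST = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc
CISCO_OUI = bytes.fromhex("00000c")
ETHERTYPE_VLAN = 0x8100
CDP_SNAP_PID = 0x2000
# Other Cisco L2 protocols that share the same destination MAC and OUI, so a
# rule that omits the snap-type would count them as CDP.
SNAP_PID_NAMES = {0x2000: "cdp", 0x2003: "vtp", 0x2004: "dtp",
                  0x0104: "pagp", 0x0111: "udld"}


def parse_frame(frame: bytes) -> dict:
    """Extract dst/src MAC, optional 802.1Q VLAN id, and LLC/SNAP OUI + PID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6], "src": frame[6:12], "vlan": None,
            "oui": None, "snap_pid": None}
    off = 12
    type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    if type_or_len == ETHERTYPE_VLAN:            # one 802.1Q tag present
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        info["vlan"] = tci & 0x0FFF
        off += 4
        type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    # Values <= 1500 are an 802.3 length, meaning an LLC header follows.
    if type_or_len <= 1500 and len(frame) >= off + 8:
        dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
        if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03:   # SNAP
            info["oui"] = frame[off + 3:off + 6]
            info["snap_pid"] = struct.unpack("!H", frame[off + 6:off + 8])[0]
    return info


def is_cdp(frame: bytes) -> bool:
    """Same predicate as the ACL entry: dst MAC AND SNAP id 0x2000 (plus OUI)."""
    p = parse_frame(frame)
    return (p["dst"] == CISCO_L2_MCAST and p["oui"] == CISCO_OUI
            and p["snap_pid"] == CDP_SNAP_PID)


def classify(frame: bytes) -> str:
    """Name the frame the way a per-protocol counter ACL would bucket it."""
    p = parse_frame(frame)
    if p["dst"] != CISCO_L2_MCAST or p["oui"] != CISCO_OUI:
        return "other"
    return SNAP_PID_NAMES.get(p["snap_pid"], "cisco-unknown")


def count_cdp(frames: List[bytes]) -> Dict[str, int]:
    """Mirror of `count cdp_ingress`: tally CDP against everything else."""
    counts = {"cdp_ingress": 0, "other_cisco_l2": 0, "other": 0}
    for f in frames:
        kind = classify(f)
        if kind == "cdp":
            counts["cdp_ingress"] += 1
        elif kind == "other":
            counts["other"] += 1
        else:
            counts["other_cisco_l2"] += 1
    return counts


def cdp_by_vlan(frames: List[bytes]) -> Dict[Optional[int], int]:
    """CDP count keyed by VLAN id (None = untagged); this is the per-VLAN view
    the original poster wants when hunting for the segment that drops CDP."""
    tally: Dict[Optional[int], int] = {}
    for f in frames:
        if is_cdp(f):
            vlan = parse_frame(f)["vlan"]
            tally[vlan] = tally.get(vlan, 0) + 1
    return tally


def build_snap_frame(dst: bytes, src: bytes, oui: bytes, pid: int,
                     payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Construct an 802.3 + LLC/SNAP frame, optionally with one 802.1Q tag."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    body = bytes([0xAA, 0xAA, 0x03]) + oui + struct.pack("!H", pid) + payload
    return hdr + struct.pack("!H", len(body)) + body


# Constructed sample frames (source MACs and payload bytes are made up).
SRC = bytes.fromhex("0011223344aa")
CDP_PAYLOAD = b"\x02\xb4\x00\x00"                 # version 2, TTL 180, dummy checksum
SAMPLE_FRAMES = [
    build_snap_frame(CISCO_L2_MCAST, SRC, CISCO_OUI, CDP_SNAP_PID, CDP_PAYLOAD),
    build_snap_frame(CISCO_L2_MCAST, SRC, CISCO_OUI, CDP_SNAP_PID, CDP_PAYLOAD, vlan=100),
    build_snap_frame(CISCO_L2_MCAST, SRC, CISCO_OUI, 0x2003, b"\x01\x00"),   # VTP
    bytes.fromhex("000c29aabbcc") + SRC + struct.pack("!H", 0x0800) + b"\x45" * 20,  # IPv4
]

if __name__ == "__main__":
    print(count_cdp(SAMPLE_FRAMES))
    print(cdp_by_vlan(SAMPLE_FRAMES))
```

Running the block prints one CDP frame untagged and one on VLAN 100, with the VTP frame kept out of the CDP bucket; feeding it frames captured from a port mirror on the suspect core switch gives the same per-VLAN answer the counter ACL does without touching 150 VLANs one at a time.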
EtherMAN, Embassador
Thanks for the clarification... Now I have to figure out where the CDP frames are being blocked and set up the L2PT profiles... will report back in 2 weeks... heading to NANOG/ARIN for a week of meetings... I have successfully been able to set up CDP counter ACLs, so now it is just a matter of going through a bunch of switches for about 150 VLANs to see where in our systems they are being dropped.