
Tracing MAC address within L2 segment

danailpetrov
Level 1

Hello guys,

I have been using that command for many years now and I showed it to a colleague of mine today, who raised an interesting question: How exactly does that work?

core01.acme.corp#traceroute mac 0025.84f7.0840 0026.3e03.5000 vlan 44
Source 0025.84f7.0840 found on core01.acme.corp
1 core01.acme.corp   (10.0.1.1)   : Vl44 => Gi1/11
2 dist01.acme.corp   (10.0.1.50)  : Gi0/3 => Gi0/4
3 access03.acme.corp (10.0.1.59)  : Gi0/3 => Fa0/10
3 access16.acme.corp (10.0.1.67)  : Fa0/1 => Fa0/22
Destination 0026.3e03.5000 found on access16.acme.corp
Layer 2 trace completed

And I couldn't answer. I know it's using CDP, but I'm not sure how exactly it manages to go through all the switches this way.

I tried to find some documentation about it, but couldn't find anything explaining how exactly that works.

Can you explain or point me to a document explaining it? 

Many thanks in advance!

5 Replies

Hi mate & thanks for your response.

I've seen the document you showed, but that still doesn't explain how exactly that works.

How does the switch know about the exact port / MAC location for switches a few hops away? Does it use a combination of CDP & SNMP? Is it relying upon CDP only? If so, again, how does it know about something which is a few hops away?

D

Fair point, I see where you are coming from.

It's obviously using CDP to work out the next switch in the chain. The guide also states it uses the CAM tables, but I guess you are asking how the command run on one switch is able to do a CAM table lookup on a neighbour switch, yes?

Best guess, it's a Cisco utility so they have designed it to do that. How? Not a clue, I am afraid.

One of the more technical guys may come along and provide more information hopefully. 

Devils_advocate - You are on the right track. The L2 traceroute tool uses a combination of CDP and MAC table lookup, along with the mgmt IP or inband IP assigned to the switch, to help chalk out the path. Because of the proprietary nature of the tool this is all I can disclose :)

-Raj

Hi Raj & thanks for your response.

I appreciate that CDP is indeed Cisco's proprietary protocol and that, as an employee, you may have signed some sort of NDA and not be able to disclose information like that. In reality though, I don't think this is such a big deal, considering the fact that there are tons of libraries for pretty much every programming language where CDP has been dissected, and anyone who has really basic knowledge, not even of programming but rather scripting, is in a position to craft a CDP packet (e.g. python + scapy + <10 lines of code).

It will probably cost me roughly 15 min of SPANing those ports & analyzing the information with Wireshark to get to the bottom of it. My gut feeling is that CDP just uses some internal/special TLV for those purposes, following the traditional traceroute behaviour/approach, but simply doing that on L2. I was looking for someone to confirm/explain this to me instead of me doing this "reverse engineering" :-)

I may indeed spend some time on that & get back to you guys with the results. 


Thanks anyway!

D.
