Today I noticed that we lost a server. Actually we knew the place but not the switch port it is connected to. You might say: just look for the MAC address — yeeesss, but it is connected via LACP, the first link was up, but the 2nd one — the one I was interested in — was not. Or better to say, it was up but disabled by the LACP algorithm on the Linux machine.
What happened? Someone rewired the switch and changed the 2nd port of the server to some other switch port. Sadly he wasn't at hand to be sent to the offsite datacenter to follow the cables.
Luckily I got the idea to check for the LLDP messages the switch sends out on every port and catch them with tcpdump. A short google away was this wonderful website from Darren:
```
## Switch:
tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'

## Port and CDP Neighbor Info:
tcpdump -v -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'
```
An output might look like this:
```
16:25:10.589903 LLDP, length 329
[...]
  Subtype Local (7): Eth155/1/27
[...]
  Port Description TLV (4), length 16: Ethernet155/1/27
  System Name TLV (5), length 11: S1425-B2-01
[...]
  Management Address length 5, AFI IPv4 (1): s1425-b2-01.net.gwdg.de
[...]
  Port VLAN Id Subtype (1)
    port vlan id (PVID): 991
[...]
```
As you can see, among others, we get the Switch, Port and VLAN information. Yeehaw!