Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol designed to facilitate the network management of Cisco devices by discovering hardware and protocol information about neighboring devices. By using CDP, Network Engineers can gather information about neighboring network devices, determining the type of hardware or equipment, software version, active interfaces the device is using (whether physical or VLAN), how they are configured, and other useful information. That is quite a bit of information, and this is useful for troubleshooting and documenting the network.
Cisco Discovery Protocol performs functions similar to several other proprietary network protocols such as Foundry Discovery Protocol (FDP), Nortel Discovery Protocol (NDP), Link Layer Topology Discovery (LLTD), and the vendor-neutral Link Layer Discovery Protocol (LLDP). The CDP is a very useful protocol for Cisco Network Engineers. You may not realize how important this protocol is until you find yourself responsible for a network infrastructure you know little or nothing about.
Imagine you just got hired into an organization as a Network Administrator. Your predecessor was recently fired and so there was little or no information about the network. All you were told was that the organization has a local and a wide area network (WAN) across three locations made up of mostly Cisco devices, and you were provided login details to the primary router at the head office. You are expected to ensure that business activities go on unimpeded. What do you do? Well, this is where CDP comes in handy for a Network Engineer who wants to discover and map out all interconnected network devices. CDP is quite useful for someone who may be new to a network and is trying to map it out to learn about neighboring devices, their parameters, and other configuration details.
In this guide, we’re going to show you how to use Cisco Discovery Protocol to gather useful information about neighbor devices and map out a network. Here’s a list of the tasks we’ll be covering:
- How CDP works
- Enabling/disabling CDP on Cisco devices
- Setting CDP Timer and Holdtime
- Gathering Neighbor Information
- Gathering Port and Interface Information
- Documenting a Network Topology Using CDP
- CDP Security Issues
How Cisco Discovery Protocol works
CDP is enabled by default on all supported devices such as Cisco routers and switches. These devices send and receive CDP messages (advertisements) out of their interfaces to directly connected neighboring devices. Since CDP operates at layer two (the data link layer), those messages are not forwarded or routed beyond the receiving device. That means you can only get CDP information about directly connected devices; if those neighbors are also Cisco devices running CDP, the two sides exchange information with each other.
When a Cisco device such as a router running CDP receives a CDP packet, it begins to build a table that lists the neighboring devices. Once the devices are discovered, they periodically send each other packets of updated information. These CDP packets contain useful information about the network devices, such as:
- Device type
- Hardware platform
- Hardware capabilities
- IOS version number
- Hostname
- The interface that generates the CDP message
- IP address of the device
- Port ID
- Number of seconds for which the CDP advertisement is valid (the holdtime)
CDP messages by default are generated every 60 seconds, and the Holdtime (discussed below) for missing neighbors is 180 seconds. CDP messages are distributed as multicasts using the SNAP (Subnetwork Access Protocol) frame type. SNAP is only supported by these media types: Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), Asynchronous Transfer Mode (ATM), Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and Frame Relay. CDP is available in IOS from version 10.3 on Cisco routers, switches, and other supported devices. CDPv1 is the initial version of the protocol and is only capable of collecting basic information about the device at the other end of the link. CDPv2 is the most recent release of the protocol and provides more intelligent device tracking features.
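To make the frame format described above concrete, here is an added example (not from the article or from Cisco) that decodes one CDP advertisement exactly as it travels on an Ethernet link: an 802.3 frame addressed to the multicast MAC 01:00:0C:CC:CC:CC, carrying an LLC/SNAP header with Cisco's OUI 00:00:0C and protocol ID 0x2000, then the CDP header (version, TTL which is the holdtime, checksum) and a run of type/length/value fields. The function name `decode_cdp_frame` is my own; `SAMPLE_FRAME` is hand-built to match the HQ_Switch entry shown later in the article, its source MAC is invented, and its checksum is left zero because this decoder does not verify it.

```python
"""Decode a CDP advertisement from a raw Ethernet frame (added example)."""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")   # LLC SAPs+ctrl, Cisco OUI, PID 0x2000

# CDP TLV type numbers for the fields "show cdp neighbors detail" prints.
TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID, TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 1, 2, 3, 4, 5, 6

# Capability bits and the letter codes "show cdp neighbors" prints for them.
CAPABILITY_BITS = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                   (0x10, "H"), (0x20, "I"), (0x40, "r")]

# Constructed sample frame: HQ_Switch as seen by HQ_Router (source MAC invented).
SAMPLE_FRAME = (
    CDP_MULTICAST_MAC                           # destination: every CDP frame goes here
    + bytes.fromhex("001122334455")             # source MAC (constructed)
    + struct.pack("!H", 88)                     # 802.3 length: 8 bytes LLC/SNAP + 80 bytes CDP
    + LLC_SNAP_CDP
    + bytes([2, 180]) + bytes.fromhex("0000")   # CDP version 2, holdtime 180 s, checksum zeroed
    + bytes.fromhex("0001000d") + b"HQ_Switch"                                    # Device ID
    + bytes.fromhex("00020011" "00000001" "0101cc" "0004") + bytes([10, 1, 1, 1])  # one IPv4 address
    + bytes.fromhex("00030011") + b"FastEthernet0"                                # Port ID
    + bytes.fromhex("00040008" "0000000a")                                        # Switch | Trans-Bridge
    + bytes.fromhex("00060015") + b"Cisco WS-C2950-12"                            # Platform
)


def _parse_addresses(value):
    """Address TLV body: 4-byte count, then (proto type, proto len, proto, addr len, addr) entries."""
    if len(value) < 4:
        raise ValueError("address TLV too short")
    (count,) = struct.unpack("!I", value[:4])
    pos, addrs = 4, []
    for _ in range(count):
        if pos + 2 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[pos], value[pos + 1]
        if pos + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[pos + 2:pos + 2 + plen]
        (alen,) = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        pos += 4 + plen + alen
        # NLPID 0xCC with a 4-byte address is IPv4; anything else is kept as hex.
        addrs.append(".".join(str(b) for b in addr) if ptype == 1 and proto == b"\xcc" and alen == 4
                     else addr.hex())
    return addrs


def decode_cdp_frame(frame):
    """Return the CDP fields of an Ethernet frame; raise ValueError if it is not CDP or malformed."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST_MAC:
        raise ValueError("not addressed to the CDP multicast MAC")
    if frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("no LLC/SNAP header with Cisco OUI and protocol ID 0x2000")
    (length,) = struct.unpack("!H", frame[12:14])
    if 14 + length > len(frame) or length < 12:
        raise ValueError("truncated CDP payload")
    cdp = frame[22:14 + length]                  # CDP header + TLVs
    info = {"src_mac": frame[6:12].hex(":"), "cdp_version": cdp[0], "holdtime": cdp[1],
            "device_id": None, "port_id": None, "platform": None, "version": None,
            "capabilities": [], "addresses": []}
    pos = 4
    while pos < len(cdp):
        if pos + 4 > len(cdp):
            raise ValueError(f"dangling bytes after TLVs at offset {pos}")
        tlv_type, tlv_len = struct.unpack("!HH", cdp[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(cdp):    # length covers the 4-byte header too
            raise ValueError(f"malformed TLV type {tlv_type} at offset {pos}")
        value = cdp[pos + 4:pos + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_ADDRESS:
            info["addresses"] = _parse_addresses(value)
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) >= 4:
            (caps,) = struct.unpack("!I", value[:4])
            info["capabilities"] = [code for bit, code in CAPABILITY_BITS if caps & bit]
        elif tlv_type == TLV_VERSION:
            info["version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        pos += tlv_len                           # unknown TLV types are skipped by length
    return info


def is_cdp_frame(frame):
    """True only if the frame decodes cleanly as CDP (useful as a capture filter check)."""
    try:
        decode_cdp_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, val in decode_cdp_frame(SAMPLE_FRAME).items():
        print(f"{key:12} {val}")
```

Running it prints the same Device ID, address, platform, capability codes and holdtime that HQ_Router's show cdp neighbors output lists for HQ_Switch, which is the point: every field in that table is carried in clear text in a multicast frame that any host on the segment can read.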
Enabling/Disabling CDP on Cisco Devices
For this section, our router will have a hostname of HQ_Router, and it will have two serial connections to routers named LOS_Router and NYC_Router, and one FastEthernet connection to a switch with the hostname HQ_Switch as shown in the diagram below:
As stated earlier, Cisco Discovery Protocol is enabled by default on all supported devices. If for whatever reason it’s not active, you can easily re-enable it. To enable or disable CDP, use the following command:
Description | Command |
---|---|
Enter privileged EXEC mode (Enter your password if prompted) | HQ_Router>enable |
Enter global configuration mode | HQ_Router#config t |
Enable CDP globally on a router | HQ_Router(config)# cdp run |
Disable CDP globally on a router | HQ_Router(config)# no cdp run |
Enter interface configuration mode (for say int fa0/1) | HQ_Router(config)#int fa0/1 |
Enable CDP on an interface if CDP is enabled globally | HQ_Router(config-if)# cdp enable |
Disable CDP on an interface | HQ_Router(config-if)# no cdp enable |
Setting Cisco Discovery Protocol Timer and Holdtime
The CDP Timer is the interval between CDP advertisements transmitted out of all active router interfaces; in other words, it describes how often CDP packets are sent. CDP timer is 90 seconds by default. CDP Holdtime, on the other hand, is the amount of time a router will hold CDP information received from a neighbor router before discarding it if the information is not refreshed by the neighbor. CDP Holdtime is set to 180 seconds by default.
You can use the global commands cdp timer and cdp holdtime to change the default time settings for the CDP Timer and Holdtime on your router as shown below:
Description | Command |
---|---|
Configure CDP Timer | HQ_Router(config)# cdp timer 100 |
Configure CDP Holdtime | HQ_Router(config)# cdp holdtime 200 |
Gathering Neighbor Information
In this section, we are going to learn how to gather information about directly connected devices. Here are all the commands we will use for this section:
Description | Command |
---|---|
Enter privileged EXEC mode (Enter your password if prompted) | HQ_Router>enable |
Display information about neighboring devices | HQ_Router#show cdp neighbors |
Display detailed information about neighboring devices | HQ_Router#show cdp neighbors detail |
Display detailed information about neighboring devices | HQ_Router# show cdp entry * |
Display IP addresses of each directly connected neighbor | HQ_Router#show cdp entry * protocols |
Display IOS version of each directly connected neighbor | HQ_Router# show cdp entry * version |
The following is the output of the show cdp neighbors command on our router:
```
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfc   Holdtime   Capability   Platform       Port ID
HQ_Switch    Fas 0/1        180        T S          CWS-C2950-12   Fas 0/0
LOS_Router   Ser 0/1/0      190        R S I        2801           Ser 0/2/0
NYC_Router   Ser 0/0/1      200        R S I        1841           Ser 0/0/1
HQ_Router#
```
From the output of the show cdp neighbors command above, you can see the neighboring devices (capability, i.e., router or switch), model number (platform), your port connecting to that device (local interface), and the port of the neighbor connecting to you (port ID). The table below is a summary of the information displayed by the show cdp neighbor command for each device.
Field | Description |
---|---|
Device ID | The hostname of the device directly connected. |
Local Interface | The port or interface on the host router (HQ_Router) |
Holdtime | The amount of time the router will hold the information before discarding if no more CDP packets are received. |
Capability | The type of neighboring network devices such as the router, switch, or repeater. The capability codes are listed at the top of the command output. |
Platform | The model number of the device directly connected. |
Port ID | The neighbor device’s port or interface on which the CDP packets are multicast. |
show cdp neighbors detail is a similar command we can use to gather more detailed information about directly connected devices. It can be run on both routers and switches, and it displays detailed information about each neighbor. Here is the output after running the command on our router:
```
Device ID: HQ_Switch
Entry address(es): 10.1.1.1
Platform: Cisco WS-C2950-12,  Capabilities: Trans-Bridge Switch
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0
Holdtime: 180 sec
-------------------------
Device ID: LOS_Router
Entry address(es):
  IP address: 10.2.2.1
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: Serial0/1/0,  Port ID (outgoing port): Serial0/2/0
Holdtime: 190 sec
Version:
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Experimental Version 12.4(20050525:193634) [jezhao-ani 145]
-------------------------
Device ID: NYC_Router
Entry address(es):
  IP address: 10.3.3.1
Platform: Cisco 1841,  Capabilities: Router Switch IGMP
Interface: Serial0/0/1,  Port ID (outgoing port): Serial0/0/1
Holdtime: 200 sec
Version:
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
-------------------------
[output cut]
HQ_Router#
```
What extra information does the above output provide us? As you can see, it shows us the IP addresses of all directly connected devices and their IOS versions, in addition to all other information displayed by the show cdp neighbor command.
There isn’t much difference between the show cdp entry * and show cdp neighbors detail commands. They basically display the same information. However, the show cdp entry * command has two unique options: show cdp entry * protocols and show cdp entry * version.
The show cdp entry * protocols command shows you just the IP addresses of each directly connected neighbor, while the show cdp entry * version shows you only the IOS version of your directly connected neighbors.
Gathering Port and Interface Information
In order to display port and interface information, we use the show cdp interface command as shown below.
Description | Command |
---|---|
Enter privileged EXEC mode (Enter your password if prompted) | HQ_Router>enable |
Display CDP status on router interfaces | HQ_Router#show cdp interface |
This command shows you the CDP status on router interfaces or switch ports. On a router, the show cdp interface command displays information about each interface using CDP, including the encapsulation on the line, the timer, and the holdtime for each interface. Here’s an example of this command’s output on our router:
```
HQ_Router#show cdp interface
FastEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 100 seconds
  Holdtime is 180 seconds
Serial0/1/0 is up, line protocol is up
  Encapsulation HDLC
  Sending CDP packets every 100 seconds
  Holdtime is 190 seconds
Serial0/0/1 is up, line protocol is up
  Encapsulation HDLC
  Sending CDP packets every 100 seconds
  Holdtime is 200 seconds
```
The above output clearly shows us the CDP status on the router interfaces. Of course, you can always turn off CDP on any interface on the router using the no cdp enable command described earlier. When CDP is turned off, it will no longer show up on the router output when you run the show cdp interface command.
Documenting a Network Topology Using CDP
Let’s assume you have just been hired as a Network Administrator for a TV station that cannot afford downtime. Your predecessor left unannounced, and so there was little or no information about the organization’s network topology to fall back on. All you have access to is the primary router at the head office. How can you document the network topology? CDP to the rescue! Now you can apply all the knowledge you have gained so far to document the network infrastructure. The basic parameters required to document a network are the target device type, the port or interface type, and the IP address of each interface. You can easily determine all of these using only Cisco Discovery Protocol commands and the show running-config command.
- The first thing you need to do is log on to the primary router and determine the IP addresses of its interfaces using the show running-config command. Once this step is completed, document the IP addresses of the primary router’s interfaces.
- Next, determine the type of device on the other end of each of those interfaces using the show cdp neighbors command. This reveals the device type connected to each of the primary router’s links, together with the local interface, Port ID, platform, etc., of the remote network device.
- Lastly, determine the IP address of each remote network device using the show cdp neighbors detail command. From all the information gathered using show running-config, show cdp neighbors, and show cdp neighbors detail, you can now draw the network topology of your organization and begin to assume responsibility for it.
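The three steps above, and the show cdp neighbors detail output discussed in the "Gathering Neighbor Information" section, can be automated once you have pasted the command output into a file. Here is an added example (my own code, not from the article or from Cisco) that parses the article's own HQ_Router output into a neighbor list and then emits one topology edge per CDP entry. `parse_cdp_detail`, `build_topology` and `document_neighbors` are names I chose; the local hostname is passed in because the command output does not contain it, and `SAMPLE_OUTPUT` is the article's output reproduced verbatim.

```python
"""Turn "show cdp neighbors detail" text into a documented topology (added example)."""
import re

# The article's own HQ_Router output, reproduced as sample input.
SAMPLE_OUTPUT = """\
Device ID: HQ_Switch
Entry address(es): 10.1.1.1
Platform: Cisco WS-C2950-12,  Capabilities: Trans-Bridge Switch
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0
Holdtime: 180 sec
-------------------------
Device ID: LOS_Router
Entry address(es):
  IP address: 10.2.2.1
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: Serial0/1/0,  Port ID (outgoing port): Serial0/2/0
Holdtime: 190 sec
Version:
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Experimental Version 12.4(20050525:193634) [jezhao-ani 145]
-------------------------
Device ID: NYC_Router
Entry address(es):
  IP address: 10.3.3.1
Platform: Cisco 1841,  Capabilities: Router Switch IGMP
Interface: Serial0/0/1,  Port ID (outgoing port): Serial0/0/1
Holdtime: 200 sec
Version:
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
-------------------------
[output cut]
HQ_Router#
"""

# One regex per field; each captures the value in group 1. The address pattern
# accepts both "Entry address(es): a.b.c.d" and the indented "IP address:" form.
FIELD_PATTERNS = {
    "device_id": r"Device ID:\s*(\S+)",
    "ip": r"Entry address\(es\):\s*(?:IP address:\s*)?(\d+\.\d+\.\d+\.\d+)",
    "platform": r"Platform:\s*([^,]+),",
    "capabilities": r"Capabilities:\s*(.+)",
    "local_interface": r"Interface:\s*([^,]+),",
    "port_id": r"Port ID \(outgoing port\):\s*(\S+)",
    "holdtime": r"Holdtime:\s*(\d+)",
    "version": r"Version:\s*(.+)",
}


def parse_cdp_detail(text):
    """Return one dict per neighbor block; missing fields (e.g. no Version line) are None."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        if "Device ID:" not in block:
            continue                       # skips "[output cut]" and the prompt
        entry = {}
        for field, pattern in FIELD_PATTERNS.items():
            match = re.search(pattern, block)
            entry[field] = match.group(1).strip() if match else None
        entry["holdtime"] = int(entry["holdtime"]) if entry["holdtime"] else None
        # Pull the short IOS release string (e.g. 12.4(1c)) out of the long version line.
        short = re.search(r"Version (\d+\.\d+\(\S+?\))", entry["version"] or "")
        entry["ios_version"] = short.group(1) if short else None
        neighbors.append(entry)
    return neighbors


def build_topology(local_host, neighbors):
    """One edge per CDP entry: (local host, local interface, neighbor, neighbor port)."""
    return [(local_host, n["local_interface"], n["device_id"], n["port_id"]) for n in neighbors]


def document_neighbors(local_host, neighbors):
    """Human-readable lines suitable for pasting into network documentation."""
    return [
        f"{local_host} {n['local_interface']} <-> {n['device_id']} {n['port_id']} "
        f"[{n['platform']}; IP {n['ip']}; IOS {n['ios_version'] or 'n/a'}; "
        f"caps {n['capabilities']}]"
        for n in neighbors
    ]


if __name__ == "__main__":
    found = parse_cdp_detail(SAMPLE_OUTPUT)
    for line in document_neighbors("HQ_Router", found):
        print(line)
```

Repeating the same parse on each neighbor (log in to LOS_Router, run the command, feed its output with local_host="LOS_Router") and merging the edge lists walks the whole network one hop at a time, which is exactly the manual procedure the steps above describe. Note that the resulting document also lists every neighbor's IOS release, which is why the same output is worth protecting from eavesdroppers.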
CDP Security Issues
Although the Cisco Discovery Protocol is a very valuable protocol for Network Engineers, cybercriminals often take advantage of it to carry out cyber-attacks. Since this protocol does not implement any authentication, and packets are sent in clear text, anyone on the segment can listen in and collect information about your network devices, then use it to identify IOS versions with known vulnerabilities to exploit or to launch further attacks. The CDP spoofing attack is one of the most common methods cybercriminals use to attack networks.
CDP spoofing is the creation of forged packets to impersonate other network devices. This attack is a type of Denial-of-Service (DoS) attack used to overwhelm devices running CDP. An attacker can exploit this weakness by sending thousands of spoofed CDP packets to the multicast MAC address 01:00:0C:CC:CC:CC, populating and flooding the neighbor table of every device on the segment that runs CDP. When this happens, legitimate traffic may be dropped because the device no longer has the resources necessary to forward it. The device’s command-line interface may also become unresponsive, making it difficult to disable CDP during an ongoing attack.
To fully mitigate the threat of CDP spoofing, experts recommend disabling CDP on every network device where it is not a necessity. But of course, this comes at the cost of not being able to benefit from CDP. The Secure CDP feature also provides some protection by allowing you to select which type, length, value (TLV) fields are sent on an interface, filtering what a CDP packet discloses.
When unusual Cisco Discovery Protocol traffic or an unexpected CDP device is found in your network, investigate it immediately: check which MAC address the frames are coming from and what kind of information they carry. The CDP Monitor application can be used to monitor CDP changes from Windows environments. It detects CDP changes on the network and notifies you by email or by popping up a message box and sounding a warning. It can also run a custom program when a change is detected.
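The investigation advice above (look at which MAC the frames come from and what they claim) can be turned into a simple detector. The following is an added example of my own, not code from the article or from any Cisco or CDP Monitor product, that consumes per-frame metadata such as a capture filtered on destination MAC 01:00:0c:cc:cc:cc would yield and flags the three symptoms the section describes: far more CDP frames per interface than the timer allows, a neighbor table that suddenly grows, and a known source MAC re-announcing itself under a new Device ID. The `CdpEvent`, `CdpMonitor` and `detect` names, the thresholds, all MAC addresses and the BRANCH_SW neighbor are constructed for the illustration.

```python
"""Defender-side monitor for CDP flooding and spoofing symptoms (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

DEFAULT_CDP_TIMER = 60   # seconds between advertisements, per the article's default


@dataclass(frozen=True)
class CdpEvent:
    ts: float        # seconds since the capture started
    iface: str       # local interface the frame arrived on
    src_mac: str     # source MAC of the frame
    device_id: str   # Device ID TLV carried in the advertisement


class CdpMonitor:
    """Tracks CDP traffic per interface and per source, raising each alert only once."""

    def __init__(self, window=DEFAULT_CDP_TIMER, max_frames_per_window=10,
                 max_neighbors_per_iface=3):
        self.window = window
        self.max_frames = max_frames_per_window
        self.max_neighbors = max_neighbors_per_iface
        self._recent = defaultdict(deque)    # iface -> arrival times inside the window
        self._neighbors = defaultdict(set)   # iface -> Device IDs seen so far
        self._identity = {}                  # src_mac -> Device ID last advertised
        self._raised = set()
        self.alerts = []                     # (kind, detail) tuples in detection order

    def _alert(self, kind, detail):
        key = (kind, detail)
        if key not in self._raised:          # report each condition once, not per frame
            self._raised.add(key)
            self.alerts.append(key)

    def observe(self, ev):
        # Flood: a healthy link carries about one frame per neighbor per timer
        # interval, so many more frames than that in one window is suspicious.
        recent = self._recent[ev.iface]
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_frames:
            self._alert("rate", ev.iface)

        # Neighbor-table growth: an access or point-to-point link should not
        # suddenly show dozens of distinct Device IDs.
        self._neighbors[ev.iface].add(ev.device_id)
        if len(self._neighbors[ev.iface]) > self.max_neighbors:
            self._alert("neighbor_table", ev.iface)

        # Identity change: a source MAC we already know now claims a new Device ID.
        prev = self._identity.get(ev.src_mac)
        if prev is not None and prev != ev.device_id:
            self._alert("identity", f"{ev.src_mac}: {prev} -> {ev.device_id}")
        self._identity[ev.src_mac] = ev.device_id


def detect(events, **thresholds):
    """Feed events to a fresh monitor in time order and return its alerts."""
    monitor = CdpMonitor(**thresholds)
    for ev in sorted(events, key=lambda e: e.ts):
        monitor.observe(ev)
    return monitor.alerts


# Constructed sample: two legitimate neighbors, each advertising every 60 s.
BENIGN_EVENTS = [
    CdpEvent(t, "FastEthernet0/1", "aa:bb:cc:00:00:01", "HQ_Switch") for t in (0, 60, 120)
] + [
    CdpEvent(t, "FastEthernet0/0", "aa:bb:cc:00:00:02", "BRANCH_SW") for t in (5, 65, 125)
]

# Constructed sample: a two-second burst of 20 frames from 20 made-up MACs on
# Fa0/1, then the HQ_Switch MAC re-announcing itself under a different name.
SUSPECT_EVENTS = [
    CdpEvent(130 + i / 10, "FastEthernet0/1", f"02:00:00:00:00:{i:02x}", f"FLOOD-{i:02d}")
    for i in range(20)
] + [
    CdpEvent(200, "FastEthernet0/1", "aa:bb:cc:00:00:01", "HQ_Switch"),
    CdpEvent(260, "FastEthernet0/1", "aa:bb:cc:00:00:01", "ROGUE-SW"),
]

if __name__ == "__main__":
    for kind, detail in detect(BENIGN_EVENTS + SUSPECT_EVENTS):
        print(f"ALERT {kind}: {detail}")
```

The thresholds are deliberately crude: the rate threshold should be set from the number of neighbors you expect on the interface and your configured cdp timer, and the neighbor-table threshold from what the link is (a router-to-router serial link should show exactly one neighbor). The identity check is the one that catches a quiet impersonation rather than a noisy flood, which is why it is worth keeping even where flood protection is handled elsewhere.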
Cisco Discovery Protocol FAQs
What are the Cisco Discovery Protocol vulnerabilities?
In February 2020, five vulnerabilities were found in CDP. Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities, while one is a Denial of Service (DoS) vulnerability. Affected devices include: Cisco IP phones 7800/8800 series, Cisco IP cameras 8000 series, Cisco NX-OS switches, Cisco Firepower firewalls, Cisco NCS systems, and Cisco IOS XR routers. Cisco has released patches for all five vulnerabilities, but most of the vulnerable devices don’t auto-update, and therefore require manual patching to receive protection.
Should I disable CDP?
It’s usually good security practice to disable anything that is not needed in a system, and CDP is no exception. This is especially important if you have considered the fact that the risks outweigh the benefits in your network environment.
Can CDP and LLDP coexist?
Yes. CDP and LLDP can coexist, or be used at the same time, especially if your network environment is made up of devices from different vendors. The majority of Cisco devices will also support LLDP, as this allows them to interoperate with other vendors. However, in those devices, LLDP is off by default.
How often are CDP packets sent?
CDP packets by default are transmitted out of all active interfaces every 60 seconds. The amount of time a router will hold received CDP information before discarding it, if it is not refreshed by the neighbor, is set to 180 seconds by default. However, these default settings can be changed during configuration.
“CDP timer is 90 seconds by default.”
“How often are CDP packets sent?
CDP packets by default are often transmitted out of all active interfaces every 90 seconds.”
These statements are incorrect; it is stated correctly at another point in the text: “CDP messages by default are generated every 60 seconds.”
It is frustrating, as Google lists this as a top result and gives the short quick answer of 90 seconds, which is incorrect. If you look up CDP + 90 seconds, this is the only coherent result, along with Cisco stating you can set the timer to 90 manually.
Thanks,