Learning Network With Cisco CDP
Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol designed to facilitate the network management of Cisco devices by discovering hardware and protocol information about neighboring devices. By using CDP, Network Engineers can gather information about neighboring network devices, determining the type of hardware or equipment, software version, active interfaces the device is using (whether physical or VLAN), how they are configured, and other useful information. That is quite a bit of information, and this is useful for troubleshooting and documenting the network.
Cisco Discovery Protocol performs functions similar to several other proprietary network protocols such as Foundry Discovery Protocol (FDP), Nortel Discovery Protocol (NDP), Link Layer Topology Discovery (LLTD), and the vendor-neutral Link Layer Discovery Protocol (LLDP). The CDP is a very useful protocol for Cisco Network Engineers. You may not realize how important this protocol is until you find yourself responsible for a network infrastructure you know little or nothing about.
Imagine you just got hired into an organization as a Network Administrator. Your predecessor was recently fired and so there was little or no information about the network. All you were told was that the organization has a local and a wide area network (WAN) across three locations made up of mostly Cisco devices, and you were provided login details to the primary router at the head office. You are expected to ensure that business activities go on unimpeded. What do you do? Well, this is where CDP comes in handy for a Network Engineer who wants to discover and map out all interconnected network devices. CDP is quite useful for someone who may be new to a network and is trying to map it out to learn about neighboring devices, their parameters, and other configuration details.
How Cisco Discovery Protocol works
CDP is enabled by default on all supported devices such as Cisco routers and switches. These devices send and receive CDP messages (advertisements) out of their interfaces to directly connected neighboring devices. Since CDP operates at layer two (the data link layer), those messages are not forwarded or routed through the device. That means you can only get CDP information about directly connected devices, and if those neighbors are also Cisco devices running CDP, the two sides exchange information with each other.
When a Cisco device such as a router running CDP receives a CDP packet, it begins to build a table that lists the neighboring devices. Once the devices are discovered, they periodically send each other a packet of updated information. These CDP packets carry various useful details about the network devices, such as:
Device type
Hardware platform
Hardware capabilities
IOS version number
Hostname
The interface that generates CDP message
IP address of the device
Port ID
Number of seconds the CDP advertisement remains valid (the holdtime)
CDP messages by default are generated every 60 seconds, and the Holdtime (discussed below) after which a missing neighbor is discarded is 180 seconds. CDP messages are sent as multicasts using the SNAP (Subnetwork Access Protocol) frame type. SNAP is only supported on these media types: Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), Asynchronous Transfer Mode (ATM), Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and Frame Relay. CDP is available in IOS from version 10.3 on Cisco routers, switches, and other supported devices. CDPv1 is the initial version of the protocol and is only capable of collecting device information from the other end of a link. CDPv2 is the most recent release of the protocol and provides more intelligent device tracking features.
CDP will even list ports that STP has placed in the blocking state. A blocked port is still allowed to send and receive frames that the switch itself processes without forwarding them further. Because such frames are never forwarded through the switch, they cannot be caught in a switching loop. Think of protocols like CDP, LLDP, VTP, PAgP, LACP, UDLD, and even STP itself: all of these can be both sent and received on a blocking port. It is in fact important that sending and receiving, for example, LACP frames is not prohibited on a blocking port – otherwise, EtherChannels would stop working in that case.
Enabling/Disabling CDP on Cisco Devices
For this section, our router will have a hostname of HQ_Router, and it will have two serial connections to routers named LOS_Router and NYC_Router, and one FastEthernet connection to a switch with the hostname HQ_Switch as shown in the diagram below:
Router and Switch relationship diagram
As stated earlier, Cisco Discovery Protocol is enabled by default on all supported devices. If for whatever reason it’s not active, you can easily re-enable it. To enable or disable CDP, use the following command:
Enter privileged EXEC mode (enter your password if prompted): HQ_Router>enable
Enter global configuration mode: HQ_Router#config t
Enable CDP globally on a router: HQ_Router(config)# cdp run
Disable CDP globally on a router: HQ_Router(config)# no cdp run
Enter interface configuration mode (for, say, int fa0/1): HQ_Router(config)#int fa0/1
Enable CDP on an interface (if CDP is enabled globally): HQ_Router(config-if)# cdp enable
Disable CDP on an interface: HQ_Router(config-if)# no cdp enable
Setting Cisco Discovery Protocol Timer and Holdtime
The CDP Timer is the interval between CDP advertisements transmitted out of all active router interfaces; in other words, it describes how often CDP packets are sent. The CDP timer is 90 seconds by default. The CDP Holdtime, on the other hand, is the amount of time a router keeps CDP information received from a neighbor before discarding it if the neighbor has not refreshed it. The CDP Holdtime is set to 180 seconds by default.
You can use the global commands cdp timer and cdp holdtime to change the default time settings for the CDP Timer and Holdtime on your router as shown below:
Configure the CDP Timer: HQ_Router(config)# cdp timer 100
Configure the CDP Holdtime: HQ_Router(config)# cdp holdtime 200
Gathering Neighbor Information
In this section, we are going to learn how to gather information about directly connected devices. Here are all the commands we will use for this section:
Enter privileged EXEC mode (enter your password if prompted): HQ_Router>enable
Display information about neighboring devices: HQ_Router#show cdp neighbors
Display detailed information about neighboring devices: HQ_Router#show cdp neighbors detail
Display detailed information about neighboring devices: HQ_Router#show cdp entry *
Display the IP addresses of each directly connected neighbor: HQ_Router#show cdp entry * protocols
Display the IOS version of each directly connected neighbor: HQ_Router#show cdp entry * version
The following is the output of the show cdp neighbors command on our router:
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge, S – Switch, H – Host, I – IGMP, r – Repeater

Device ID     Local Intrfc   Holdtime   Capability   Platform       Port ID
HQ_Switch     Fas 0/1        180        T S          CWS-C2950-12   Fas 0/0
LOS_Router    Ser 0/1/0      190        R S I        2801           Ser 0/2/0
NYC_Router    Ser 0/0/1      200        R S I        1841           Ser 0/0/1
HQ_Router#
From the output of the show cdp neighbors command above, you can see what kind of device each neighbor is (capability, i.e., router or switch), its model number (platform), your port connecting to that device (local interface), and the port of the neighbor connecting to you (port ID). The table below summarizes the information displayed by the show cdp neighbors command for each device.
Device ID: The hostname of the directly connected device.
Local Interface: The port or interface on the host router (HQ_Router).
Holdtime: The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability: The type of neighboring network device, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform: The model number of the directly connected device.
Port ID: The neighbor device's port or interface on which the CDP packets are multicast.
The show cdp neighbors detail is another similar command we can use to gather more detailed information about directly connected devices. It can be run on both routers and switches, and it displays detailed information about each device. Here is the output after running the command on our router:
Device ID: HQ_Switch
Entry address(es): 10.1.1.1
Platform: Cisco WS-C2950-12, Capabilities: Trans-Bridge Switch
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0
Holdtime: 180 sec
Device ID: LOS_Router
Entry address(es):
IP address: 10.2.2.1
Platform: Cisco 2801, Capabilities: Router Switch IGMP
Interface: Serial0/1/0, Port ID (outgoing port): Serial0/2/0
Holdtime: 190 sec
Version: Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M),
Experimental Version 12.4(20050525:193634) [jezhao-ani 145]
Device ID: NYC_Router
Entry address(es):
IP address: 10.3.3.1
Platform: Cisco 1841, Capabilities: Router Switch IGMP
Interface: Serial0/0/1, Port ID (outgoing port): Serial0/0/1
Holdtime: 200 sec
Version: Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c),
RELEASE SOFTWARE (fc1)
[output cut]
HQ_Router#
What extra information does the above output provide? As you can see, it shows the IP addresses of all directly connected devices and their IOS versions, in addition to everything displayed by the show cdp neighbors command.
There isn't much difference between the show cdp entry * and show cdp neighbors detail commands; they basically display the same information. However, the show cdp entry * command has two unique options: show cdp entry * protocols and show cdp entry * version.
The show cdp entry * protocols command shows you just the IP addresses of each directly connected neighbor, while show cdp entry * version shows you only the IOS version of your directly connected neighbors.
Gathering Port and Interface Information
To display port and interface information, we use the show cdp interface command as shown below.
Enter privileged EXEC mode (enter your password if prompted): HQ_Router>enable
Display CDP status on router interfaces: HQ_Router#show cdp interface
This command shows you the CDP status on router interfaces or switch ports. On a router, the show cdp interface command displays information about each interface using CDP, including the encapsulation on the line, the timer, and the holdtime for each interface. Here’s an example of this command’s output on our router:
HQ_Router#show cdp interface
FastEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 100 seconds
  Holdtime is 180 seconds
Serial0/1/0 is up, line protocol is up
  Encapsulation HDLC
  Sending CDP packets every 100 seconds
  Holdtime is 190 seconds
Serial0/0/1 is up, line protocol is up
  Encapsulation HDLC
  Sending CDP packets every 100 seconds
  Holdtime is 200 seconds
The above output clearly shows us the CDP status on the router interfaces. Of course, you can always turn off CDP on any interface on the router using the no cdp enable command described earlier. When CDP is turned off, it will no longer show up on the router output when you run the show cdp interface command.
Documenting a Network Topology Using CDP
Let's assume you have just been hired as a Network Administrator for a TV station that cannot afford downtime. Your predecessor left unannounced, so there is little or no information about the organization's network topology to fall back on. All you have access to is the primary router at the head office. How can you document the network topology? CDP to the rescue! Now you can apply all the knowledge you have gained so far to document the network infrastructure. The basic parameters required to document a network are the device type at each end, the port or interface type, and the IP address of each interface. You can easily determine all of these using only Cisco Discovery Protocol commands and the show running-config command.
The first thing you need to do is log on to the primary router and determine the IP addresses of its interfaces using the show running-config command. Once this step is completed, document the IP addresses of the primary router's interfaces.
Next, determine the type of device on the other end of each of those interfaces using the show cdp neighbors command. This reveals the network device type connected to each of the primary router's links, along with the interfaces, Port IDs, etc., of the remote device.
Lastly, determine the IP address of each remote network device using the show cdp neighbors detail command. From all the information gathered with show running-config, show cdp neighbors, and show cdp neighbors detail, you can now draw the network topology of your organization and begin to take responsibility for it.
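As an added example (not part of the original article), here is a small Python parser that turns the show cdp neighbors detail text collected in the steps above into the topology records you would put in the documentation. The sample output is constructed from the listing shown earlier on this page, and the local hostname HQ_Router is an assumption.

```python
import re

# Constructed sample modelled on the "show cdp neighbors detail" output shown
# earlier on this page (not a real capture).
SAMPLE_OUTPUT = """\
Device ID: HQ_Switch
Entry address(es):
  IP address: 10.1.1.1
Platform: Cisco WS-C2950-12,  Capabilities: Trans-Bridge Switch
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 180 sec
-------------------------
Device ID: LOS_Router
Entry address(es):
  IP address: 10.2.2.1
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: Serial0/1/0,  Port ID (outgoing port): Serial0/2/0
Holdtime : 190 sec
"""

# One pattern per field; the named groups become keys of the neighbor record.
PATTERNS = {
    "device":    r"Device ID:\s*(?P<device>\S+)",
    "ip":        r"IP address:\s*(?P<ip>\d+\.\d+\.\d+\.\d+)",
    "platform":  r"Platform:\s*(?P<platform>.+?),\s*Capabilities:\s*(?P<capabilities>.+)",
    "interface": r"Interface:\s*(?P<local_if>[^,]+),\s*Port ID \(outgoing port\):\s*(?P<port_id>\S+)",
    "holdtime":  r"Holdtime\s*:\s*(?P<holdtime>\d+)",
}
FIELDS = ("device", "ip", "platform", "capabilities", "local_if", "port_id", "holdtime")

def parse_neighbors(text):
    """Return one record per neighbor block; fields missing from a block stay None."""
    records = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):   # blocks are separated by dashes
        rec = {k: None for k in FIELDS}
        for pat in PATTERNS.values():
            m = re.search(pat, block, re.M)
            if m:
                rec.update({k: v.strip() for k, v in m.groupdict().items()})
        if rec["device"] is None:
            continue                         # whitespace between separators, not a neighbor
        rec["capabilities"] = rec["capabilities"].split() if rec["capabilities"] else []
        rec["holdtime"] = int(rec["holdtime"]) if rec["holdtime"] else None
        records.append(rec)
    return records

def topology_links(local_host, records):
    """Links for the topology document: (local host, local port, neighbor, its port, its IP)."""
    return [(local_host, r["local_if"], r["device"], r["port_id"], r["ip"]) for r in records]
```

Run the same parser against the output of each newly discovered neighbor to walk the network one hop at a time.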
CDP Security Issues
Although the Cisco Discovery Protocol is a very valuable protocol for Network Engineers, cybercriminals often take advantage of it to carry out cyber-attacks. Since the protocol does not implement any authentication and its packets are sent in clear text, anyone on the segment can listen in and collect information about your network devices, for example to identify IOS versions with known vulnerabilities to exploit or to plan further attacks. The CDP spoofing attack is one of the most common methods cybercriminals use against networks.
CDP spoofing is the creation of forged packets to impersonate other network devices. This attack is a type of Denial-of-Service (DoS) attack used to overwhelm devices that run CDP. An attacker can exploit this weakness by sending thousands of spoofed CDP packets to the multicast MAC address 01:00:0C:CC:CC:CC to fill and flood the neighbor tables of every device on the network that runs CDP. When this happens, legitimate traffic on the network may be dropped because the device no longer has the resources needed to transmit it. The device's command-line interface may also become unresponsive, making it difficult to disable CDP during an ongoing attack.
To fully mitigate the threat of CDP spoofing, experts recommend disabling CDP on every network device where it is not required. Of course, this comes at the cost of no longer benefiting from CDP. The Secure CDP feature also adds protection by letting you select which type, length, value (TLV) fields are sent on an interface, filtering the fields carried in CDP packets.
When unusual Cisco Discovery Protocol traffic or an unexpected CDP device is found in your network, investigate it immediately: check which MAC address the frames are coming from and what kind of information they carry. The CDP Monitor application can be used to monitor CDP changes from Windows environments. It detects CDP changes on the network and notifies you by email or by popping up a message box and issuing a warning sound. It can also run a custom program when a change is detected.
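The following is an added example (not from the original article or from any Cisco tool) of the check described above in code: decode one CDP advertisement from a captured frame and compare it with the neighbors you documented, flagging a device ID that is not on record or a known device ID arriving from a different source MAC. The frame bytes, MAC addresses and inventory format are constructed assumptions, and the CDP checksum is not verified.

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")            # multicast address CDP is sent to
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")   # LLC, Cisco OUI, CDP protocol id
# Capability bits, named with the codes from the show cdp neighbors output.
CAPS = {0x01: "R", 0x02: "T", 0x04: "B", 0x08: "S", 0x10: "H", 0x20: "I", 0x40: "r"}
TLV_NAMES = {1: "device_id", 3: "port_id", 5: "version", 6: "platform"}

# Constructed CDPv2 frame as HQ_Switch would send it (not a real capture; source MAC made up).
SAMPLE_FRAME = (
    CDP_MAC + bytes.fromhex("001a2b3c4d5e") + bytes.fromhex("0043")   # dst, src, 802.3 length
    + LLC_SNAP_CDP
    + bytes.fromhex("02b40000")                            # version 2, holdtime 180 s, checksum
    + bytes.fromhex("0001000d") + b"HQ_Switch"             # TLV 1: Device ID
    + bytes.fromhex("00030013") + b"FastEthernet0/0"       # TLV 3: Port ID
    + bytes.fromhex("00040008") + bytes.fromhex("0000000a")  # TLV 4: Capabilities (T, S)
    + bytes.fromhex("0006000f") + b"WS-C2950-12"           # TLV 6: Platform
)

def parse_cdp(frame):
    """Return the fields a neighbor table is built from, or None if the frame is not CDP."""
    if frame[:6] != CDP_MAC or frame[14:22] != LLC_SNAP_CDP:
        return None
    rec = {"src_mac": frame[6:12].hex(":"), "version": frame[22], "holdtime": frame[23]}
    pos = 26                                               # first TLV, after the 4-byte CDP header
    end = min(len(frame), 14 + struct.unpack("!H", frame[12:14])[0])
    while pos + 4 <= end:
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])
        if tlen < 4 or pos + tlen > end:                   # truncated or malformed TLV: stop here
            rec["malformed"] = True
            break
        value = frame[pos + 4:pos + tlen]
        if ttype == 4 and len(value) == 4:
            mask = struct.unpack("!I", value)[0]
            rec["capabilities"] = [code for bit, code in CAPS.items() if mask & bit]
        elif ttype in TLV_NAMES:
            rec[TLV_NAMES[ttype]] = value.decode("ascii", "replace")
        pos += tlen
    return rec

def assess(rec, inventory):
    """Compare a parsed advertisement with the documented topology; return a list of findings."""
    known = inventory.get(rec.get("device_id"))
    if known is None:
        return ["device ID not in documented inventory"]
    findings = []
    if rec["src_mac"] != known["mac"]:
        findings.append("source MAC differs from the one on record")
    if rec.get("platform") != known["platform"]:
        findings.append("platform changed")
    return findings

# Neighbors documented with show cdp neighbors detail (MAC addresses constructed).
INVENTORY = {"HQ_Switch": {"mac": "00:1a:2b:3c:4d:5e", "platform": "WS-C2950-12"}}
```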
Should I disable CDP?
It's usually good security practice to disable anything that is not needed in a system, and CDP is no exception. This is especially important when you have judged that, in your network environment, the risks outweigh the benefits.
Can CDP and LLDP coexist?
Yes. CDP and LLDP can coexist, or be used at the same time, especially if your network environment is made up of devices from different vendors. The majority of Cisco devices will also support LLDP, as this allows them to interoperate with other vendors. However, in those devices, LLDP is off by default.
How often are CDP packets sent?
By default, CDP packets are transmitted out of all active interfaces every 90 seconds. The amount of time a router holds received CDP information before discarding it, if the neighbor has not refreshed it, is 180 seconds by default. Both defaults can be changed in the configuration.