Understanding CDP (Cisco Discovery Protocol)
Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol used to collect information about neighboring routers and switches. It operates at Layer 2 (the data link layer) and comes in two versions: CDPv1 (the initial release), available since IOS version 10.3, and CDPv2, available from IOS version 12.0(3)T. CDP is very useful when you need to gather information about the network topology, such as IP addresses, device capabilities and platforms, and it also offers a quick way to troubleshoot and document the network. CDP is enabled by default on all available interfaces. CDP traffic between devices is not encrypted, so anyone with access to the link can read the device details it carries, which can be a real security issue. As a best practice, CDP should be disabled, mainly on devices that connect to external networks.
Verifying CDP status
If you want to display the global information about CDP configuration, use the show cdp privileged EXEC command.
R1# show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled
From the above output we can observe that CDP is enabled with the default settings: CDP advertisements are sent every minute, the CDP holdtime is set to three minutes and the device transmits CDP version 2 advertisements. These default values can be customized according to your needs using the commands described later.
Enabling or disabling CDP
As I already said, CDP is enabled by default on the device and on all of its interfaces. If for some reason it was previously disabled and you want to re-enable it, use the cdp run command in global configuration mode:
R1(config)# cdp run
After running this command CDP is re-enabled globally on the device. There are situations when you do not want CDP running on every interface. Cisco lets you control it at the interface level with the cdp enable interface configuration command (CDP must still be running globally; see the note below).
R1(config)# interface fastEthernet 0/1
R1(config-if)# cdp enable
In the above example CDP was enabled only on the fastEthernet 0/1 interface. If you need to disable CDP on a specific interface, use the no form of the same command:
R1(config)# interface fastEthernet 0/1
R1(config-if)# no cdp enable
Note: If CDP is disabled globally, you cannot enable it on a per-interface basis using the cdp enable interface configuration command. If you try, the following message appears on the device console:
% Cannot enable CDP on this interface, since CDP is not running
Gathering neighbor information
Assuming CDP is enabled on all your Cisco devices, you can display information about directly connected neighbors using the show cdp neighbors privileged EXEC command.
R1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW01             Fas 0/0            148         R S I      3745      Fas 1/0
R2               Fas 0/1            172         R          7206VXR   Fas 0/1
From the output of this command we can see that the router R1 has two neighbors: a switch, SW01, and another router, R2. The meaning of each field in this output is detailed below:
- Device ID – indicates the hostname of the directly connected device
- Local Interface – indicates the port or interface on which you are receiving the CDP packet
- Holdtime – indicates the amount of time in seconds the device will hold the CDP advertisement before discarding it
- Capability – indicates the capability of the neighbor device, such as router, switch, etc. The list is displayed at the top of the command output.
- Platform – indicates the model and OS level running in the directly connected device
- Port ID – indicates the port or interface of the neighbor device on which the CDP packets are transmitted.
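The table above is what you would feed a documentation or inventory script. The following parser is an added example, not code from the original article: it turns the show cdp neighbors output into a list of records, expanding the one-letter capability codes from the legend, and joins rows that IOS wraps onto two lines when a Device ID is long (the sample output is constructed from the text above; the long hostname used in testing is hypothetical).

```python
import re

# Constructed sample: the "show cdp neighbors" output quoted in the text.
SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW01             Fas 0/0            148         R S I      3745      Fas 1/0
R2               Fas 0/1            172         R          7206VXR   Fas 0/1
"""

# One row: interface names may contain a space ("Fas 0/0"), the capability
# column is a space-separated list of single letters, the platform has no space.
ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>[A-Za-z]+ ?[\d/.]+)\s+(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z] )*[A-Za-z])\s+(?P<platform>\S+)\s+"
    r"(?P<port>[A-Za-z]+ ?[\d/.]+)\s*$"
)

def parse_capability_codes(text):
    """Build {code: meaning} from the 'Capability Codes:' legend lines."""
    codes = {}
    for line in text.splitlines():
        for code, meaning in re.findall(r"\b(\w) - ([^,]+)", line):
            codes[code] = meaning.strip()
    return codes

def parse_cdp_neighbors(text):
    """Return one dict per neighbor with the capability codes expanded."""
    codes = parse_capability_codes(text)
    neighbors, pending, in_table = [], "", False
    for raw in text.splitlines():
        if raw.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not raw.strip():
            continue
        m = ROW.match(f"{pending} {raw}" if pending else raw)
        if m is None:
            # A long Device ID sits alone on a line; join it with the next row.
            pending = raw.strip() if len(raw.split()) == 1 else ""
            continue
        pending = ""
        neighbors.append({
            "device_id": m["device"], "local_interface": m["local"],
            "holdtime": int(m["hold"]),
            "capabilities": [codes.get(c, c) for c in m["caps"].split()],
            "platform": m["platform"], "port_id": m["port"],
        })
    return neighbors
```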
To display additional information about the neighboring devices, add the detail keyword to the show cdp neighbors command:
R1# show cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
  IP address: 192.168.2.2
Platform: Cisco 7206VXR,  Capabilities: Router
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 141 sec

Version :
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 00:31 by prod_rel_team

advertisement version: 2
Duplex: full
In addition to the information displayed by the show cdp neighbors command, the detail keyword shows the IP address of the neighbor device, its IOS version and the version of the CDP advertisement packets it sends. The similar command show cdp entry * displays the same information as show cdp neighbors detail.
R1# show cdp entry *
Sometimes during troubleshooting you may need to check whether CDP advertisement packets are being sent and received properly. For this you can use the show cdp traffic privileged EXEC command to display the CDP packet counters:
R1# show cdp traffic
CDP counters :
        Total packets output: 49, Input: 42
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 49, Input: 42
From the output of this command you can see that there were no errors and that only CDPv2 advertisements were sent and received.
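The same counters are worth polling from a script, since a rising checksum or invalid packet count points at malformed CDP frames on a link. This parser and health summary is an added example, not code from the original article; the sample output is constructed from the text above, and the counter names are taken from it.

```python
import re

# Constructed sample: the "show cdp traffic" output quoted in the text.
SAMPLE = """\
CDP counters :
        Total packets output: 49, Input: 42
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 49, Input: 42
"""

# Counters that stay at zero on a healthy link.
ERROR_COUNTERS = ("Hdr syntax", "Chksum error", "Encaps failed",
                  "No memory", "Invalid packet", "Fragmented")

PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)")

def parse_cdp_traffic(text):
    """Return {counter_name: int}. A bare 'Input' that follows an 'output'
    counter is renamed after it, so the three Input values stay distinct."""
    counters = {}
    for line in text.splitlines():
        pairs = PAIR.findall(line)
        if not pairs:
            continue
        context = pairs[0][0]
        for name, value in pairs:
            if name == "Input" and context.endswith("output"):
                name = context[:-len("output")] + "input"
            counters[name] = int(value)
    return counters

def cdp_traffic_health(counters):
    """Summarise the counters the way a troubleshooter reads them."""
    errors = {k: v for k, v in counters.items() if k in ERROR_COUNTERS and v}
    return {
        "errors": errors,
        "sent": counters["Total packets output"],
        "received": counters["Total packets input"],
        "v1_received": counters["CDP version 1 advertisements input"],
        "v2_received": counters["CDP version 2 advertisements input"],
    }

if __name__ == "__main__":
    print(cdp_traffic_health(parse_cdp_traffic(SAMPLE)))
```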
Configuring CDP holdtime, timer and version
As we saw in the show cdp output earlier, CDP messages have two configurable parameters: the holdtime and the timer. The holdtime represents the amount of time the receiving device keeps a CDP entry before discarding it. You can configure it using the cdp holdtime command in global configuration mode.
R1(config)# cdp holdtime 120
Here we changed the default value of 180 seconds to 120. This parameter can have any value between 10 and 255. The timer parameter specifies how often CDP updates are sent to the remote devices. To change it, use the cdp timer command in global configuration mode.
R1(config)# cdp timer 90
Here we changed the default value of 60 seconds to 90. This parameter can have any value between 5 and 254. The CDP timers should be consistent among neighboring devices, otherwise their CDP tables will be inaccurate. By default, CDP version 2 is enabled on all Cisco devices with IOS versions 12.0(3)T and higher. If for some reason CDPv2 advertisements were manually disabled, you can re-enable them with the cdp advertise-v2 command in global configuration mode.
R1(config)# cdp advertise-v2
Clearing CDP table and statistics
Cisco offers two commands: one to clear the neighbor information from the CDP table and one to clear the traffic statistics. To delete all entries from the CDP table of a device, use the clear cdp table privileged EXEC command.
R1# clear cdp table
To reset all statistics about the number of CDP packets sent and received and the number of errors, use the clear cdp counters privileged EXEC command.
R1# clear cdp counters
After running this command and typing show cdp traffic you will see all counters are reset to zero.
As we have seen, CDP offers many benefits by easing network administration tasks, but its security implications should also be taken into account, mostly where the network is exposed to the outside world.