Cisco Discovery Protocol (CDP)


     

    CDP is a Cisco proprietary Layer 2 protocol used to learn about directly connected neighbor devices: their hostname (device ID), hardware platform, software version, the port they are attached on, their capabilities (router, switch, host and so on), their network-layer addresses and more. Everything it carries is sent in the clear and without any authentication, so the same information is available to anyone who can listen on the link.

     

    CDP versions

    • CDPv1: the original version. It only advertises and collects the basic identity of the device at the other end of the link (device ID, addresses, port ID, capabilities, platform and software version).

     

    • CDPv2: the most recent release of the protocol. It adds more intelligent device tracking: it carries the native VLAN, the duplex setting and the VTP management domain, so the receiving device can report a mismatched native VLAN ID on an 802.1Q trunk or a duplex mismatch between the two ends of a link.

     

     

    How CDP Works


    All Cisco devices with CDP enabled transmit CDP packets periodically (the default interval is 60 seconds and is adjustable). Each packet carries a time-to-live (TTL, also called the holdtime) value in seconds, which tells the receiver how long it should keep the information in the packet before discarding it (default 180 seconds).

    • After an interface is enabled, CDP packets are sent with a nonzero time-to-live value, and
    • immediately before an interface is brought down, a packet with a time-to-live value of zero is sent. This lets the neighbor discover the state change at once instead of waiting for the holdtime to expire.

     

    All Cisco devices receive CDP packets, process them and cache the information they carry. Cisco devices never forward a CDP packet; it is consumed by the device at the other end of the link. (A non-CDP-aware switch or hub, however, floods the frame like any other multicast, so CDP information can travel further than one hop across third-party equipment.) If any information differs from the last packet received from that neighbor, the new information is cached and the old information is discarded, even if its time-to-live has not yet expired.
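    The lifecycle described above, as an added example (not code from the original page): a small Python model of the neighbor table that applies the holdtime, the refresh on every announcement, the immediate replacement when a neighbor's data changes, and the withdrawal on a TTL-of-zero announcement. The timeline (a phone on Gi1/0/5 that goes silent, a core switch on Gi1/0/24 whose native VLAN changes and which later shuts its port) is constructed for illustration, and keying the table by local interface plus device ID is a simplification of the real implementation.

```python
"""Model of a CDP neighbor table: holdtime expiry, refresh, replacement on
change, and immediate removal on a TTL-of-zero announcement.

Added example, not code from the original page; the event timeline below is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class NeighborEntry:
    device_id: str
    info: dict
    expires_at: float   # simulation time (seconds) after which the entry is discarded


class CdpNeighborTable:
    def __init__(self):
        # keyed by (local interface, neighbor device ID), one row per "show cdp neighbors" line
        self.entries = {}

    def receive(self, now, interface, device_id, ttl, info):
        """Process one CDP announcement heard on `interface`; returns what happened."""
        key = (interface, device_id)
        if ttl == 0:
            # Sent just before the neighbor's port goes down: forget it immediately.
            return "withdrawn" if self.entries.pop(key, None) else "ignored"
        old = self.entries.get(key)
        self.entries[key] = NeighborEntry(device_id, dict(info), now + ttl)
        if old is None:
            return "added"
        # Changed data replaces the cached copy even though the old holdtime had not expired.
        return "replaced" if old.info != info else "refreshed"

    def expire(self, now):
        """Discard entries whose holdtime has run out; returns the device IDs removed."""
        stale = [k for k, e in self.entries.items() if now > e.expires_at]
        for k in stale:
            del self.entries[k]
        return [k[1] for k in stale]

    def neighbors(self, now):
        self.expire(now)
        return {"%s -> %s" % (i, d): e.info for (i, d), e in self.entries.items()}


def run_timeline():
    """Replay a constructed timeline and record what the table looked like at key moments."""
    table, seen = CdpNeighborTable(), {}
    phone = {"port": "Port 1", "platform": "IP Phone"}
    core = {"port": "Gi1/0/1", "native_vlan": 1}
    seen["phone_added"] = table.receive(0, "Gi1/0/5", "PHONE-1", 180, phone)
    seen["core_added"] = table.receive(0, "Gi1/0/24", "CORE-1", 180, core)
    # CORE-1 keeps announcing every 60 s; PHONE-1 falls silent after t=0.
    for t in (60, 120, 180):
        seen["core_at_%d" % t] = table.receive(t, "Gi1/0/24", "CORE-1", 180, core)
    seen["at_170"] = sorted(table.neighbors(170))      # PHONE-1 still inside its 180 s holdtime
    seen["expired_at_181"] = table.expire(181)         # ...and gone one second after it runs out
    # CORE-1's native VLAN changes: the new data wins immediately.
    seen["core_changed"] = table.receive(240, "Gi1/0/24", "CORE-1", 180, {**core, "native_vlan": 99})
    seen["core_vlan_after_change"] = table.neighbors(240)["Gi1/0/24 -> CORE-1"]["native_vlan"]
    # CORE-1 shuts its port and announces TTL 0.
    seen["core_withdrawn"] = table.receive(300, "Gi1/0/24", "CORE-1", 0, core)
    seen["at_300"] = sorted(table.neighbors(300))
    return seen


if __name__ == "__main__":
    for k, v in run_timeline().items():
        print(k, "=", v)
```

    The "refreshed" versus "replaced" distinction is the one a monitoring script cares about: a neighbor whose advertised native VLAN or port ID suddenly changes, without the entry ever expiring, is exactly what a spoofed announcement looks like from the receiving switch's side.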

     

     

    Notes for CDP

    • CDP only works between directly connected interfaces.
    • CDP messages are generated every 60 seconds by default; the hold-down (holdtime) is 180 seconds.
    • Messages are sent to the Layer 2 multicast address 01:00:0C:CC:CC:CC and are never forwarded by a Cisco device.
    • A device that receives CDP messages on an interface stores the neighbor information in a table that can be viewed with the show cdp neighbors command.
    • The CDP table entry is refreshed each time an announcement is received from the neighbor, and the holdtime for that entry is reinitialized.
    • The holdtime specifies the lifetime of an entry in the table: if no announcement is received from a device for longer than the holdtime, that device's information is discarded.
    • CDP runs on all media that support the Subnetwork Access Protocol (SNAP), including local-area network (LAN), Frame Relay and Asynchronous Transfer Mode (ATM) physical media.
    • CDP runs over the data link layer only. Therefore two systems that support different network-layer protocols can still learn about each other.
    • CDP Version 2 (CDPv2) is the most recent release of the protocol and provides more intelligent device tracking features. These include a reporting mechanism that allows more rapid error tracking and so reduces costly downtime. Errors reported include
      • mismatched native VLAN IDs (IEEE 802.1Q) on connected ports, and
      • mismatched port-duplex states between connected devices.
    • CDP can be enabled on GRE tunnel interfaces, which is useful in DMVPN. A central hub can use "router odr" (On-Demand Routing, which carries its prefixes inside CDP) to insert a default route into the spokes so that they route via the hub; ODR routes can in turn be redistributed into other routing protocols. Finally, show cdp entry * protocol (abbreviated "pro" in the original note) lists the network-layer addresses of all connected devices. [Thanks to Conwyn for suggestions to include]. CDP support on GRE tunnel interfaces was integrated in 12.3(5) and 12.3(6)T via CSCec01500. [http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec01500]
    • CDP is also used for output power negotiation with PoE-capable devices such as IP phones and access points, so disabling it on those ports has a functional cost. [Thanks to Conwyn for suggestions to include].

     

     

     

    CDP Frame Format

    CDP is assigned HDLC protocol type value 0x2000. Because that protocol type is carried inside a Cisco-proprietary SNAP header, CDP can run on any medium that supports SNAP, such as LAN media, Frame Relay and ATM.

    The SNAP format is as follows:

    • LLC—0xAAAA03
    • Org ID—0x00000C
    • HDLC protocol type—0x2000

     

     

    [Figure: CDP packet capture (image "2.1.b (i) --CDP.jpg" from the original page)]

     

     

     

    Field                     Description
    ----------------------    ----------------------------------------------------------------
    Version (1 byte)          The version of CDP being used (1 or 2).
    Time-to-Live (1 byte)     The amount of time, in seconds, that a receiver should retain the
                              information contained in this packet. Default is 180 seconds.
    Checksum (2 bytes)        The standard IP checksum (16-bit one's complement), computed over
                              the whole CDP portion of the frame (header plus TLVs).
    Type/Length/Value (TLV)   One or more TLVs follow the header:
      Type (2 bytes)          The TLV type. Common values are 0x0001 Device ID, 0x0002 Addresses,
                              0x0003 Port ID, 0x0004 Capabilities, 0x0005 Software Version,
                              0x0006 Platform, 0x0007 IP Prefix, 0x0009 VTP Management Domain,
                              0x000A Native VLAN and 0x000B Duplex.
      Length (2 bytes)        The total length in bytes of the type, length and value fields.
      Value                   The data for this type (a string, an address list, a VLAN ID, ...).

     

                        Ref: - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/15-mt/cdp-15-mt-book/nm-cdp-discover.html
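    The layout above, as an added worked example (not code from the original page or from Cisco): a Python builder and decoder for a CDPv2 frame, covering the 802.3 header addressed to the CDP multicast MAC, the LLC/SNAP header, the CDP header and the TLVs, with the checksum computed on the way out and verified on the way in. The neighbor details (SW-ACCESS-1, its port and its version string) are made up. The checksum routine handles only even-length payloads: Cisco computes the checksum over an odd trailing byte differently from RFC 1071, and that variant is deliberately not reproduced, so the decoder reports checksum_ok as None for odd-length frames rather than guessing.

```python
"""Build and decode a CDPv2 frame: 802.3 header to 01:00:0C:CC:CC:CC, LLC/SNAP
header (AA AA 03 / 00 00 0C / 20 00), CDP header (version, TTL, checksum), TLVs.

Added example, not code from the original page. The neighbor is made up.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
# LLC 0xAAAA03 + Org ID 0x00000C (Cisco) + HDLC protocol type 0x2000 (CDP)
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

# TLV type codes as decoded by Wireshark's CDP dissector.
TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0007: "IP Prefix", 0x0009: "VTP Management Domain",
    0x000A: "Native VLAN", 0x000B: "Duplex",
}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def ip_checksum(data):
    """Standard IP (RFC 1071) one's-complement checksum over even-length data.

    Cisco's handling of a trailing odd byte in CDP differs from RFC 1071 and is
    deliberately not reproduced here, so odd-length input is rejected.
    """
    if len(data) % 2:
        raise ValueError("odd-length CDP payload: Cisco-specific checksum variant not implemented")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type, value):
    # The Length field covers the 4-byte type/length header plus the value.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac, device_id, port_id, capabilities, native_vlan,
                    full_duplex, software_version, version=2, ttl=180):
    """Return a complete 802.3 frame carrying one CDP advertisement.

    ttl=0 produces the announcement a device sends just before an interface goes down.
    """
    body = b"".join([
        tlv(0x0001, device_id.encode()),
        tlv(0x0003, port_id.encode()),
        tlv(0x0004, struct.pack("!I", capabilities)),
        tlv(0x000A, struct.pack("!H", native_vlan)),
        tlv(0x000B, b"\x01" if full_duplex else b"\x00"),
        tlv(0x0005, software_version.encode()),
    ])
    header = struct.pack("!BBH", version, ttl, 0)     # checksum field zeroed while computing
    cdp = struct.pack("!BBH", version, ttl, ip_checksum(header + body)) + body
    payload = SNAP_HEADER + cdp
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(payload)) + payload


def decode_value(tlv_type, value):
    if tlv_type in (0x0001, 0x0003, 0x0005, 0x0006, 0x0009):
        return value.decode(errors="replace")
    if tlv_type == 0x0004:
        bits = struct.unpack("!I", value)[0]
        return {"raw": bits, "flags": [n for b, n in CAPABILITY_BITS.items() if bits & b]}
    if tlv_type == 0x000A:
        return struct.unpack("!H", value)[0]
    if tlv_type == 0x000B:
        return "full" if value == b"\x01" else "half"
    return value.hex()      # Addresses, IP Prefix and unknown types are left raw


def parse_cdp_frame(frame):
    """Decode an 802.3/SNAP/CDP frame; checksum_ok is None when the payload is odd-length."""
    dst, src, length = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST_MAC:
        raise ValueError("destination is not the CDP multicast MAC")
    payload = frame[14:14 + length]
    if payload[:8] != SNAP_HEADER:
        raise ValueError("not a Cisco SNAP frame with protocol type 0x2000")
    cdp = payload[8:]
    version, ttl, checksum = struct.unpack("!BBH", cdp[:4])
    checksum_ok = None
    if len(cdp) % 2 == 0:
        checksum_ok = ip_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) == checksum
    tlvs, pos = {}, 4
    while pos + 4 <= len(cdp):
        t, l = struct.unpack("!HH", cdp[pos:pos + 4])
        if l < 4 or pos + l > len(cdp):      # malformed length: refuse rather than over-read
            raise ValueError("bad TLV length %d at offset %d" % (l, pos))
        tlvs[TLV_NAMES.get(t, "type_0x%04x" % t)] = decode_value(t, cdp[pos + 4:pos + l])
        pos += l
    return {"src_mac": src.hex(":"), "version": version, "ttl": ttl,
            "checksum_ok": checksum_ok, "tlvs": tlvs}


if __name__ == "__main__":
    # Constructed sample neighbor (made up; not a real capture).
    frame = build_cdp_frame(bytes.fromhex("001122334455"), "SW-ACCESS-1", "GigabitEthernet1/0/1",
                            0x08 | 0x20, 10, True, "Cisco IOS Software, Version 15.2(7)E")
    print(parse_cdp_frame(frame))
```

    Running a real capture through parse_cdp_frame is the quickest way to see exactly what a switch discloses on a user-facing port (platform, software version, native VLAN, management addresses), which is the information the CDP Spoofing section below is concerned with. The length check on every TLV matters for the same reason: a decoder that trusts the Length field is a decoder an attacker on the segment can crash.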

     

     

    CDP Configuration:

    • CDP is enabled by default on Cisco devices, globally and on every supported interface.
    • CDP cannot be enabled on an interface while it is disabled globally: cdp enable on an interface only takes effect when cdp run is configured.
    • If CDP has been disabled on an interface and the encapsulation of that interface is later changed, CDP is automatically re-enabled on that interface, even though it was previously disabled.

     

    (config)# cdp run

    Enables CDP globally on device.

    (config)# no cdp run

    Disables CDP globally on device.

     

    (config-if)# cdp enable

    Enables CDP on an interface (takes effect only if CDP is enabled globally).

    (config-if)# no cdp enable

    Disables CDP on an interface.

     

    (config)# cdp timer <seconds>

    Specifies how often CDP packets are transmitted. Default 60 seconds.

    (config)# cdp holdtime <seconds>

    Specifies how long a receiving device should hold the information before discarding it (the TTL advertised in the packet). Default 180 seconds.

     

     

     

     

     

     


     

     

     

    CDP Monitoring and Maintenance Commands

    • clear cdp counters
    • clear cdp table
    • show cdp
    • show cdp entry {* | device-name} [protocol | version]
    • show cdp interface [type number]
    • show cdp neighbors [type number] [detail]
    • show cdp traffic

     

     

    CDP Spoofing


    CDP is unauthenticated, so any host on the segment can send CDP frames. In CDP spoofing (flooding), an attacker sends frames to the CDP multicast address 01:00:0c:cc:cc:cc with a different forged source MAC address and device ID in each one. When a Cisco device receives these frames it adds each of them to its CDP table, and because the attacker can send thousands of frames per second the table keeps growing until the device runs short of memory or CPU; if the device cannot cope with the load it may become unresponsive or crash after a while. The same lack of authentication lets an attacker on the segment read the platform, software version, native VLAN and addresses that CDP advertises, which is useful reconnaissance. That is why it is recommended to disable CDP (no cdp enable) on interfaces that connect to non-Cisco devices or user workstations, and to leave it enabled only where a neighbor genuinely needs it, such as uplinks and ports serving PoE devices that use CDP for power negotiation.
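    One way to spot the flood described above from the wire, as an added example (not code from the original page): a Python detector that slides a window over per-frame records (timestamp, local interface, source MAC, destination MAC) and alerts when a port hears more distinct CDP sources, or more CDP frames, than a legitimate neighbor set could produce. The thresholds and the frame records are constructed for the example; real records would come from a SPAN session or a CDP-aware sensor, and the on-box check for the same condition is the entry count in show cdp neighbors together with the counters in show cdp traffic.

```python
"""Flag a CDP table flood from per-frame metadata: a legitimate port hears one
or two neighbors announcing every 60 s, whereas a flood shows hundreds of
distinct source MACs within seconds.

Added example, not code from the original page. The frame records are
constructed here, not taken from a capture.
"""
from collections import defaultdict, deque

CDP_DST = "01:00:0c:cc:cc:cc"


def detect_cdp_flood(frames, window=60.0, max_sources=4, max_frames=16):
    """frames: iterable of (timestamp_s, local_interface, src_mac, dst_mac).

    Returns {interface: {"distinct_sources": n, "frames_in_window": m, "first_alert": t}}
    for every interface that exceeded either threshold inside a sliding window.
    Thresholds are example values: a switch, a phone and the PC behind it,
    each announcing once a minute, stay well below them.
    """
    recent = defaultdict(deque)     # interface -> (timestamp, src_mac) pairs inside the window
    alerts = {}
    for ts, iface, src, dst in sorted(frames):
        if dst.lower() != CDP_DST:
            continue                 # not CDP; ignore
        q = recent[iface]
        q.append((ts, src.lower()))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct > max_sources or len(q) > max_frames:
            a = alerts.setdefault(iface, {"distinct_sources": 0, "frames_in_window": 0,
                                          "first_alert": ts})
            a["distinct_sources"] = max(a["distinct_sources"], distinct)
            a["frames_in_window"] = max(a["frames_in_window"], len(q))
    return alerts


def constructed_frames():
    """Five minutes of traffic on three ports (made up for the example)."""
    frames = []
    for t in range(0, 301, 60):
        frames.append((float(t), "Gi1/0/24", "00:1a:2b:3c:4d:01", CDP_DST))   # uplink: core switch
        frames.append((float(t), "Gi1/0/5", "00:1a:2b:3c:4d:02", CDP_DST))    # IP phone ...
        frames.append((float(t), "Gi1/0/5", "00:1a:2b:3c:4d:03", CDP_DST))    # ...and the PC behind it
    # Attacker on Gi1/0/7: 500 CDP frames, each with a fresh forged source MAC, in two seconds.
    for i in range(500):
        frames.append((30.0 + i * 0.004, "Gi1/0/7",
                       "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), CDP_DST))
    return frames


if __name__ == "__main__":
    for iface, a in detect_cdp_flood(constructed_frames()).items():
        print(iface, a)
```

    The alert carries the offending local interface, which is the only thing the responder needs: the forged source MACs are worthless as identifiers, and the fix is no cdp enable on that port (or, better, on every user-facing port before the flood happens).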

     

     

     

    ~~~~~ ***** ~~~~~

     

    Any suggestions to improve the content of this document are most welcome ...

     

    Regards

    Deben Bhattarai

    BenStdyNet - The Quick PICK | Network All the Way