CDP – Cisco Discovery Protocol

CDP – Cisco Discovery Protocol is a powerful network monitoring and troubleshooting tool for Cisco devices. CDP is a tool used by network administrators to see information about directly connected Cisco devices. CDP is a tool that enables you to access a summary of protocol and see information about Cisco devices that are connected. Each Cisco device sends periodic messages. These are known as CDP advertisements. Cisco device is sending them to other directly connected Cisco devices. These advertisements contain information about the types of devices that are connected, IP configuration of devices on other side, interfaces they are connected to, the interfaces used to make the connections, and the model numbers of the devices.

If you are interested in industry-standard, vendor-neutral solution for CDP functionality check out LLDP:

If you are in the situation where you are administrating network that is made from Cisco devices they are all speaking CDP language between them. Information that you can receive from other devices can assist you in making network design decisions, troubleshooting, and making changes to equipment configuration. CDP can be used as a network discovery tool, helping you to build a logical topology when there is no other way to actually see the topology and documentation is missing.

Another thing that is important for CDP is that CDP operates at Layer 2 only. That means, CDP neighbors are Cisco devices that are directly connected physically and share the same segment – cable.

This is sometime confusing if you are newbee in CDP. You must notice the difference between Layer 2 and Layer 3 neighbors. Layer 3 neighbors are devices that share same address subnet that is not the case with Layer 2. The switches are not neighbors to the routers at Layer 3, because the switches are operating at Layer 2 only. However, the switches are Layer 2 neighbors to their directly connected routers.

CDP Operation

CDP runs at the Data Link layer connecting the physical media to the upper-layer protocols (ULPs). Because CDP operates at the Data Link layer, two or more Cisco network devices, such as routers that support different Network layer protocols (for example, IP and Novell IPX), can learn about each other. When a Cisco device boots up, CDP starts up by default. CDP automatically discovers neighboring Cisco devices running CDP, regardless of which protocol or suites are running. CDP exchanges hardware and software device information with its directly connected devices.

But how is this working? Cisco devices send CDP announcements to the multicast address: 01-00-0c-cc-cc-cc, on each network interface. Multicast packets may understand only Cisco switch and some other networking devices that support CDP. This multicast destination address is also used in other Cisco proprietary  protocols, for example VTP. CDP message is sent every 60 seconds on interfaces. Each Cisco device that supports CDP stores the information received from other devices and this information can bee seen using the show cdp neighbors command. The CDP table information is refreshed each time an announcement is received. Holdtime is the time that the entry will stay in the CDP table without new announcement. If no announcements are received from a device for a period of 180 seconds  the device information is discarded. Of course, holdtime can be modified.

CDP neighbors

CDP “knows” the following information about each CDP neighbor device:

  • Device identifiers – For example, the configured host name of a switch
  • Address list – Up to one Network layer address for each protocol supported
  • Port identifier – The name of the local and remote port-in the form of an ASCII character string such as ethernet0
  • Capabilities list – For example, whether this device is a router or a switch
  • Platform – The hardware platform of the device; for example, a Cisco 7200 series router


CDP security

CDP Security and configuration article:

By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic broadcasts that are updated locally in each device’s CDP database. Because CDP is a Layer 2 protocol, it is not propagated by routers. CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack. To learn more about CDP security and attacks that can exploit CDP vulnerability you can read our CDP security articles


Leave a Reply