Cisco Discovery Protocol (CDP)

When there is a problem with the network, time matters.  We need to be able to move quickly from device to device in order to identify and rectify the problem.  For that to happen, we have to know where to go next, and how to get there.  A while back, I wrote about how important network diagrams are.  When done right, they allow us to instantly determine what the next device in the line is and what its IP address is, so we can remote into it.  If you have this (and keep it updated), then life is good and you can probably skip the rest of this post; but if you’re like most of the Net Techs I have worked with, your network diagram is little more than a few lines connecting some JNNs and CPNs to a satellite.

So if that is the case, how do we know where to go next down the line when we’re troubleshooting?  Option 1 is to get up and physically move from device to device (assuming you’re actually there on site), and option 2 is to use a hugely valuable tool that Cisco has already given us: Cisco Discovery Protocol (CDP).  On the off chance you have no idea what CDP is, it’s basically a layer 2 protocol that regularly advertises basic information (management IP address, operating system, etc.) to other directly connected devices.  Because it’s layer 2, as long as the CAT5 or serial cable connecting the two devices works, CDP will work even if there is no routing.

What Did Cisco Discover?

So what exactly does CDP show us?  There are two commands we’ll talk about: “show cdp neighbor” and “show cdp neighbor detail”.  “show cdp neighbor” is a very useful command for getting a general idea of what exactly is connected to our device, along with some basic information about those devices.  Here is a look at what is currently hooked up to my switch in my lab.  As you can see, on ports FastEthernet 0/9, 0/11, and 0/14 are three other switches.  Additionally, you see two IP phones and a couple of routers.  The “device ID” is the name of the device on the other side of the wire.  The “capabilities” column tells us the basic type of device we are connected to and what kind of functionality it has, while the “platform” column tells us the model of the attached device.  Finally, the “port ID” column tells us which port the cable is plugged into on the other device.

[Screenshot: Show CDP Neighbor]

The “show cdp neighbor” command is great when we finally decide to start putting together our network diagrams, because it can show us on a single screen how all of our devices are connected off of this switch, on both sides of the cable.  The one thing it doesn’t tell us, though, is how to connect to the device.  Using the “show cdp neighbor detail” command we are able to see a little more information.  Here we are looking at the details for the device connected to interface FastEthernet 0/9 (Switch2).  Again, we see the device name and the interfaces (both local and remote) that connect the two devices.  We see one other piece of important information, though: the management IP address of the remote device.

[Screenshot: Show CDP Neighbor Detail]

But CDP Doesn’t Work on my System

So with all of the benefits that CDP offers us, especially when we’re running around trying to trace cables, why doesn’t everyone use it?  The short answer is that under the baseline configurations for WIN-T (at least Inc1; I’m not sure about Inc2), CDP is either completely disabled or severely limited.  By default, all routers have CDP disabled using the “no cdp run” command, which completely disables it on the device.  Additionally, if you look, you’ll see the “no cdp enable” command placed on most of the interfaces.  On the switches, you’ll only see the “no cdp enable” command on the non-access ports.  The reason is that in order for the switch to assign IP phones to the voice VLAN when they get plugged in, CDP has to be working on the interface the phone plugs into.

People say that CDP is supposed to be disabled due to STIG requirements, although that is obviously not true, or else it wouldn’t be allowed on access ports.  Previous STIGs stated only that CDP should be disabled on external-facing ports (ports connecting to devices outside of our control), such as your FDMA link or the fiber connecting to a sister/parent unit.  The current STIG doesn’t actually mention disabling CDP at all.

So what does this mean for us?  It means that you are perfectly OK to enable CDP on your network; just do it smartly.  If you have an interface that connects to a device outside of your control, place the “no cdp enable” command on that interface to block CDP there.  If the interface connects to a host or to your LAN, then by all means make your life a little easier when time matters and enable it.
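As an added example (not from the original post), here is a small Python parser for the kind of “show cdp neighbor detail” output described above: it pulls out the device ID, management IP, platform, capabilities and both port names for each neighbor, and then flags any neighbor learned on an interface you consider external-facing, which is exactly where “no cdp enable” belongs.  The sample output, hostnames, addresses and models are constructed placeholders, not a capture from a real device.

```python
import re

# Constructed sample of "show cdp neighbors detail" output; hostnames,
# addresses and models are placeholders, not captured from a real device.
SAMPLE = """\
-------------------------
Device ID: Switch2
Entry address(es):
  IP address: 192.0.2.12
Platform: cisco WS-C3560-24PS,  Capabilities: Switch IGMP
Interface: FastEthernet0/9,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 155 sec

-------------------------
Device ID: Router1
Entry address(es):
  IP address: 192.0.2.1
Platform: Cisco 2811,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/24,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 141 sec
"""

RE_ID = re.compile(r"^Device ID:\s*(\S+)", re.M)
RE_IP = re.compile(r"^\s*IP address:\s*(\S+)", re.M)
RE_PLAT = re.compile(r"^Platform:\s*(.*?),\s+Capabilities:\s*(.*?)\s*$", re.M)
RE_IF = re.compile(r"^Interface:\s*(\S+),\s+Port ID \(outgoing port\):\s*(\S+)", re.M)

def parse_cdp_detail(text):
    """One dict per neighbor: identity, management IP and the two port names."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):  # one block per neighbor
        m_id = RE_ID.search(block)
        if not m_id:
            continue  # empty chunk before the first separator line
        m_ip, m_plat, m_if = RE_IP.search(block), RE_PLAT.search(block), RE_IF.search(block)
        neighbors.append({
            "device_id": m_id.group(1),
            "mgmt_ip": m_ip.group(1) if m_ip else None,
            "platform": m_plat.group(1) if m_plat else None,
            "capabilities": m_plat.group(2).split() if m_plat else [],
            "local_if": m_if.group(1) if m_if else None,
            "remote_if": m_if.group(2) if m_if else None,
        })
    return neighbors

def cdp_on_external(neighbors, external_ifs):
    """Neighbors learned on ports facing devices outside our control: an entry
    there means CDP is still enabled where 'no cdp enable' belongs."""
    return [n for n in neighbors if n["local_if"] in external_ifs]
```

Feed it the text of your own “show cdp neighbor detail” output and the set of interface names you treat as external, and anything it returns from cdp_on_external is a port that still needs “no cdp enable”.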