CDP and LLDP — Network Discovery
Walk into a data centre with no documentation and you face a practical problem: which cable connects to which device, and what is actually plugged in? CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) solve this by having every directly connected device announce itself every 60 seconds — broadcasting its hostname, platform, software version, IP address, and the local port it is sending from. In under a minute you can reconstruct the physical topology of an undocumented network without tracing a single cable. CDP is Cisco-proprietary and enabled by default on nearly every Cisco device; LLDP is the IEEE 802.1AB open standard equivalent, supported by all major vendors, and the right choice for multi-vendor environments. Both protocols operate at Layer 2 — they work even before IP addresses are configured, making them indispensable for initial device bring-up.
This lab covers CDP and LLDP discovery commands in depth, demonstrates topology mapping across a three-device network, and explains the security implications of leaving CDP enabled on access-facing interfaces — including exactly what information an attacker on a user-facing port can harvest from CDP announcements and how to disable the protocol selectively. For the IP addressing that CDP discovers, see Basic Interface Configuration. For VLAN information exposed in CDP frames, see VLAN Creation and Management. For securing management access alongside disabling CDP, see Login Security and Brute-Force Protection.
1. How CDP Works
CDP frames are sent as multicast at Layer 2 using a well-known multicast MAC address. They are never forwarded by a switch — they travel only one hop, between directly connected devices. This is both the strength (no configuration needed, works with zero IP addressing) and the limitation (cannot discover devices beyond the immediate neighbour) of the protocol:
CDP Frame — Layer 2 Multicast (01:00:0C:CC:CC:CC) ┌──────────────────────────────────────────────────────────────┐ │ Ethernet Header (dest: 01:00:0C:CC:CC:CC — CDP multicast) │ │ LLC/SNAP header │ ├──────────────────────────────────────────────────────────────┤ │ CDP Header (Version, TTL, Checksum) │ ├──────────────────────────────────────────────────────────────┤ │ TLV: Device ID → NetsTuts-SW1 │ │ TLV: Addresses → 192.168.10.2 (management IP) │ │ TLV: Port ID → GigabitEthernet1/0/1 │ │ TLV: Capabilities → Switch, IGMP │ │ TLV: Version → Cisco IOS 15.2(4)E9 │ │ TLV: Platform → cisco WS-C2960X-48FPD-L │ │ TLV: VTP Domain → NetsTuts-VTP │ │ TLV: Native VLAN → 1 │ │ TLV: Duplex → Full │ │ TLV: Power Available → 15400 mW (PoE if applicable) │ └──────────────────────────────────────────────────────────────┘ CDP is NOT forwarded — it stays between directly connected devices: R1 ──Gi0/0── SW1 ──Gi1/0/1── SW2 ──Gi1/0/1── R2 R1 sees: SW1 (directly connected) SW1 sees: R1 (on Gi0/0) AND SW2 (on Gi1/0/1) SW2 sees: SW1 AND R2 R1 CANNOT see SW2 or R2 via CDP
| CDP Parameter | Default Value | Configurable With |
|---|---|---|
| Advertisement interval | 60 seconds | cdp timer [seconds] |
| Holdtime | 180 seconds | cdp holdtime [seconds] |
| CDP version | CDPv2 | no cdp advertise-v2 to revert to v1 |
| Enabled globally | Yes (on by default on all Cisco IOS devices) | no cdp run to disable globally |
| Enabled per interface | Yes (on all interfaces by default) | no cdp enable under the interface |
Holdtime vs Timer. The holdtime (180 s) is
how long a neighbour entry remains in the CDP table after the
last advertisement is received. If a neighbour goes silent
(cable pulled, device crashed), its entry is removed after
holdtime expires. The timer (60 s) is how often advertisements
are sent. The holdtime is typically set to 3× the timer
to allow up to two missed advertisements before a neighbour
is considered lost.
2. How LLDP Works — IEEE 802.1AB
LLDP follows the same one-hop multicast principle as CDP but
uses a different multicast MAC and a standardised TLV format
defined by IEEE 802.1AB. Every major vendor — Cisco,
Juniper, HP, Aruba, Dell, Linux with lldpd —
implements LLDP, making it the correct choice whenever
non-Cisco devices are in the topology:
| Feature | CDP | LLDP |
|---|---|---|
| Standard | Cisco proprietary | IEEE 802.1AB — open standard |
| Multicast MAC | 01:00:0C:CC:CC:CC | 01:80:C2:00:00:0E |
| Layer | Layer 2 only (Data Link) | Layer 2 only (Data Link) |
| Vendor support | Cisco devices only | All major vendors including Linux, VMware, printers, IP phones |
| Default state on Cisco IOS | Enabled globally and per-interface | Disabled by default (must be enabled with lldp run) |
| Advertisement interval | 60 seconds (default) | 30 seconds (default) |
| Holdtime | 180 seconds (default) | 120 seconds (default) |
| Transmit / Receive control | Single enable/disable per interface | Separate TX and RX can be disabled independently per interface |
| TLV format | Cisco-defined TLVs (some proprietary) | Mandatory and optional TLVs defined by IEEE; Cisco adds org-specific TLVs |
| LLDP-MED | Not applicable | LLDP-MED (Media Endpoint Discovery) extension for VoIP — advertises voice VLAN, PoE details to IP phones |
LLDP TX vs RX separation. LLDP uniquely
allows transmit and receive to be independently controlled
per interface.
no lldp transmit stops the
interface from sending LLDP frames (the device stops
advertising itself on that port) but still receives and
processes LLDP frames from connected devices.
no lldp receive does the opposite. This
granularity is useful on access ports where you want to
discover what is plugged in (receive) without announcing
your own device details (no transmit).
3. Lab Topology
Three devices are used. NetsTuts-R1 is a router connected to NetsTuts-SW1 (a Cisco Catalyst 2960X) which connects to NetsTuts-SW2 (a Cisco Catalyst 3750). An IP phone and an admin PC are connected to SW1 access ports. LLDP is enabled on all devices to also discover the non-Cisco IP phone:
192.168.10.0/24 192.168.20.0/24
| |
Gi0/0 (.1) Gi0/0 (.1)
NetsTuts-R1 NetsTuts-R2
Gi0/1 (.254) Gi0/1 (.254)
| |
Gi1/0/1 (trunk) Gi1/0/2 (trunk)
| |
NetsTuts-SW1 ────── Gi1/0/24 ──── NetsTuts-SW2
(Cisco 2960X-48FPD-L) (trunk) (Cisco 3750-48TS)
Mgmt: 192.168.10.2 Mgmt: 192.168.10.3
|
┌─────────┴─────────┐
Gi1/0/5 Gi1/0/10
Admin PC IP Phone
192.168.10.5 VLAN 20
(Win / MIB browser) (Avaya 1140E)
| Device | Model | Management IP | Key Interfaces |
|---|---|---|---|
| NetsTuts-R1 | Cisco ISR 4321 | 192.168.10.1 | Gi0/0 → SW1 Gi1/0/1 |
| NetsTuts-SW1 | Cisco 2960X-48FPD-L | 192.168.10.2 (VLAN 10) | Gi1/0/1 → R1, Gi1/0/24 → SW2, Gi1/0/5 → Admin PC, Gi1/0/10 → IP Phone |
| NetsTuts-SW2 | Cisco 3750-48TS | 192.168.10.3 (VLAN 10) | Gi1/0/2 → R2, Gi1/0/24 → SW1 |
4. Step 1 — Verify and Tune CDP
CDP is enabled by default. Before using it for discovery, verify the global CDP state and optionally tune the timer and holdtime to match your monitoring interval:
! ── Verify global CDP status ────────────────────────────────────── NetsTuts-SW1#show cdp Global CDP information: Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled ! ── Optional: tune timer and holdtime ──────────────────────────── ! Reduce timer to 30s for faster topology updates in lab environments NetsTuts-SW1(config)#cdp timer 30 NetsTuts-SW1(config)#cdp holdtime 90 ! ── Re-verify ───────────────────────────────────────────────────── NetsTuts-SW1#show cdp Global CDP information: Sending CDP packets every 30 seconds Sending a holdtime value of 90 seconds Sending CDPv2 advertisements is enabled
Reduce the timer only in lab or troubleshooting scenarios
where you need fast neighbour table updates. In production,
the default 60-second timer is appropriate — lowering
it increases the frequency of multicast frames on every
interface, adding a small amount of CPU and bandwidth overhead
on large networks. The holdtime should always be at least
2× the timer to tolerate one missed advertisement
without dropping the neighbour entry.
5. Step 2 — Enable LLDP Globally and Per-Interface
LLDP is disabled by default on Cisco IOS and must be explicitly enabled. Once enabled globally, it can be tuned per interface:
! ── Enable LLDP globally (required first) ─────────────────────────
NetsTuts-SW1(config)#lldp run
! ── Tune LLDP timer and holdtime ─────────────────────────────────
NetsTuts-SW1(config)#lldp timer 30
NetsTuts-SW1(config)#lldp holdtime 120
NetsTuts-SW1(config)#lldp reinit 2
! ── Verify LLDP global status ─────────────────────────────────────
NetsTuts-SW1#show lldp
Global LLDP Information:
Status: ACTIVE
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised is 120 seconds
LLDP interface reinitialisation delay is 2 seconds
LLDP tlv-select Management Address : enabled
LLDP tlv-select System Description : enabled
LLDP tlv-select System Capabilities : enabled
LLDP tlv-select Port Description : enabled
! ── Per-interface control: disable LLDP transmit on access port ──
! Still RECEIVE LLDP from the phone — just do not advertise SW1's details
NetsTuts-SW1(config)#interface GigabitEthernet1/0/10
NetsTuts-SW1(config-if)#no lldp transmit
NetsTuts-SW1(config-if)#exit
! ── Disable both TX and RX on the admin PC port (no discovery needed)
NetsTuts-SW1(config)#interface GigabitEthernet1/0/5
NetsTuts-SW1(config-if)#no lldp transmit
NetsTuts-SW1(config-if)#no lldp receive
NetsTuts-SW1(config-if)#exit
! ── Verify per-interface LLDP state ──────────────────────────────
NetsTuts-SW1#show lldp interface GigabitEthernet1/0/10
GigabitEthernet1/0/10:
Tx: disabled
Rx: enabled
Tx state: IDLE
Rx state: WAIT FOR FRAME
lldp reinit [seconds] sets the delay before LLDP
starts transmitting on an interface after it initialises or
comes back up — this prevents a burst of LLDP frames
during link flaps. The default is 2 seconds. Per-interface
LLDP control is more granular than CDP: you can silence LLDP
transmissions on untrusted access ports while still listening
for LLDP-MED announcements from IP phones on those same ports.
6. Step 3 — CDP Discovery Commands
show cdp neighbors
The most commonly used CDP command. Shows a concise one-line summary per neighbour — enough to map the physical topology quickly. Run from NetsTuts-SW1:
NetsTuts-SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
NetsTuts-R1 Gig 1/0/1 163 R S I ISR4321 Gig 0/0
NetsTuts-SW2 Gig 1/0/24 141 S I WS-C3750 Gig 1/0/24
| Column | Meaning | Key Use |
|---|---|---|
| Device ID | Hostname of the neighbour device (from hostname command on that device) |
Identify the device — matches what you would see in its CLI prompt |
| Local Intrfce | The interface on this device where the CDP frame was received | The local cable endpoint — tells you which port on the current device connects to the neighbour |
| Holdtme | Remaining seconds before this entry expires if no new CDP frame is received | Holdtime near 0 = neighbour is about to be removed — link or device issue |
| Capability | Device type codes: R=Router, S=Switch, I=IGMP, P=Phone, H=Host | Quickly identify device role without logging in |
| Platform | Hardware model of the neighbour | Identify model for troubleshooting, capacity planning, or EOL checks |
| Port ID | The interface on the neighbour device that connects to this device | The remote cable endpoint — tells you which port on the neighbour connects here |
show cdp neighbors detail
The detailed view adds IP addresses, IOS version, VTP domain, native VLAN, duplex, and power information — the full discovery dataset:
NetsTuts-SW1#show cdp neighbors detail ------------------------- Device ID: NetsTuts-R1 Entry address(es): IP address: 192.168.10.1 Platform: cisco ISR4321, Capabilities: Router Switch IGMP Interface: GigabitEthernet1/0/1, Port ID (outgoing port): GigabitEthernet0/0 Holdtime : 163 sec Version : Cisco IOS XE Software, Version 16.09.05 RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport advertisement version: 2 VTP Management Domain: '' Duplex: full Management address(es): IP address: 192.168.10.1 ------------------------- Device ID: NetsTuts-SW2 Entry address(es): IP address: 192.168.10.3 Platform: cisco WS-C3750-48TS, Capabilities: Switch IGMP Interface: GigabitEthernet1/0/24, Port ID (outgoing port): GigabitEthernet1/0/24 Holdtime : 141 sec Version : Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(55)SE12 RELEASE SOFTWARE (fc2) advertisement version: 2 VTP Management Domain: 'NetsTuts-VTP' Native VLAN: 1 Duplex: full
The detailed output reveals the exact IOS version
of every neighbour — including the full version string
with patch level. This is precisely the information an attacker
needs to identify known vulnerabilities (CVEs) in neighbouring
devices from a single access port. The VTP domain
name, native VLAN, and management
IP are also exposed. This is the core of the CDP
security concern: CDP is an information goldmine on any
port that faces untrusted users or devices.
show cdp entry [device-id]
! ── Query a specific neighbour by hostname ───────────────────────── NetsTuts-SW1#show cdp entry NetsTuts-R1 ------------------------- Device ID: NetsTuts-R1 Entry address(es): IP address: 192.168.10.1 Platform: cisco ISR4321 Interface: GigabitEthernet1/0/1, Port ID (outgoing port): GigabitEthernet0/0 Holdtime : 158 sec Version : Cisco IOS XE Software, Version 16.09.05 Duplex: full Management address(es): IP address: 192.168.10.1
show cdp interface
NetsTuts-SW1#show cdp interface GigabitEthernet1/0/1 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 30 seconds Holdtime is 90 seconds GigabitEthernet1/0/5 is up, line protocol is up Encapsulation ARPA CDP is not enabled on this interface GigabitEthernet1/0/10 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 30 seconds Holdtime is 90 seconds GigabitEthernet1/0/24 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 30 seconds Holdtime is 90 seconds
show cdp interface lists every interface and
whether CDP is active on it. The Gi1/0/5 entry shows
"CDP is not enabled on this interface" — confirming
that the earlier no cdp enable took effect.
This is the command to verify per-interface CDP state
without having to check the running-config line by line.
7. Step 4 — LLDP Discovery Commands
show lldp neighbors
NetsTuts-SW1#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
NetsTuts-R1 Gi1/0/1 120 R Gi0/0
NetsTuts-SW2 Gi1/0/24 112 B Gi1/0/24
Avaya-1140E Gi1/0/10 108 T eth0
Total entries displayed: 3
The critical difference from CDP: the Avaya IP phone
(Avaya-1140E) appears in the LLDP neighbour
table as a Telephone (T) on Gi1/0/10. This device would
be invisible to CDP since it is not a Cisco device. LLDP
with LLDP-MED extensions allows the phone to also advertise
its required voice VLAN and PoE power class — enabling
the switch to automatically assign the correct voice VLAN
to the phone port without manual configuration.
show lldp neighbors detail
NetsTuts-SW1#show lldp neighbors detail
------------------------------------------------
Local Intf: Gi1/0/1
Chassis id: a0.e0.af.11.22.01
Port id: Gi0/0
Port Description: GigabitEthernet0/0
System Name: NetsTuts-R1
System Description:
Cisco IOS XE Software, Version 16.09.05, ISR4321/K9
Time remaining: 112 seconds
System Capabilities: B, R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
1000baseT(FD)
100base-TX(FD)
100base-TX(HD)
Media Attachment Unit type: 30
Vlan ID: - not advertised
------------------------------------------------
Local Intf: Gi1/0/10
Chassis id: 00.1a.4b.55.66.77
Port id: eth0
Port Description: PC Port
System Name: Avaya-1140E
System Description:
Avaya IP Deskphone 1140E, Release 4.3.x
LLDP-MED Capabilities: LLDP-MED Capabilities, Network Policy, Extended Power via MDI-PD
Time remaining: 108 seconds
System Capabilities: T
Enabled Capabilities: T
MED Information:
MED Codes:
(NP) Network Policy, (LO) Location, (PS) PSE, (PD) PD,
(IN) Inventory
Media Class : Endpoint Class III
Network Policy(Voice): VLAN 20, Dscp: 46, Priority: 5, Tagged, yes
Power Type : PD device
Power Source : PSE
Power Priority : Critical
Power Value : 6100 mW
The LLDP-MED output from the Avaya phone reveals its requested
network policy: Voice VLAN 20, DSCP 46, Priority 5.
The switch can use this to automatically configure the voice
VLAN on Gi1/0/10. The power information (6100 mW
required, sourced from PSE) tells the switch's PoE subsystem
exactly how much power to budget for this port. This level of
automated negotiation is unique to LLDP-MED and is why LLDP
has become the standard for enterprise VoIP deployments.
show lldp entry [device-id]
NetsTuts-SW1#show lldp entry NetsTuts-R1 ------------------------------------------------ Local Intf: Gi1/0/1 Chassis id: a0.e0.af.11.22.01 Port id: Gi0/0 Port Description: GigabitEthernet0/0 System Name: NetsTuts-R1 System Description: Cisco IOS XE Software, Version 16.09.05 Time remaining: 105 seconds System Capabilities: B, R Enabled Capabilities: R
show lldp traffic
NetsTuts-SW1#show lldp traffic
LLDP traffic statistics:
Total frames out: 847
Total entries aged: 2
Total frames in: 1203
Total frames received in error: 0
Total frames discarded: 0
Total TLVs discarded: 0
Total TLVs unrecognized: 14
TLVs unrecognized: 14 indicates that the Avaya
phone is sending LLDP-MED TLVs that this IOS version recognises
but does not display — or vendor-specific TLVs outside
the standard set. This counter incrementing is normal in
multi-vendor environments. Total entries aged: 2
means two neighbour entries expired naturally (holdtime elapsed
without a new frame) — typical on ports where devices
were disconnected.
8. Step 5 — Mapping the Full Topology with CDP
Since CDP is one-hop only, mapping a multi-device topology
requires logging into each device in sequence and running
show cdp neighbors. The result builds the complete
Layer 2 topology map without any other tools. Starting from
NetsTuts-R1:
! ── Step 1: Run CDP from R1 ─────────────────────────────────────── NetsTuts-R1#show cdp neighbors Device ID Local Intrfce Holdtme Capability Platform Port ID NetsTuts-SW1 Gig 0/0 172 S I WS-C2960X Gig 1/0/1 ! R1 sees: SW1 on Gi0/0 (local) ↔ Gi1/0/1 (remote) ! Next: SSH to SW1 and repeat ! ── Step 2: Run CDP from SW1 ────────────────────────────────────── NetsTuts-SW1#show cdp neighbors Device ID Local Intrfce Holdtme Capability Platform Port ID NetsTuts-R1 Gig 1/0/1 163 R S I ISR4321 Gig 0/0 NetsTuts-SW2 Gig 1/0/24 141 S I WS-C3750 Gig 1/0/24 ! SW1 sees: R1 (upstream) AND SW2 (downstream) ! Next: SSH to SW2 and repeat ! ── Step 3: Run CDP from SW2 ────────────────────────────────────── NetsTuts-SW2#show cdp neighbors Device ID Local Intrfce Holdtme Capability Platform Port ID NetsTuts-SW1 Gig 1/0/24 155 S I WS-C2960X Gig 1/0/24 NetsTuts-R2 Gig 1/0/2 148 R S I ISR4321 Gig 0/1 ! SW2 sees: SW1 (upstream) AND R2 (downstream) ! Topology reconstruction complete.
Reconstructed Topology from CDP Data:
NetsTuts-R1 NetsTuts-R2
[ISR4321] [ISR4321]
Gi0/0 ◄──────────────► Gi1/0/1 Gi0/1 ◄──────────────► Gi1/0/2
NetsTuts-SW1 NetsTuts-SW2
[WS-C2960X-48FPD-L] [WS-C3750-48TS]
Gi1/0/24 ◄──────────────────► Gi1/0/24
CDP Discovery Path:
R1 → (sees SW1) → SSH to SW1 → (sees R1, SW2) → SSH to SW2 → (sees SW1, R2) → done
Physical cable map (confirmed by CDP Port ID column):
R1 Gi0/0 ←→ SW1 Gi1/0/1
SW1 Gi1/0/24 ←→ SW2 Gi1/0/24
SW2 Gi1/0/2 ←→ R2 Gi0/1
This systematic hop-by-hop discovery is exactly how network
engineers document undocumented networks. The
Local Intrfce and Port ID
columns together give you both ends of each physical cable.
Combining this with
show cdp neighbors detail
(for IP addresses) and show cdp entry * (for
all entries) produces a complete topology diagram in minutes.
Automated NMS tools like Cisco DNA Center, SolarWinds, and
LibreNMS use exactly this CDP/LLDP walk process to auto-discover
and draw topology maps. Use SSH
to hop between devices during the discovery walk.
9. Step 6 — CDP Security: What CDP Exposes and When to Disable It
What an Attacker Learns from a Single CDP Frame
A device connected to any CDP-enabled port — including a user workstation, a rogue device plugged into a lobby switch port, or a compromised endpoint — receives full CDP announcements every 60 seconds without any authentication. No password, no credentials, no acknowledgement required:
| Information in CDP Frame | What an Attacker Does With It | Attack Vector Enabled |
|---|---|---|
| IOS version string (exact, including patch level) | Cross-reference with NIST NVD or Cisco PSIRT advisories to identify known CVEs for that exact version | Targeted exploit selection — skip patched versions, focus on unpatched neighbours |
| Device model / platform | Identify hardware generation, module capabilities, and memory constraints. Determine if device supports 802.1X or NAC | Targeted denial-of-service or resource exhaustion against known model limitations |
| Management IP address | Direct SSH/Telnet/SNMP attack target — the management IP is immediately known without any scanning | Eliminates the reconnaissance phase of management plane attacks |
| VTP domain name | Required for VTP injection attacks — an attacker must know the VTP domain to send a crafted VTP summary advertisement that could delete all VLANs | VLAN database poisoning via VTP (if VTP version 1 or 2 with no authentication) |
| Native VLAN ID | Required for VLAN hopping attacks via double-tagging — attacker must know the native VLAN to craft the outer tag | Double-tagging VLAN hop: attacker on access VLAN crafts frame with native VLAN outer tag to reach trunk-only VLANs |
| Device hostname | Used in social engineering, targeted phishing, or brute-force login attempts that reference specific device names | Intelligence gathering for targeted attacks on management credentials. See Login Security and Brute-Force Protection |
Where to Disable CDP (and LLDP TX)
| Interface Type | CDP Recommendation | LLDP Recommendation | Rationale |
|---|---|---|---|
| Uplinks to trusted switches (trunk ports) | Enable — CDP essential for topology awareness and troubleshooting | Enable both TX and RX | Trusted infrastructure — discovery benefits outweigh risk. Both devices are managed and authenticated |
| Router-to-router links | Enable — CDP verifies correct cable connections and interface assignment | Enable | Both ends are managed Cisco/enterprise devices. Discovery is operationally valuable |
| Access ports to user PCs / workstations | Disable (no cdp enable) |
Disable TX (no lldp transmit), optionally keep RX |
Users have no operational need for CDP data. An endpoint on this port can passively read full CDP frames. Consider also Port Security and DHCP Snooping on these ports |
| Access ports to IP phones | Disable CDP transmit, consider enabling for voice VLAN auto-config (Cisco phones use CDP for VVID) | Keep LLDP RX enabled for LLDP-MED — disable LLDP TX | Cisco IP phones use CDP to learn the voice VLAN ID. Non-Cisco phones use LLDP-MED. Keep the relevant protocol, restrict the other. See Voice VLAN Configuration |
| Ports facing the internet / WAN / untrusted networks | Disable globally or per-interface | Disable globally or per-interface | Any untrusted device or circuit on the other end receives full device intelligence for free |
| Management ports / out-of-band management | Disable (dedicated OOB management does not benefit from CDP) | Disable | OOB management devices are typically fixed and known — no discovery benefit, potential information leakage |
Disabling CDP — Global and Per-Interface
NetsTuts-SW1(config)#end NetsTuts-SW1#conf t ! ── Option 1: Disable CDP globally on the device ───────────────── ! Stops ALL CDP — no more advertising or learning from any interface NetsTuts-SW1(config)#no cdp run ! ── Option 2 (recommended): Disable only on untrusted interfaces ─ ! Keep CDP on uplinks, disable on access ports facing users/internet ! Re-enable CDP globally first (if you disabled it above) NetsTuts-SW1(config)#cdp run ! Disable on access ports to workstations NetsTuts-SW1(config)#interface range GigabitEthernet1/0/5 - 9 NetsTuts-SW1(config-if-range)#no cdp enable NetsTuts-SW1(config-if-range)#exit ! Disable on the internet-facing uplink (if applicable) NetsTuts-SW1(config)#interface GigabitEthernet1/0/48 NetsTuts-SW1(config-if)#no cdp enable NetsTuts-SW1(config-if)#exit ! ── Disable LLDP TX on untrusted access ports ───────────────────── NetsTuts-SW1(config)#interface range GigabitEthernet1/0/5 - 9 NetsTuts-SW1(config-if-range)#no lldp transmit NetsTuts-SW1(config-if-range)#exit NetsTuts-SW1(config)#end NetsTuts-SW1#wr Building configuration... [OK]
The selective approach — disabling CDP on access ports
while keeping it on trunk/uplink ports — is the
recommended production posture. Complete global disabling with
no cdp run is appropriate on edge devices facing
untrusted networks (internet-facing routers, DMZ firewalls)
but would remove operational visibility on core/distribution
switches where neighbour discovery is actively used for
troubleshooting. For Cisco IP phones that rely on CDP to learn
the voice VLAN ID, disabling CDP on the phone port breaks
voice VLAN assignment — evaluate whether the phone uses
CDP (Cisco phones) or LLDP-MED (non-Cisco phones) before
disabling. See Voice VLAN Configuration for details.
10. Verification
Verification Command Summary
| Command | Protocol | What It Shows | Primary Use |
|---|---|---|---|
show cdp |
CDP | Global CDP status, timer, holdtime, CDPv2 state | Confirm CDP is enabled and running with expected timer values |
show cdp neighbors |
CDP | One-line summary per neighbour: device ID, local/remote port, capability, platform | Quick topology snapshot — first command to run when troubleshooting physical connectivity |
show cdp neighbors detail |
CDP | Full detail per neighbour: IP, IOS version, VTP domain, native VLAN, duplex | IP discovery without layer 3 reachability — get management IP before routing is configured |
show cdp entry [device-id] |
CDP | Full detail for one specific neighbour by hostname | Target a specific device when the topology is large and full detail output is cluttered |
show cdp interface |
CDP | Per-interface CDP state (enabled/disabled), timer, holdtime | Verify selective disable — confirm CDP is off on access ports and on for uplinks |
show lldp |
LLDP | Global LLDP status, timer, holdtime, reinit delay, TLV settings | Confirm LLDP is enabled after lldp run |
show lldp neighbors |
LLDP | One-line summary per LLDP neighbour including non-Cisco devices | Discover non-Cisco neighbours (phones, Linux hosts, other vendor switches) invisible to CDP |
show lldp neighbors detail |
LLDP | Full LLDP detail including LLDP-MED voice VLAN, PoE power class | Discover IP phone voice VLAN requirements and PoE budget needs |
show lldp interface [int] |
LLDP | Per-interface LLDP TX/RX state | Verify independent TX/RX disable on access ports |
show lldp traffic |
LLDP | Frame counters: sent, received, errors, aged entries | Diagnose LLDP communication issues — zero frames in/out after lldp run suggests a problem |
show cdp neighbors — Post-Security Configuration Verification
! ── Verify CDP disabled on access ports, active on uplinks ──────── NetsTuts-SW1#show cdp interface GigabitEthernet1/0/1 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 30 seconds ← uplink to R1: CDP active Holdtime is 90 seconds GigabitEthernet1/0/5 is up, line protocol is up Encapsulation ARPA CDP is not enabled on this interface ← admin PC port: CDP disabled GigabitEthernet1/0/6 is up, line protocol is up Encapsulation ARPA CDP is not enabled on this interface ← user port: CDP disabled GigabitEthernet1/0/24 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 30 seconds ← uplink to SW2: CDP active ! ── CDP neighbour table unchanged after disabling access ports ──── NetsTuts-SW1#show cdp neighbors Device ID Local Intrfce Holdtme Capability Platform Port ID NetsTuts-R1 Gig 1/0/1 163 R S I ISR4321 Gig 0/0 NetsTuts-SW2 Gig 1/0/24 141 S I WS-C3750 Gig 1/0/24
After disabling CDP on access ports (Gi1/0/5 through Gi1/0/9),
the CDP neighbour table is unchanged — R1 and SW2 are
still visible on the uplink ports. Devices on access ports
(admin PC, users) no longer receive CDP frames from SW1,
and SW1 no longer accepts CDP frames from those ports.
The uplink infrastructure still has full CDP visibility.
This is the correct production posture.
11. Troubleshooting CDP and LLDP Issues
| Problem | Symptom | Cause | Fix |
|---|---|---|---|
| Expected neighbour not in CDP table | show cdp neighbors does not show a device that is physically connected with a known-good cable |
CDP disabled on the interface of this device (no cdp enable), or CDP disabled on the neighbour's interface, or the link is down (check physical layer), or the holdtime expired (device recently crashed or was disconnected) |
Verify link is up: show interfaces [int] status — must show connected. Verify CDP is enabled on this interface: show cdp interface [int]. Log into the neighbour and verify show cdp interface on its side. Allow up to 60 seconds (one timer cycle) for the neighbour to appear after enabling CDP or connecting the cable. |
| CDP shows wrong port ID or unexpected neighbour | CDP neighbour table shows a device that should not be connected, or the port IDs do not match the expected cabling diagram | Incorrect cable patching — the physical cable is plugged into the wrong port. CDP is confirming what is physically connected, not what the documentation says should be connected | Trust CDP over the documentation. The Port ID columns in show cdp neighbors show the actual physical connection. Use this to correct the cable diagram. If the topology is genuinely wrong, re-patch accordingly and verify the neighbour table updates. |
LLDP not showing neighbours after lldp run |
show lldp neighbors shows no entries immediately after enabling LLDP globally |
LLDP needs up to one timer cycle (30 seconds default) to send its first advertisement and receive one from the neighbour. Alternatively, lldp run was entered but is not in the running-config (config not committed, or the device platform does not support LLDP) |
Wait 30–60 seconds after enabling LLDP. Verify it is in the running-config: show running-config | include lldp run. Check per-interface state: show lldp interface [int] — both TX and RX should show enabled. Verify the neighbour device also has LLDP enabled — LLDP is bidirectional; both ends must transmit for entries to appear. |
| Cisco IP phone loses voice VLAN after CDP disabled on port | Cisco IP phone connected to the access port is assigned to the data VLAN instead of the voice VLAN after CDP was disabled on that port | Cisco IP phones use CDP to receive the Voice VLAN ID (VVID) from the switch. When CDP is disabled on the switch port, the phone cannot learn the voice VLAN and falls back to using VLAN 1 or the data VLAN | For Cisco IP phones: re-enable CDP on the phone port (cdp enable under the interface) or configure the voice VLAN statically on the phone itself. Alternatively, migrate to LLDP-MED. See Voice VLAN Configuration and Assigning VLANs to Switch Ports for voice VLAN setup details. |
| CDP neighbour shows duplicate entry for the same device | show cdp neighbors shows the same hostname twice with different local interfaces — two entries for the same device |
Two physical links connect the same pair of devices (e.g., two cables between SW1 and SW2). Each cable is a separate CDP adjacency. This is correct behaviour when EtherChannel or redundant links are present | This is not a problem — verify that redundant links are intentional (EtherChannel, dual uplinks). If only one cable was intended, remove the extra cable. If EtherChannel is configured, the port-channel interface shows one CDP adjacency; physical member interfaces each show their own entry. Use show etherchannel summary to confirm bundled ports are operating correctly. |
Non-Cisco device not appearing in LLDP after enabling lldp run |
A Linux server or non-Cisco switch is directly connected but absent from show lldp neighbors |
The non-Cisco device has LLDP disabled or not installed (Linux requires lldpd service; Windows requires the optional LLDP driver). The interface on the Cisco device has LLDP RX disabled. Or the connected device transmits but uses a non-standard LLDP multicast MAC |
On Linux: verify systemctl status lldpd and lldpctl show neighbors. On Windows: check Device Manager for LLDP driver. Verify the Cisco interface has RX enabled: show lldp interface [int] must show "Rx: enabled". Check show lldp traffic — if "Total frames in" is not incrementing while the link is up, frames are not being received, suggesting the remote device is not transmitting LLDP. |
Key Points & Exam Tips
- CDP (Cisco Discovery Protocol) is Cisco-proprietary, enabled by default on all Cisco devices, and operates at Layer 2. It sends multicast frames every 60 seconds to the well-known MAC
01:00:0C:CC:CC:CC. CDP frames are never forwarded by switches — they are one-hop only. CDP can discover neighbours even before IP addressing is configured. - LLDP (IEEE 802.1AB) is the open standard equivalent, disabled by default on Cisco IOS, and supported by all major vendors. Enable globally with
lldp run. LLDP uniquely supports independent TX/RX control per interface and LLDP-MED extensions for VoIP and PoE discovery. - The two most important columns in
show cdp neighborsare Local Intrfce (which port on this device) and Port ID (which port on the neighbour). Together they identify both ends of the physical cable — the foundation of topology mapping. show cdp neighbors detailadditionally reveals the neighbour's management IP, IOS version, VTP domain, and native VLAN. This is the key command for getting a neighbour's IP address before Layer 3 is reachable.- CDP is a security risk on access ports. Any device on a CDP-enabled port receives the switch's IOS version (enabling targeted CVE exploitation), management IP (enabling direct management plane attacks), VTP domain (enabling VTP poisoning), and native VLAN ID (enabling VLAN hopping). Disable CDP on all access ports facing untrusted devices with
no cdp enableunder the interface. - To disable CDP on all user-facing ports while keeping it on infrastructure uplinks: use
interface rangeto applyno cdp enableto all access port groups. Verify withshow cdp interfacethat uplink ports show CDP active and access ports show "CDP is not enabled on this interface". Also consider Port Security and DHCP Snooping as complementary access port hardening measures. - LLDP-MED (Media Endpoint Discovery) is an extension of LLDP that allows IP phones to advertise their required voice VLAN and PoE power class to the switch. Cisco IP phones use CDP to learn the voice VLAN; non-Cisco phones use LLDP-MED. When disabling CDP on phone ports, verify whether the phone uses CDP or LLDP-MED before doing so. See Voice VLAN Configuration.
- CDP neighbour entries expire after the holdtime (default 180 seconds) if no new advertisement is received. A rapidly disappearing and reappearing neighbour (flapping) indicates an unstable physical link. Use
show cdp neighborscombined withshow interfaces [int] counters errorsto diagnose. - CDP can be used to verify cable patching: if a cable is plugged into the wrong port, the CDP Port ID column will show the actual interface on the remote device rather than the expected one. CDP is more reliable than manual cable tracing in dense patch environments.
- On the CCNA exam: know the difference between CDP and LLDP (proprietary vs open, default state, multicast MACs), the columns in
show cdp neighbors, the additional information inshow cdp neighbors detail, how to disable CDP globally (no cdp run) and per-interface (no cdp enable), and the security reason for disabling CDP on access ports.
Next Steps: With CDP and LLDP providing physical
topology visibility, the next layer of network awareness is
active monitoring. SNMP
v2c and v3 Configuration extends device visibility to
performance counters, interface statistics, and proactive trap
alerting. For the VLAN infrastructure that CDP reveals through
the VTP domain and native VLAN TLVs, see
VLAN Creation and
Management and Trunk
Port Configuration. For the interface IP information
exposed by CDP's management address TLV, see
Basic Interface
Configuration. For securing the management plane that
CDP's IP disclosure makes visible, see
Login
Security and Brute-Force Protection.