The illustration above points out the defaults you must know for exam day, but there is a lot more to both protocols, which will be covered in this post!
I will get right into it, as there is a lot of ground to cover with labbing / output examples.
CDPv1 and CDPv2
CDPv2 is run (and enabled) by default on all Catalyst switches you will see in the wild or in the exam room, but for the sake of clarity, I did want to mention CDPv1.
CDP’s default timers are a 60 second Hello and a 180 second Holdtime (the neighbor entry is dropped if no Hello is received within that time)!
CDP ALSO DOES NOT ENCRYPT A THING: ALL INFORMATION IS SENT IN PLAIN TEXT, WHICH MAY CAUSE A SECURITY ISSUE, SO YOU MAY ONLY WANT TO RUN IT ON CERTAIN PORTS AND DISABLE IT ON THE OTHERS WHERE IT DOESN’T NEED TO RUN!
CDPv1 still exists for backwards compatibility (in case someone plugs in an ancient switch), and it supports sharing the same basic set of information as CDPv2 does:
- Software Version
- Hardware Platform
- IP Addresses
- Port ID’s
- Capabilities (R S I codes)
So it covers the majority of the information we look for; however, CDPv2 also supports disseminating the following switch info:
- PoE Settings
- VTP Domain info
- Duplex settings
- Native VLAN information
That is on top of what CDPv1 already offered, so those are some pretty profound improvements over CDPv1. For example:
CDP makes DTP possible (as DTP uses CDP) to negotiate a Dynamic Trunk, and it identifies if there is a Native VLAN mismatch:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fa1/0/6
SW1(config-if)#switchport trunk native vlan 10
SW1(config-if)#
SW1(config-if)#
*Mar 1 00:26:28.961: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet1/0/6 (10), with SW2 FastEthernet1/0/6 (1).
SW1(config-if)#
CDP is also used for negotiating PoE with devices, duplex / speed settings on interfaces set to Auto / Auto, and probably a lot more that I am not remembering or finding.
Enabling and Disabling CDP on a Global and Interface level, verification, timers!
First, to verify it is running, it’s simply “sh cdp”:
SW1(config)#do sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
SW1(config)#
When turned off, it will actually show it is disabled instead of blank output:
SW1(config)#
SW1(config)#no cdp run
SW1(config)#do sh cdp
% CDP is not enabled
SW1(config)#
So now let’s hop over to neighbor SW2 to see how CDP looks from there while it is disabled on SW1:
SW2#sh cdp nei
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone,
D – Remote, C – CVTA, M – Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
SW1 Fas 1/0/6 14 S I WS-C3750V Fas 1/0/6
SW1 Gig 1/0/2 10 S I WS-C3750V Gig 1/0/2
SW1 Gig 1/0/1 10 S I WS-C3750V Gig 1/0/1
SW3 Fas 1/0/10 134 S I WS-C3750V Fas 1/0/8
SW2#
Also, the Platform column shows all 3750V switches; Gig1/0/1 is Host A and Gig1/0/2 is Host B attached to SW1. So, for example, the SW3 entry shows both the Local Interface AND the remote interface (Port ID).
This also demonstrates another point: the SW1 entries are all about 15 seconds away from disappearing from the CDP neighbor table on SW2:
SW2#sh cdp nei
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone,
D – Remote, C – CVTA, M – Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
SW3 Fas 1/0/10 173 S I WS-C3750V Fas 1/0/8
SW2#
As seen here, the Holdtime is back up to 173. With default timers it should refresh at or above 120, because a Hello should be sent within every 60 seconds, so a 180 second total Holdtime should never drop below 120.
So if CDP Holdtime drops below its Hello interval, whether default or manually configured, that neighbor has CDP issues that need to be addressed!
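To make that Holdtime rule something you can actually run against a switch, here is an added example (my code, not from the post or from Cisco) that parses “sh cdp nei” output into records and flags any neighbor whose remaining Holdtime has fallen below Holdtime minus Hello, which is the 120 second floor above with default timers. The sample output is constructed to look like the SW2 tables (it is not a capture), and the long-hostname continuation line is there because IOS wraps long Device IDs onto their own line; the 60/180 defaults can be overridden if you changed the timers.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the SW2 "sh cdp nei" output in the post (not a capture).
# The last neighbor has a long Device ID, which IOS prints on its own line.
SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 1/0/6         14           S I       WS-C3750V Fas 1/0/6
SW1              Gig 1/0/2         10           S I       WS-C3750V Gig 1/0/2
SW3              Fas 1/0/10        134          S I       WS-C3750V Fas 1/0/8
core-distribution-switch-01.example.net
                 Gig 1/0/24        171          R S I     WS-C3750V Gig 1/0/1
"""


@dataclass
class CdpNeighbor:
    device_id: str
    local_intf: str
    holdtime_left: int
    capability: str
    platform: str
    port_id: str


def parse_cdp_neighbors(text):
    """Parse the table part of 'show cdp neighbors' into CdpNeighbor records."""
    neighbors = []
    pending_id = None   # Device ID that was wrapped onto its own line
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Device ID"):
            in_table = True          # column header: table starts after it
            continue
        if not in_table or not line or line.startswith("Total "):
            continue
        tokens = line.split()
        if len(tokens) == 1:         # wrapped Device ID, rest follows on next line
            pending_id = tokens[0]
            continue
        if pending_id is not None:
            tokens = [pending_id] + tokens
            pending_id = None
        # Layout: device, local intf (2 tokens, e.g. "Fas 1/0/6"), holdtime,
        # capability (1+ tokens), platform, port id (2 tokens).
        if len(tokens) < 8 or not tokens[3].isdigit():
            raise ValueError(f"unrecognised neighbor line: {line!r}")
        neighbors.append(CdpNeighbor(
            device_id=tokens[0],
            local_intf=f"{tokens[1]} {tokens[2]}",
            holdtime_left=int(tokens[3]),
            capability=" ".join(tokens[4:-3]),
            platform=tokens[-3],
            port_id=f"{tokens[-2]} {tokens[-1]}",
        ))
    return neighbors


def missed_hellos(neighbor, hello=60, holdtime=180):
    """Whole Hello intervals that have passed without this entry being refreshed."""
    return (holdtime - neighbor.holdtime_left) // hello


def unhealthy(neighbors, hello=60, holdtime=180):
    """Neighbors whose remaining Holdtime is below holdtime - hello, i.e. at least
    one Hello has been missed (120 seconds with the default 60/180 timers)."""
    floor = holdtime - hello
    return [n for n in neighbors if n.holdtime_left < floor]


if __name__ == "__main__":
    for n in parse_cdp_neighbors(SAMPLE):
        flag = "MISSING HELLOS" if n in unhealthy([n]) else "ok"
        print(f"{n.device_id:40} {n.local_intf:10} hold={n.holdtime_left:3} "
              f"missed={missed_hellos(n)} {flag}")
```

Feed it the output of “sh cdp nei” captured from the switch (or pass different hello/holdtime values if you changed the timers) and anything reported as missing Hellos is a neighbor worth looking at before it ages out.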
While CDP is Disabled Globally, will it still pass info if Enabled on an Interface?
Good question, I was looking this up when I figured I’d just test it.
Enabling CDP on our Trunk Port (after I fixed our Native VLAN mismatch):
SW1(config-if)#cdp enable
% Cannot enable CDP on this interface, since CDP is not running
SW1(config-if)#
CDP CANNOT BE ENABLED ON INTERFACES IF DISABLED GLOBALLY, HOWEVER IT CAN BE DISABLED ON INTERFACES WHEN IT IS RUNNING GLOBALLY!
To demonstrate here beginning on SW1:
SW1(config-if)#exit
SW1(config)#cdp run
SW1(config)#int fa1/0/6
SW1(config-if)#no cdp enable
SW1(config-if)#
This is our only Trunk / Link to SW2 at all, so I assume it is not going to react too kindly to this change, but let’s check it out:
SW2#sh cdp nei
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone,
D – Remote, C – CVTA, M – Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
SW1 Gig 1/0/2 158 S I WS-C3750V Gig 1/0/2
SW1 Gig 1/0/1 158 S I WS-C3750V Gig 1/0/1
SW1 Fas 1/0/6 38 S I WS-C3750V Fas 1/0/6
SW3 Fas 1/0/10 151 S I WS-C3750V Fas 1/0/8
SW2#
This output was surprising to me, as I thought it would have the same effect of disabling it globally, however it shows Host A and Host B sending Hellos and re-upping their Holdtimers just like SW3!
So this is saying you might not want to join the CDP Party to Fa1/0/6, but that doesn’t mean none of your attached friends can join the party either.
Fa1/0/6 does eventually Age out from the SW2 table, and the Routers and SW3 stay.
However, the moral of the story is: you can disable CDP on interfaces when it is globally enabled, but not the other way around!
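Since the per-interface knob only works on top of a global “cdp run”, the practical policy from the plain-text warning earlier is: keep CDP on trunks and phone ports where DTP / PoE negotiation needs it, and put “no cdp enable” on plain access ports. Here is an added example (my code, not from the post or from Cisco) that audits a running-config for that policy and prints the remediation lines. The running-config excerpt is constructed, not from SW1 or SW2; the policy itself (trunk or voice VLAN = keep CDP, everything else = disable) is an assumption you should adapt, and the check relies on IOS omitting the default “cdp run” from the running-config and only showing “no cdp run” when it is disabled globally.

```python
import re

# Constructed running-config excerpt (not taken from the post's switches).
RUNNING_CONFIG = """\
!
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 no cdp enable
!
interface FastEthernet1/0/6
 switchport trunk native vlan 1
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 30
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())   # indented line belongs to stanza
        else:
            current = None                           # "!" or a global command ends it
    return stanzas


def cdp_globally_enabled(config):
    """IOS only shows 'no cdp run' in the running-config; the default is silent."""
    return re.search(r"^no cdp run\s*$", config, flags=re.M) is None


def cdp_audit(config):
    """Assumed policy: CDP may stay on trunks and ports with a voice VLAN;
    any other port that still runs CDP is reported. Returns (global_state, findings)."""
    globally_on = cdp_globally_enabled(config)
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in lines
        has_voice = any(l.startswith("switchport voice vlan") for l in lines)
        # Per-interface disable only matters while CDP is running globally.
        cdp_on = globally_on and "no cdp enable" not in lines
        if cdp_on and not is_trunk and not has_voice:
            findings.append(name)
    return globally_on, findings


def remediation(findings):
    """Config lines to paste in for each flagged port (same command the post uses)."""
    lines = []
    for name in findings:
        lines += [f"interface {name}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    state, bad_ports = cdp_audit(RUNNING_CONFIG)
    print("CDP globally enabled:", state)
    print("\n".join(remediation(bad_ports)) or "nothing to fix")
```

Run it over “show running-config” output; a port that is neither a trunk nor a phone port and still has no “no cdp enable” line is listed, and the remediation block is exactly the interface-level command shown on SW1 above.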
Speaking of timers, here is a quick demonstration of how to change these timers if needed:
SW1(config)#cdp ?
advertise-v2 CDP sends version-2 advertisements
holdtime Specify the holdtime (in sec) to be sent in packets
run Enable CDP
timer Specify the rate at which CDP packets are sent (in sec)
tlv Enable exchange of specific tlv information
SW1(config)#cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
SW1(config)#cdp timer 5 ?
<cr>
SW1(config)#cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
SW1(config)#
Pretty straightforward; you don’t want to set this too fast, as it will only speed up the age-out process in the CDP Neighbor table, so the defaults should be fine to leave as is.
A couple of things to note outside the “run” option (which enables CDP if it’s disabled) are the “advertise-v2” option, making this switch NON-backward compatible with CDPv1, and the TLV (Type-Length-Value) field that is common to both the CDP and LLDP discovery protocols!
We’ve all seen it, but here is a quick peek at “show cdp neighbor detail”.
The output shown will be for Host B off SW1 Int Gi1/0/2:
SW2#sh cdp nei det
————————-
Device ID: SW1
Entry address(es):
IP address: 10.0.0.1
Platform: cisco WS-C3750V2-24PS, Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/2, Port ID (outgoing port): GigabitEthernet1/0/2
Holdtime : 154 sec
Version :
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 01-Dec-15 07:02 by prod_rel_team
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF0000000000001CE6C7C1C800FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: full
Power Available TLV:
Power request id: 0, Power management id: 1, Power available: 0, Power management level: -1
Management address(es):
IP address: 10.0.0.1
I was hoping it would show from SW2 that Host B is actually a 2800 Series Router, but apparently it only gives THOSE kinds of details for directly connected hosts; from SW2 I am only going to get SW1’s information like Native VLAN # / Hardware Platform / etc.
(Though it does show the Interface off SW1 that Host B is on, in the output near the top!)
However, you also see values for VTP Domain, Native VLAN, Duplex, PoE, and all that fun stuff for the peripheral device, so that is what we are really looking for.
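That detail output is also the clearest picture of what CDP hands out in plain text to anything on the other end of the wire. Here is an added example (my code, not from the post or from Cisco) that parses “sh cdp nei det” into one record per neighbor, lists which of the sensitive attributes (mgmt IP, platform, IOS version, native VLAN, VTP domain) each neighbor is disclosing, and re-implements the native VLAN comparison behind the %CDP-4-NATIVE_VLAN_MISMATCH message from earlier, given our own per-interface native VLANs. The sample output is constructed to mirror the SW1 entry above (the second entry, with native VLAN 10 on Fa1/0/6, is made up to trigger the mismatch), and the local native VLAN map is an input you would fill from your own config.

```python
import re

# Constructed sample modelled on the "sh cdp nei det" output in the post (not a capture).
SAMPLE_DETAIL = """\
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 10.0.0.1
Platform: cisco WS-C3750V2-24PS,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/2,  Port ID (outgoing port): GigabitEthernet1/0/2
Holdtime : 154 sec

Version :
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 01-Dec-15 07:02 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Native VLAN: 1
Duplex: full
Management address(es):
  IP address: 10.0.0.1

-------------------------
Device ID: SW1
Entry address(es):
  IP address: 10.0.0.1
Platform: cisco WS-C3750V2-24PS,  Capabilities: Switch IGMP
Interface: FastEthernet1/0/6,  Port ID (outgoing port): FastEthernet1/0/6
Holdtime : 171 sec

Version :
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE9, RELEASE SOFTWARE (fc1)

advertisement version: 2
VTP Management Domain: ''
Native VLAN: 10
Duplex: full
Management address(es):
  IP address: 10.0.0.1
"""

# One regex per field; each is searched line-by-line (re.M) within a single entry.
FIELD_PATTERNS = {
    "device_id":    r"^Device ID:\s*(\S+)",
    "ip":           r"^\s*IP address:\s*(\S+)",
    "platform":     r"^Platform:\s*(.+?),\s*Capabilities:",
    "capabilities": r"Capabilities:\s*(.+?)\s*$",
    "local_intf":   r"^Interface:\s*(\S+?),",
    "port_id":      r"Port ID \(outgoing port\):\s*(\S+)",
    "holdtime":     r"^Holdtime\s*:\s*(\d+)",
    "ios_version":  r"^Cisco IOS Software.*?Version\s+(\S+),",
    "cdp_version":  r"^advertisement version:\s*(\d+)",
    "vtp_domain":   r"^VTP Management Domain:\s*'(.*)'",
    "native_vlan":  r"^Native VLAN:\s*(\d+)",
    "duplex":       r"^Duplex:\s*(\S+)",
}

# The attributes the plain-text warning is really about.
SENSITIVE = ("ip", "platform", "ios_version", "native_vlan", "vtp_domain")


def parse_cdp_detail(text):
    """Split 'show cdp neighbors detail' on the dashed separators and extract fields."""
    entries = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in chunk:
            continue
        entry = {}
        for key, pat in FIELD_PATTERNS.items():
            m = re.search(pat, chunk, flags=re.M)
            if m:
                entry[key] = m.group(1)
        entries.append(entry)
    return entries


def disclosed(entry):
    """Sensitive attributes this neighbor is advertising in the clear."""
    return [k for k in SENSITIVE if k in entry]


def native_vlan_mismatches(entries, local_native):
    """local_native maps OUR interface name -> OUR configured native VLAN.
    Returns (interface, ours, theirs) where the neighbor advertises a different one,
    which is the condition behind %CDP-4-NATIVE_VLAN_MISMATCH."""
    out = []
    for e in entries:
        ours = local_native.get(e.get("local_intf"))
        theirs = e.get("native_vlan")
        if ours is not None and theirs is not None and int(theirs) != ours:
            out.append((e["local_intf"], ours, int(theirs)))
    return out


if __name__ == "__main__":
    entries = parse_cdp_detail(SAMPLE_DETAIL)
    for e in entries:
        print(e["device_id"], "via", e["local_intf"], "discloses:", ", ".join(disclosed(e)))
    print(native_vlan_mismatches(entries, {"GigabitEthernet1/0/2": 1, "FastEthernet1/0/6": 1}))
```

The mismatch check is the defender-side view of the syslog seen on SW1 earlier: instead of waiting for the switch to complain, you can compare what each neighbor advertises against your own native VLAN per trunk from a saved capture of the detail output.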
To turn CDP back on Int Fa1/0/6, I issue “cdp enable” and life is good again!
The wonderful world of Vendor Neutral LLDP – Link Layer Discovery Protocol!
Not sure how far to go into this subject, actually, so I’ll mention some facts and do a little labbing to round off this post with LLDP. The first fact: LLDP is defined by IEEE 802.1AB.
LLDP is the open industry standard equivalent of CDP, as CDP was (is?) considered Cisco proprietary; however, I do see it working on HP switches on the job. But for exam day I would go with “it’s Cisco proprietary.”
The primary use for LLDP with Cisco is for LLDP-MED (Media Endpoint Devices)!
LLDP-MED traffic is exchanged between non-Cisco endpoints and the network regarding VoIP-related features (QoS, PoE, etc.), and its TLVs also carry Network Policy services.
LLDP TLVs are all enabled by default to gather network information for non-Cisco devices / network policies, so all we need to do is enable LLDP for it to do its job!
LLDP is disabled by default on Cisco Routers and MLS switches; however, it can be enabled the same way as CDP:
SW1(config)#lldp ?
holdtime Specify the holdtime (in sec) to be sent in packets
reinit Delay (in sec) for LLDP initialization on any interface
run Enable LLDP
timer Specify the rate at which LLDP packets are sent (in sec)
tlv-select Selection of LLDP TLVs to send
SW1(config)#lldp run ?
<cr>
SW1(config)#lldp run
So we have basically the same options as CDP here. Now that it is running, let’s compare the output of “show cdp” to “show lldp”:
SW1(config)#do sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
SW1(config)#
SW1(config)#
SW1(config)#do sh lldp
Global LLDP Information:
Status: ACTIVE
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised is 120 seconds
LLDP interface reinitialisation delay is 2 seconds
SW1(config)#
The CDP Holdtime by default is 3 x the Hello, whereas the LLDP Hold time is 4 x the Hello, with CDP Hellos being 60 seconds by default and LLDP Hellos being 30 seconds by default.
So let’s enable LLDP on the SW2 Trunk Int Fa1/0/6 and get this party started!
After enabling it on SW2, it took about 20 seconds for the output to fill in, I believe it had to receive a Hello from SW1 to populate its table.
However, populate its table it did, very similar to CDP:
SW2#sh lldp nei
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
SW1 Gi1/0/1 119 B Gi1/0/1
SW1 Gi1/0/2 119 B Gi1/0/2
SW1 Fa1/0/6 119 B Fa1/0/6
Total entries displayed: 3
SW2#
One last command for exam day, the equivalent of “sh cdp nei det” in a different format, although it still ONLY gives info on directly connected neighbors:
SW2#sh lldp ?
entry Information for specific neighbor entry
errors LLDP computational errors and overflows
interface LLDP interface status and configuration
neighbors LLDP neighbor entries
traffic LLDP statistics
| Output modifiers
<cr>
SW2#sh lldp entry ?
* all LLDP neighbor entries
WORD Name of LLDP neighbor entry
SW2#sh lldp entry * ?
| Output modifiers
<cr>
SW2#sh lldp entry *
So it was a bit odd to have a * before the <cr> of the command; however, here is the output, formatted much like CDP’s:
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
WLAN Access Point, (P) Repeater, (S) Station, (O) Other
————————————————
Chassis id: 1ce6.c7c1.c800
Port id: Gi1/0/1
Port Description: GigabitEthernet1/0/1
System Name: SW1
System Description:
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 01-Dec-15 07:02 by prod_rel_team
Time remaining: 95 seconds
System Capabilities: B,R
Enabled Capabilities: B
Management Addresses:
IP: 10.0.0.1
Auto Negotiation – not supported
Physical media capabilities:
1000baseX(FD)
Media Attachment Unit type: 26
Vlan ID: 1
So it contains SW1’s mgmt IP, MAC, Hardware Platform, and every Media Type back to SW1 will be 1000mbps (because the Trunk is a Gig to Gig link), and Negotiation is off because that Trunk is in Trunk ON mode.
That wraps up the CDP vs LLDP information I have for the SWITCH exam.
Telnet vs SSH next to finish up Switch Security posts for now!