CDP and show cdp neighbors – Cisco Device Discovery Protocol

1. What Is CDP?

CDP (Cisco Discovery Protocol) is a Cisco-proprietary Layer 2 protocol that enables Cisco devices — routers, switches, IP phones, access points — to automatically advertise themselves to directly connected neighbours. Because CDP operates at Layer 2, it works entirely independently of IP addressing: a Cisco device with no IP configured at all can still send and receive CDP advertisements, making it invaluable during initial device bring-up, cabling verification, and troubleshooting before routing is established.

CDP is enabled by default on all Cisco IOS devices. Devices send CDP updates as multicast frames every 60 seconds (the CDP advertisement timer) to the multicast MAC address 0100.0CCC.CCCC. Each advertisement carries a holdtime (default 180 seconds — three times the advertisement interval) that tells neighbours how long to keep the information before discarding it if no new advertisement arrives.

  CDP operation — Layer 2 only:

  [Switch A] ─────── CDP frame (tagged VLAN, L2 multicast) ────── [Switch B]
  [Switch A] ──────────────────────────────────────────────────── [Router R1]

  CDP works even if:
  - Interfaces have no IP addresses configured
  - Routing protocols are not running
  - The device has just been factory-reset
  CDP does NOT cross routers — only directly connected (one hop) devices appear.

2. show cdp neighbors — Output Field by Field

show cdp neighbors (run from privileged EXEC mode) produces a compact one-line-per-neighbour summary table. This is the command to reach for first when verifying physical connectivity or building a topology map.

  Switch# show cdp neighbors

  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                    S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                    D - Remote, C - CVTA, M - Two-port Mac Relay

  Device ID        Local Intrfce     Holdtme    Capability  Platform       Port ID
  SwitchB          Gig 0/1            122        S I         WS-C2960       Gig 0/2
  RouterA          Gig 0/2            132        R S I       ISR4331        Gig 0/0
  IPPhone1         Gig 0/3            170        P           CP-7960        Port 1

  │                │                 │          │           │              │
  Device ID        Local Interface   Holdtime   Capability  Platform       Port ID
  (neighbour       (MY port that     (seconds   (device     (hardware      (neighbour's
   hostname)        connects to       until      type)       model)         port facing
                    neighbour)        discarded)                            me)

Field	Description	Example	Notes
Device ID	The hostname of the neighbouring device as configured by its `hostname` command	`SwitchB`	If the neighbour has no hostname set, the MAC address may appear instead
Local Intrfce	The interface on your local device that the CDP advertisement arrived on — the port facing the neighbour	`Gig 0/1`	Abbreviated: Gig = GigabitEthernet, Fas = FastEthernet, Ser = Serial
Holdtme	Countdown timer in seconds — how long the entry will be kept if no new CDP advertisement arrives from that neighbour	`122`	Default starts at 180s (3× the 60s advertisement interval); a rapidly decrementing value may indicate a slow or unstable link
Capability	One or more letters indicating the type(s) of device the neighbour is configured as	`R S I`	R=Router, S=Switch, T=Trans Bridge, B=Source Route Bridge, H=Host, I=IGMP, r=Repeater, P=Phone, D=Remote, C=CVTA
Platform	The hardware model/platform string of the neighbour device as it identifies itself	`WS-C2960`	Useful for identifying exact hardware models; an attacker could also use this to target known vulnerabilities
Port ID	The interface on the neighbour device that connects to you — the remote end of the cable	`Gig 0/2`	Combined with Local Intrfce, this gives the complete cable mapping: my Gi0/1 ↔ SwitchB Gi0/2

3. show cdp neighbors detail — Extended Output

show cdp neighbors detail adds IP address, IOS version, serial number, duplex, and management VLAN information that does not appear in the basic command. This is the command to use when you need to build a complete inventory or remotely manage a device you cannot directly log into.

  Switch# show cdp neighbors detail

  -------------------------
  Device ID: SwitchB
  Entry address(es):
    IP address: 10.1.1.2         ← management IP (use this to SSH/Telnet in)
  Platform: cisco WS-C2960, Capabilities: Switch IGMP
  Interface: GigabitEthernet0/1,  Port ID (outgoing port): GigabitEthernet0/2
  Holdtime : 133 sec

  Version :
  Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE5
  ...                              ← exact IOS version (useful for patching)
  advertisement version: 2         ← running CDPv2
  VTP Management Domain: ''        ← VTP domain name
  Native VLAN: 1                   ← native VLAN on the trunk link
  Duplex: full                     ← duplex mismatch would appear here
  Management address(es):
    IP address: 10.1.1.2

  ! Field explanations:
  ! Entry address(es) / Management address → IP to reach this device
  ! Platform               → exact hardware model
  ! Version                → full IOS version string
  ! advertisement version  → CDPv1 or CDPv2
  ! VTP Management Domain  → VTP domain (useful for VTP troubleshooting)
  ! Native VLAN            → trunk native VLAN (mismatch causes issues)
  ! Duplex                 → speed/duplex (mismatch = slow/errors)

You can target a specific neighbour by name: show cdp entry SwitchB — displays the same detail output for only that device.

4. All CDP Commands — Reference Table

Command	Mode	Purpose	Key Information Shown
`show cdp neighbors`	Privileged EXEC	Summary list of all directly connected CDP neighbours	Device ID, Local Interface, Holdtime, Capability, Platform, Port ID
`show cdp neighbors detail`	Privileged EXEC	Full details on all neighbours	All summary fields plus IP address, IOS version, serial number, duplex, native VLAN, VTP domain, management address
`show cdp entry <device-id>`	Privileged EXEC	Full detail for one specific neighbour	Same as detail but filtered to one device
`show cdp`	Privileged EXEC	Global CDP status and timers	CDP enabled/disabled, advertisement interval (60s), holdtime (180s), CDPv2 advertisements enabled/disabled
`show cdp interface`	Privileged EXEC	CDP status on every interface	Which interfaces have CDP enabled/disabled; per-interface advertisement and holdtime timers
`show cdp traffic`	Privileged EXEC	CDP packet statistics	Total CDP packets sent, received, errors — useful for diagnosing CDP advertisement problems

5. CDPv1 vs CDPv2

Feature	CDPv1	CDPv2
Basic device discovery	Yes	Yes
Native VLAN information	No	Yes — detects native VLAN mismatches between trunk peers and logs a warning
Duplex information	No	Yes — detects duplex mismatches between neighbours
VLAN-Trunking Protocol (VTP) domain	No	Yes
Power over Ethernet (PoE)	No	Yes — carries power requirements for IP phones and access points
Default on modern Cisco IOS	No	Yes — CDPv2 is the default; use `no cdp advertise-v2` to revert to v1

6. Enabling and Disabling CDP

CDP must sometimes be disabled for security — particularly on access ports facing end users and on interfaces connected to the internet or third-party networks. CDP can be disabled at two levels: globally (across the entire device) or per-interface (selective control).

Global Enable / Disable

  ! Disable CDP on the entire device:
  Switch(config)# no cdp run

  ! Re-enable CDP globally:
  Switch(config)# cdp run

  ! Verify global CDP status:
  Switch# show cdp
  Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled

Per-Interface Enable / Disable

  ! Disable CDP on a specific interface (access port to end user):
  Switch(config)# interface GigabitEthernet0/2
  Switch(config-if)# no cdp enable

  ! Re-enable CDP on that interface:
  Switch(config)# interface GigabitEthernet0/2
  Switch(config-if)# cdp enable

  ! View CDP status per interface:
  Switch# show cdp interface GigabitEthernet0/1
  GigabitEthernet0/1 is up, line protocol is up
    Encapsulation ARPA
    Sending CDP packets every 60 seconds
    Holdtime is 180 seconds

  ! Compare: an interface with CDP disabled:
  Switch# show cdp interface GigabitEthernet0/2
  % CDP is not enabled on GigabitEthernet0/2

Adjust CDP Timers (Advanced)

  ! Change the CDP advertisement interval (default 60 seconds):
  Switch(config)# cdp timer 30       ! send updates every 30 seconds

  ! Change the holdtime (default 180 seconds = 3× timer):
  Switch(config)# cdp holdtime 90    ! keep neighbour info for 90 seconds

  ! Note: holdtime should always be greater than the timer to prevent
  ! neighbours from disappearing between updates on slow links.

7. CDP vs LLDP

LLDP (Link Layer Discovery Protocol) is the IEEE 802.1AB vendor-neutral equivalent of CDP. While CDP only works between Cisco devices, LLDP works between any vendor's equipment that supports the standard — Cisco, HP, Juniper, Aruba, etc. In multi-vendor networks, LLDP is the correct tool.

Feature	CDP	LLDP
Standard	Cisco proprietary	IEEE 802.1AB (vendor-neutral)
OSI Layer	Layer 2	Layer 2
Enabled by default	Yes (all Cisco IOS devices)	No — must be enabled manually with `lldp run`
Device compatibility	Cisco devices only	Any IEEE 802.1AB-compliant device
Summary command	`show cdp neighbors`	`show lldp neighbors`
Detail command	`show cdp neighbors detail`	`show lldp neighbors detail`
Per-interface enable	`cdp enable` / `no cdp enable`	`lldp transmit` / `lldp receive` (separate TX/RX control)
Global enable/disable	`cdp run` / `no cdp run`	`lldp run` / `no lldp run`
Advertisement multicast MAC	0100.0CCC.CCCC	0180.C200.000E
Security risk	Topology and hardware info exposed to connected devices	Same — topology and hardware info exposed
Best used for	Cisco-only environments; labs; initial device bring-up and documentation	Multi-vendor production networks; environments with non-Cisco equipment

LLDP Configuration on Cisco IOS

  ! Enable LLDP globally (disabled by default):
  Switch(config)# lldp run

  ! LLDP per-interface granular control (separate TX and RX):
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# lldp transmit    ! send LLDP advertisements out
  Switch(config-if)# lldp receive     ! process received LLDP advertisements

  ! Disable LLDP on a specific interface:
  Switch(config-if)# no lldp transmit
  Switch(config-if)# no lldp receive

  ! Verify LLDP neighbours:
  Switch# show lldp neighbors
  Switch# show lldp neighbors detail

8. Security Considerations

CDP is a powerful troubleshooting tool — but it exposes significant information to anyone connected to a switch port. A CDP frame from a switch reveals: the switch's hostname, model number (Platform field), IOS version, management IP address, native VLAN, and the exact interface names. An attacker with physical access to a port or a compromised end-point can read all of this with a standard packet capture.

Risk	What CDP Reveals	Mitigation
Hardware reconnaissance	Platform field reveals exact model (e.g., WS-C2960X) — attackers can look up known vulnerabilities for that specific hardware/software combination	Disable CDP on all untrusted, user-facing, and internet-connected interfaces with `no cdp enable`
Topology mapping	Device ID and Port ID fields reveal the exact physical topology — which devices connect on which ports; an attacker can reconstruct the entire network map	Disable CDP on access ports; restrict physical access to switch ports; use 802.1X port authentication
Management IP exposure	`show cdp neighbors detail` output reveals the management IP — the address used to SSH/Telnet into the device; facilitates targeted management plane attacks	Apply management ACLs restricting who can reach the management IP; use access-class on VTY lines
IOS version disclosure	CDP detail output includes the exact IOS version string; known CVEs exist for specific IOS versions and attackers actively target unpatched devices	Keep IOS up to date; disable CDP on internet-facing and untrusted interfaces
Native VLAN information	CDPv2 advertises the native VLAN; this information can assist VLAN hopping attacks on trunk links	Change native VLAN from the default VLAN 1; disable CDP on trunk ports facing untrusted networks

Security Best Practice — CDP Policy

  Enable CDP on:
  ✓ Trunk links between trusted Cisco switches and routers
  ✓ Links between infrastructure devices (core–distribution–access)
  ✓ Links to trusted management segments

  Disable CDP on:
  ✗ Access ports connected to end users (PCs, workstations)
  ✗ Ports connected to servers (unless Cisco IP phones are inline)
  ✗ Any interface connected to the internet or DMZ
  ✗ Ports in public areas or connected to third-party equipment

  Example — disable CDP on all access ports in a range:
  Switch(config)# interface range GigabitEthernet0/1 - 24
  Switch(config-if-range)# no cdp enable

See: Named ACLs | Applying ACLs | ACL Overview

9. Troubleshooting with CDP

CDP is often the fastest way to identify cabling and connectivity problems in a Cisco network because it provides ground-truth physical connectivity information independent of IP configuration.

Symptom	CDP Diagnostic Approach	Likely Cause if CDP Confirms Issue
Expected neighbour does not appear in `show cdp neighbors`	Check physical link with `show interfaces status` — is the port connected and up? Check CDP status on both ends with `show cdp interface <int>`	Wrong cable or wrong port; CDP disabled on one end (`no cdp enable` or `no cdp run`); interface shutdown; neighbour is a non-Cisco device (CDP would not show it — use LLDP instead)
Neighbour shown but connectivity failing	Run `show cdp neighbors detail` — check native VLAN and duplex fields; compare against expected values	Native VLAN mismatch (CDPv2 will log a warning); duplex mismatch causing half-duplex collisions and slow performance
Holdtime counting down very quickly	Monitor `show cdp neighbors` over several seconds and watch the holdtime counter; compare with `show cdp traffic` for errors	Unstable physical link causing intermittent drops; advertisement interval or holdtime misconfigured; high CPU on the neighbour preventing CDP frame processing
Wrong device appearing on a port	Compare Device ID and Platform in CDP output against documentation; note the Local Interface and Port ID to trace the cable	Incorrect cable routing; wrong port used when patching; asset tag or documentation out of date
Duplicate Device ID in CDP table	`show cdp neighbors detail` — check if two entries have different IP addresses but same hostname; compare serial numbers if available	Two devices configured with the same hostname; a loop in the physical topology sending CDP from the same device on two paths

CDP-Based Topology Discovery Workflow

  Start on any Cisco device in the network.

  Step 1: run show cdp neighbors
  → Record: Device ID, Local Interface, Platform, Port ID for each neighbour

  Step 2: run show cdp neighbors detail
  → Record: Management IP, IOS version for each neighbour

  Step 3: SSH/Telnet to each neighbour's management IP
  → Repeat steps 1–3 on each newly discovered device

  Step 4: Build a topology diagram
  → Each "Local Interface ↔ Port ID" pair = one physical cable

  This recursive CDP walk will map the entire Cisco topology starting from
  a single access point — even without a pre-existing network diagram.

  Note: CDP only shows DIRECTLY connected neighbours (one hop).
  Devices two hops away do not appear — you must CDP-walk from each
  intermediate device to continue the discovery.

10. Using CDP for Network Documentation

CDP output is the authoritative source for physical connectivity in a Cisco network. The combination of Device ID, Local Interface, Port ID, and Platform from every device produces an accurate, cable-level topology map that reflects the current state of the network — not a potentially outdated CMDB or diagram.

  Example: Mapping a 3-switch network using CDP alone.

  Running "show cdp neighbors" on each switch:

  On SW1:
  Device ID   Local Intrfce  Holdtme  Cap  Platform   Port ID
  SW2         Gi 0/1          150      S I  WS-C3750   Gi 0/1
  SW3         Gi 0/2          140      S I  WS-C2960   Gi 0/1

  On SW2:
  Device ID   Local Intrfce  Holdtme  Cap  Platform   Port ID
  SW1         Gi 0/1          160      S I  WS-C3750   Gi 0/1
  R1          Gi 0/24         155      R    ISR4451    Gi 0/0

  Derived topology:
  SW1 Gi0/1 ────────── SW2 Gi0/1   (SW1–SW2 uplink)
  SW1 Gi0/2 ────────── SW3 Gi0/1   (SW1–SW3 access)
  SW2 Gi0/24 ─────────  R1 Gi0/0   (core uplink to router)

For large networks, Python scripts using Netmiko or NAPALM can automate the CDP walk — connecting to each device, running show cdp neighbors detail, and building a full topology graph automatically.

11. Exam Tips & Key Points

CDP is Cisco-proprietary and operates at Layer 2 — it does not require IP addresses and works even on unconfigured devices.
CDP is enabled by default on all Cisco IOS devices. It sends advertisements every 60 seconds; the default holdtime is 180 seconds.
Know all six fields in show cdp neighbors output: Device ID, Local Interface, Holdtime, Capability codes, Platform, Port ID. Know the most common Capability codes: R=Router, S=Switch, I=IGMP, P=Phone, H=Host.
show cdp neighbors detail adds: IP address, IOS version, serial number, duplex, native VLAN, VTP domain, and management address.
Disable CDP globally with no cdp run; disable per interface with no cdp enable (in interface config mode). Know the difference — a very common exam question.
CDPv2 (default) adds native VLAN, duplex, PoE, and VTP domain information compared to CDPv1.
CDP vs LLDP: CDP is Cisco-only; LLDP is IEEE 802.1AB multi-vendor standard. Both operate at Layer 2. LLDP is disabled by default — enable with lldp run.
CDP is a security risk — it exposes hardware model, IOS version, management IP, and topology to any device with physical port access. Always disable on user-facing, internet-facing, and DMZ ports.
CDP only shows directly connected neighbours (one hop). Devices two or more hops away do not appear.

12. Summary Reference Table

Topic	CDP Detail
Protocol type	Cisco proprietary, Layer 2
Default state	Enabled globally and per-interface on all Cisco IOS devices
Advertisement interval	60 seconds (configurable with `cdp timer`)
Holdtime	180 seconds (configurable with `cdp holdtime`)
Multicast MAC	`0100.0CCC.CCCC`
Summary command	`show cdp neighbors`
Detail command	`show cdp neighbors detail`
Disable globally	`no cdp run` (global config)
Disable per interface	`no cdp enable` (interface config)
Discovery scope	Directly connected neighbours only (one hop)
Multi-vendor equivalent	LLDP (IEEE 802.1AB) — `lldp run` to enable
Security risk	Exposes hostname, model, IOS version, management IP, native VLAN — disable on untrusted ports

CDP Quiz

1. At which OSI layer does CDP operate, and why does this allow it to work without IP addresses?

A. Layer 3 (Network) — it uses IP multicast to reach all devices on the subnet B. Layer 4 (Transport) — it uses UDP broadcasts to exchange device information C. Layer 2 (Data Link) — CDP frames are sent as Ethernet multicast frames to a fixed MAC address, requiring no IP stack; the device only needs an active Layer 2 interface D. Layer 1 (Physical) — it uses electrical signalling to exchange device capabilities before any protocol is loaded

Correct answer is C. CDP operates at OSI Layer 2 (the Data Link layer). CDP frames are encapsulated directly in Ethernet frames and sent to the multicast MAC address 0100.0CCC.CCCC. Because this is a Layer 2 multicast, the receiving device's NIC accepts the frame without any IP processing. This means CDP works on a Cisco device that has just been factory-reset with no IP configuration whatsoever — a capability invaluable for initial bring-up and physical connectivity verification. CDP does NOT cross router interfaces, since routers strip Layer 2 frames and rebuild them at each hop — so CDP neighbours are always directly connected (one physical link away).

2. Which command lists all directly connected Cisco neighbours in a concise summary table?

A. show interfaces — displays interface statistics and status but not neighbour information B. show cdp neighbors — shows a one-line-per-neighbour table with Device ID, Local Interface, Holdtime, Capability codes, Platform, and Port ID C. show ip route — displays the routing table; does not show physical neighbour discovery information D. show arp — displays the ARP cache mapping IP addresses to MAC addresses; no CDP neighbour data

Correct answer is B.

show cdp
                  neighbors

is the primary CDP discovery command. It produces a compact table with one row per directly connected CDP neighbour. Each row contains six fields: Device ID (hostname), Local Interface (my port connecting to them), Holdtime (seconds until entry expires), Capability codes (R=Router, S=Switch, P=Phone, etc.), Platform (hardware model), and Port ID (the neighbour's port facing me). This output is sufficient to verify physical cabling and build a topology diagram. For additional details — management IP, IOS version, serial number, duplex — use show cdp neighbors detail.

3. What does the Holdtime field in show cdp neighbors output represent, and what does a rapidly decreasing Holdtime suggest?

A. The time interval between CDP advertisement transmissions — a low value means CDP updates are sent more frequently B. How long CDP has been running on the local device since last reboot C. The time since the last CDP advertisement was received from this neighbour D. The countdown timer showing how many seconds remain before this neighbour's CDP entry is discarded if no new advertisement arrives — default 180 seconds; a rapidly decreasing value suggests intermittent connectivity or high CPU preventing CDP frame processing

Correct answer is D. The Holdtime is an aging timer that starts at 180 seconds (the default CDP holdtime) and counts down. Each time a new CDP advertisement arrives from the neighbour, the timer resets to 180 seconds. If no new advertisement arrives before the timer reaches 0, the neighbour entry is purged from the CDP table. In a healthy network with the default 60-second advertisement interval, the holdtime should oscillate between approximately 120s and 180s as it counts down and gets reset. A holdtime that consistently reads low values (under 60s) or that you watch reach 0 and disappear indicates an unstable physical link, a neighbour with high CPU that is dropping CDP frames, or a misconfigured CDP timer mismatch between the two devices.

4. Which of the following is NOT a standard Capability code in CDP output?

A. F (Firewall) — not a standard CDP capability code; Cisco ASA firewalls appear in CDP but use other codes B. R (Router) — standard code for a device acting as a router C. S (Switch) — standard code for a device acting as a switch D. I (IGMP) — standard code for a device that supports IGMP

Correct answer is A. The standard CDP Capability codes are: R (Router), T (Trans Bridge), B (Source Route Bridge), S (Switch), H (Host), I (IGMP), r (Repeater), P (Phone), D (Remote), C (CVTA — Cisco Virtual Topology Appliance), and M (Two-port Mac Relay). There is no "F" for Firewall. A Cisco ASA firewall that supports CDP will typically appear with capabilities like H (Host) or may not appear at all depending on the ASA software version and CDP configuration. Memorising the main codes for the CCNA exam: R=Router, S=Switch, I=IGMP supported, P=IP Phone — these are the most commonly seen in CDP output.

5. What are the two ways to disable CDP, and which command disables it on one specific interface only?

A. no cdp run — disables CDP on a specific interface; no cdp advertise — disables globally B. shutdown interface — disables CDP on the interface; no cdp run — disables globally C. no cdp enable (in interface config mode) — disables CDP on one specific interface while leaving it active on all others; no cdp run (in global config mode) — disables CDP on the entire device D. no cdp advertise — disables CDP on a specific interface; disable cdp — disables globally

Correct answer is C. CDP can be disabled at two levels. Globally: no cdp run in global configuration mode disables CDP on the entire device — no CDP advertisements are sent from any interface and no CDP information is processed from any interface. Per-interface: entering the interface configuration mode (interface GigabitEthernet0/2) and running no cdp enable disables CDP only on that specific interface while all other interfaces continue sending and receiving CDP normally. This distinction is a favourite CCNA exam question — know which command operates at global level (no cdp run) and which operates at interface level (no cdp enable).

6. What additional information does show cdp neighbors detail provide that the basic show cdp neighbors command does not?

A. show cdp neighbors detail shows less information — it filters the output to only the most important fields B. show cdp neighbors detail adds the neighbour's management IP address, IOS software version, native VLAN, duplex setting, VTP domain, serial number, and advertisement version — all absent from the basic command C. show cdp neighbors detail shows interface statistics like input/output packets and errors D. show version — this is the correct command to get IOS version; show cdp neighbors detail does not include version information

Correct answer is B.

show cdp
                  neighbors detail

extends the basic six-field summary with a wealth of additional information per neighbour: (1) Management IP address — critical for SSH/Telnet access to the device; (2) IOS software version — useful for patch management and compatibility checking; (3) Serial number — for asset tracking and TAC support calls; (4) Native VLAN — CDPv2 reports this and will log a warning if it mismatches between trunk peers; (5) Duplex — CDPv2 reports half/full; a mismatch causes severe performance degradation; (6) VTP Management Domain; (7) Advertisement version (1 or 2). The ability to obtain a neighbour's management IP without logging into it is particularly useful when building topology documentation from a single access point.

7. What specific security risks does CDP create, and which interfaces should always have CDP disabled?

A. CDP exposes passwords stored on the device — disable CDP on all interfaces including uplinks to other Cisco switches B. CDP enables unauthorised routing — attackers can inject routing updates through CDP frames to redirect traffic C. CDP enables DHCP spoofing — disable it on trunk links to prevent rogue DHCP servers from using CDP for discovery D. CDP exposes network topology (Device IDs, Port IDs), hardware models (Platform), IOS versions, and management IP addresses to any device connected to a port — always disable on user-facing access ports, internet-facing interfaces, and any port connecting to untrusted equipment

Correct answer is D. CDP creates an information disclosure risk rather than a direct intrusion mechanism. Anyone who can connect a device to a switch port — or who has compromised an end-point — can capture CDP frames and extract: the switch's hostname (useful for targeting); the exact hardware model and IOS version (used to identify known CVEs); management IP addresses (used to launch SSH/Telnet brute force or exploit attacks); and the physical topology (used to plan lateral movement). Disable CDP with no cdp enable on: all access ports facing end users and servers; any interface connected to the internet, a DMZ, or a third-party network; public-area ports; and any port where you cannot fully trust the connected device. CDP should remain enabled on trusted infrastructure links (switch-to-switch, switch-to-router uplinks) where the discovery benefits are needed.

8. How does CDP differ from LLDP, and when should LLDP be used instead of CDP?

A. CDP is Cisco-proprietary and only discovers Cisco devices; LLDP is the IEEE 802.1AB vendor-neutral standard that works between any manufacturer's equipment — use LLDP in multi-vendor networks containing non-Cisco switches, routers, or IP phones B. CDP uses Layer 3 IP multicast; LLDP uses Layer 2 Ethernet multicast — both require IP configuration to function C. CDP requires IP addresses to be configured on interfaces; LLDP works without IP and should therefore be used on all Cisco networks D. CDP is used in mixed-vendor environments; LLDP is a Cisco-only protocol used only in all-Cisco networks

Correct answer is A. CDP is Cisco-proprietary — it is only understood by Cisco equipment. In an all-Cisco environment, CDP is the correct and default choice. In any network containing non-Cisco equipment (HP ProCurve switches, Aruba access points, Juniper routers, etc.), LLDP (IEEE 802.1AB) should be used because it is an open standard supported by virtually all modern network equipment vendors. Both protocols operate at Layer 2, both require no IP configuration, and both carry similar topology information. On Cisco devices, LLDP must be explicitly enabled with lldp run (it is disabled by default, unlike CDP). Both protocols carry the same type of security risk — topology and hardware info exposure — so the same best practices apply to both.

9. Which command disables CDP globally on a Cisco switch, and how does this differ from no cdp enable?

A. no cdp enable — disables CDP globally on all interfaces simultaneously B. no cdp run (global config) — disables CDP on the entire device; no cdp enable (interface config) — disables CDP on one specific interface while leaving it running on all others C. disable cdp — not valid IOS syntax; the correct global command is no cdp protocol D. no cdp protocol — the correct global disable command; no cdp run only disables CDP on the management interface

Correct answer is B. The distinction between these two commands is a classic CCNA exam question. no cdp run is entered in global configuration mode (configure terminal) and shuts down CDP completely on the device — no advertisements are sent on any interface and no CDP information from any neighbour is processed. no cdp enable is entered in interface configuration mode (under a specific interface) and disables CDP only on that interface — all other interfaces continue to send and receive CDP normally. The practical use case: no cdp run is appropriate if you want to completely remove all CDP exposure from a device; no cdp enable is used when you want to keep CDP active on infrastructure uplinks but disable it on specific access ports facing end users.

10. An engineer notices that a directly connected switch appears in CDP output but VLAN traffic is not passing correctly between them. Which CDP detail field should be checked first and why?

A. The Device ID field — a mismatch in hostnames indicates the wrong switch is connected to this port B. The Platform field — different hardware models cannot pass VLAN traffic between them without additional configuration C. The Native VLAN field in show cdp neighbors detail — CDPv2 reports the native VLAN of each neighbour; a native VLAN mismatch causes CDP itself to log a warning and causes untagged VLAN frames to be misassigned, breaking traffic for that VLAN D. The IOS Version field — only devices running identical IOS versions can correctly exchange VLAN traffic over trunk links

Correct answer is C. When a neighbour is visible in CDP but VLAN traffic is misbehaving, the Native VLAN field reported by show cdp neighbors detail should be checked first. CDPv2 includes the native VLAN in its advertisements and the local device will log a syslog warning message if the native VLANs on the two ends of a trunk link do not match. A native VLAN mismatch means untagged frames (the native VLAN traffic) are being assigned to different VLANs on each end of the trunk — traffic sent as untagged (native) on one side is received and placed into a different VLAN on the other side. This can cause STP topology changes, hosts in the affected VLAN losing connectivity, and potential security issues. The fix is to match the native VLAN on both ends: switchport trunk native vlan <n> on both switches. The Duplex field should also be checked — a duplex mismatch causes collisions and poor performance even when CDP shows the neighbour.

← Back to Home