Saturday, October 3, 2009

Discovering Devices with CDP

I touched on CDP briefly in a previous post, but here I'll talk a little more about why CDP is so great and how it can be used to help map and manage your network.

CDP stands for Cisco Discovery Protocol. Put simply, your switch or router sends a packet out of every interface at regular intervals stating some information about itself. This information includes:

  • IP Address
  • Port number
  • Port type
  • Device name
  • Device hardware
  • IOS version
  • Port speed
  • Duplex settings
  • Vlan information

That's right, all this really useful information gets thrown out of every port every minute by default, and most of us just ignore it. Well, if you're a Cisco device you don't. If you're a Cisco device you take that information, keep it in memory and build up a neighbor database. And if you're a geek like me you can use that information to help you map your network and have some CDP fun! Here's how.


Configuring CDP

Well, there's not much to configure. It's on by default and it just works.

Secure#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

I can see from the output above that CDP packets are sent every 60 seconds. If I wanted to send CDP packets every 30 seconds I could configure that using the following command:

Secure(config)#cdp timer 30

OK, let's see what information CDP gives us.

Secure#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Eth 0              151         S I       WS-C2950-2Fas 0/17
S1               Eth 1              151         S I       WS-C2950-2Fas 0/1


Here I can see that my router's port Ethernet 0 is connected to port FastEthernet 0/17 on a 2950 switch, and Ethernet 1 is connected to port FastEthernet 0/1 on a 2950 as well. I can also see that the Device ID is S1, which is the name of my switch. Wouldn't it be useful if I knew the IP address of the switch too? Well, here's how we find that out.

Secure#show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: Ethernet0, Port ID (outgoing port): FastEthernet0/17
Holdtime : 158 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F
VTP Management Domain: ''
Duplex: full
Power drawn: 4294967.294 Watts

-------------------------

Device ID: S1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: Ethernet1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 158 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F
VTP Management Domain: ''
Duplex: full
Power drawn: 4294967.294 Watts


So from here I can start to diagram my network by hopping from device to device and adding in detailed information about the connected devices that CDP knows about. I can see which ports are FastEthernet and which are not, which are full duplex, and so much more.
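The hop-from-device-to-device mapping described above is easy to automate once the detail output is parsed into adjacency records. Here is an added example (my code, not from the original post) that turns one device's "show cdp neighbors detail" into edges of a topology graph and works out which neighbor addresses still need to be visited; the SAMPLE text is constructed from the two S1 entries shown above, and the local device name is supplied by the caller because the output itself does not contain it.

```python
import re

# Constructed sample: the two S1 entries from the "show cdp neighbors detail" output above.
SAMPLE = """-------------------------
Device ID: S1
Entry address(es):
  IP address: 10.0.1.210
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: Ethernet0,  Port ID (outgoing port): FastEthernet0/17
Holdtime : 158 sec
-------------------------
Device ID: S1
Entry address(es):
  IP address: 10.0.1.210
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: Ethernet1,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 158 sec
"""

FIELDS = {  # one regex per line of the detail output we care about
    "device": r"Device ID:\s*(\S+)",
    "ip": r"IP address:\s*(\d+\.\d+\.\d+\.\d+)",
    "platform": r"Platform:\s*(.+?),\s*Capabilities:\s*(.+)",
    "link": r"Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(\S+)",
    "holdtime": r"Holdtime\s*:\s*(\d+)",
}

def parse_neighbors_detail(local_device, output):
    """Turn one device's 'show cdp neighbors detail' into adjacency records linking
    (local_device, local_if) to (neighbor, neighbor_port) plus what CDP says about the neighbor."""
    edges = []
    for block in re.split(r"^-{5,}\s*$", output, flags=re.M):
        m = {k: re.search(p, block) for k, p in FIELDS.items()}
        if not (m["device"] and m["link"]):
            continue  # empty text before the first separator
        edges.append({
            "local": local_device, "local_if": m["link"].group(1),
            "neighbor": m["device"].group(1), "neighbor_port": m["link"].group(2),
            "neighbor_ip": m["ip"].group(1) if m["ip"] else None,
            "platform": m["platform"].group(1).strip() if m["platform"] else None,
            "capabilities": m["platform"].group(2).split() if m["platform"] else [],
            "holdtime": int(m["holdtime"].group(1)) if m["holdtime"] else None,
        })
    return edges

def next_hops(edges, visited):
    """Neighbor management addresses not yet crawled: the next devices to log into."""
    return sorted({e["neighbor_ip"] for e in edges
                   if e["neighbor_ip"] and e["neighbor"] not in visited})
```

Run parse_neighbors_detail on each device you log into, add its name to the visited set, and keep going until next_hops comes back empty; the accumulated edges are your diagram.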

So by now we're realising that this CDP information is great for an administrator, but it's probably great for an attacker too: it is sent unauthenticated and in the clear, so anything plugged into the same segment can read it. Let's say we don't want CDP leaving my router on interface Ethernet 1, for example. Here's how we do that.

Before I stop CDP on the router I check the switch and make sure it is working as expected.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           129         R          Cisco C831Eth 0
Secure           Fas 0/1            129         R          Cisco C831Eth 1

I can see that I have 2 CDP entries as expected. Now I go to my router and stop CDP on Ethernet 1.


Secure#conf t
Secure(config)#interface ethernet 1
Secure(config-if)#no cdp enable
Secure(config-if)#exit


I go back to my switch and see what's going on there.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           179         R          Cisco C831Eth 0
Secure           Fas 0/1            119         R          Cisco C831Eth 1

I can see the CDP entry is still there, but the holdtime for Eth1 is counting down towards expiry, whilst Eth0 has been refreshed back to 179 because it received a new advertisement at the 60 second interval. "no cdp enable" is per interface, so the router is still advertising out of Ethernet 0.

Finally, after the 180 second holdtime has passed, I can see the CDP entry for Eth1 drop out.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           159         R          Cisco C831Eth 0

And that's about it for CDP.

2 comments:

Mike and Tracy said...

The other thing I like about CDP is that all of that information is available via SNMP, so you don't even need device access to be able to collect and accumulate that info (assuming you have, or can get, SNMP read access)

SynJunkie said...

I never thought of that. I'll definitely look into it. Cheers