Discovering a Cisco Network with CDP (Part 1)

If you have ever been dropped face first into an undocumented Cisco network with little Cisco experience you may have found yourself overwhelmed. Fortunately for admins who have no desire to tone cables or read long mac address tables there is a simple way to map out a network like this. The Cisco Discovery Protocol (CDP) is the answer. There are a few prerequisites but overall the process is fairly simple.

First, CDP must be enabled on all of the devices and ports you would like to discover. This typically is the case as CDP is enabled by default on most devices. CDP informational packets are emitted from each physical interface and can be read by directly attached devices. CDP offers a lot of information about the device so on edge ports it typically is a good idea to have it disabled for security reasons. I will get into that a bit later.

Second, you will need a user account that can access these devices. Large environments typically use RADIUS or TACACS for authentication. A previously departed admin may have also left user information for the devices.

The first step in discovery is to get access to a device. I typically look at the default gateway my PC is currently using and I SSH or Telnet to that device. Once logged in to a privileged prompt you can issue the “show cdp neighbors” command. A list of all attached devices will be listed as shown below:

rt-01#show cdp neighbors
Load for five secs: 0%/0%; one minute: 2%; five minutes: 2%
Time source is NTP, 11:28:44.801 EDT Thu Apr 19 2012
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
                 Gig 1/24          146            R      WS-C3560G Gig 0/26
                 Gig 1/12          130           S I      WS-C3560G Gig 0/26
                 Gig 1/20          171           S I      WS-C3750- Gig 3/0/1
wlc-02           Gig 1/9           173            H       AIR-WLC44 Gig 0/0/1

This neighbor view shows the interface of your local device as well as the interface label of the attached device. This allows you to then examine the specific interfaces to get a better understanding of what is configured on each of the links.

To get a better understanding of a specific attached device we can use the “show cdp entry” command in conjunction with “show cdp neighbors”. First, find a neighbor you would like to explore with the neighbors command. Next, issue “show cdp entry” followed by the name of that neighbor. “show cdp entry” for example. You would expect to get output similar to this:

rt-01#show cdp entry
Load for five secs: 1%/0%; one minute: 1%; five minutes: 2%
Time source is NTP, 11:38:19.536 EDT Thu Apr 19 2012
Device ID:
Entry address(es):
  IP address:
Platform: cisco WS-C3560G-24TS,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/7,  Port ID (outgoing port): GigabitEthernet0/26
Holdtime : 127 sec
Version :
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 24-Aug-07 01:38 by myl
advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000001D46F5C000FF0000
VTP Management Domain: 'test'
Native VLAN: 1
Duplex: full
Management address(es):
  IP address:

Once you have a good idea of what is attached to the device you’re presently connected to you can remote into one of the attached devices you discovered and do the same thing until “show cdp neighbors” reports no new devices. Use Visio or a pen and paper to map out the physical connections as you go.

As I mentioned above CDP can be a bit of a security risk. As you can see in the information above there is a fair amount of information that can be gathered from CDP that could be useful to an attacker. Version numbers of software, IP addresses, VTP information, etc can all be key things a would-be attacker would find useful. If your network is properly configured otherwise the risk is minimal but again any information can help paint a picture for an attacker.

I hope you found this useful! In the second part of this series I will be examining the Layer 2 trace route feature that is useful for finding the interface devices such as PCs, printers and other devices are attached to.

This entry was posted in Networking and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.