What Is Link Layer Discovery Protocol in Networking?

Also known as: LLDP, Link Layer Discovery Protocol, network discovery protocol, CCNA LLDP, Network+ LLDP

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

LLDP lets network devices like switches, routers, and access points introduce themselves to each other. They share information like their name, what they can do, and which port they are using. This helps network administrators automatically discover and map the network without manual data entry.

Must Know for Exams

LLDP appears prominently in CompTIA Network+ and Cisco CCNA certification exams. In CompTIA Network+, the exam objectives under Domain 2 Network Implementation include understanding and comparing discovery protocols, specifically LLDP and CDP. Learners must know that LLDP is an IEEE standard protocol, while CDP is Cisco proprietary. The exam may ask which protocol is used for multi-vendor environments or which standard defines LLDP (IEEE 802.1AB). Questions might present a scenario where a network consists of switches from multiple vendors, and the correct answer is to use LLDP for automatic discovery.

In the CCNA 200-301 exam, LLDP is covered under the topic of Network Access. Cisco documentation explicitly lists LLDP as one of the configuration items candidates must understand. The exam expects learners to know the default LLDP settings, such as the transmission interval of 30 seconds and the hold time multiplier of 4. Candidates must be able to interpret the output of show lldp neighbors and show lldp neighbors detail commands. They also need to know how to enable and disable LLDP globally (lldp run and no lldp run) and per interface (lldp transmit and lldp receive).

Exam questions often test the difference between CDP and LLDP. For example, a question might describe a network with Cisco and HP switches and ask which protocol should be used to ensure all devices can share neighbor information. The correct answer is LLDP because it is an open standard. Another question might provide the output of show lldp neighbors detail and ask the candidate to identify the chassis ID, port ID, or capabilities of the neighbor device.

CCNA exam objectives also include understanding LLDP-MED for VoIP. A question might present a scenario where IP phones must automatically receive a voice VLAN configuration. The candidate must know that LLDP-MED, an extension of LLDP, allows a switch to advertise the voice VLAN to an IP phone. This is often compared to Cisco's proprietary CDP with Voice VLAN advertisement.

Network+ exams may include troubleshooting questions. For instance, a technician discovers that a switch is not seeing its neighbor. The candidate must consider whether LLDP is enabled on both ends, whether the ports are in the correct VLAN, or whether the cable is faulty. Understanding that LLDP operates at Layer 2 and does not rely on IP can help in such questions. Also, the hold time concept may be tested: if a neighbor disappears from the table after 120 seconds, the candidate should identify that the hold time multiplier is 4 and the interval is 30 seconds.

Simple Meaning

Imagine your network is a busy office building with many rooms. Each room has a door, and each door has a sign that tells you the department name and the person who works there. LLDP is like a system where every door automatically sends its sign to the doors around it. A switch sends out a message saying, "I am Switch A on port 3 and I can forward data at 1 Gigabit per second." The router next to it receives this message and learns that Switch A is its neighbor. This automatic sharing is the core of LLDP.

In a more detailed analogy, think of a neighborhood where every house has a mailbox. LLDP is like the postal service that every house uses to send a postcard to every other house on the street. The postcard says the house’s address, its owner’s name, and what kind of mail it can receive (like packages or letters). When all houses do this, everyone knows who lives nearby. You do not need to walk door to door and ask; the information just arrives.

The real magic is that LLDP is standard and works between devices from different manufacturers. So a Cisco switch can talk to a Juniper router using LLDP, even though they speak different internal languages. The messages are simple and honest. They include the device name, the port identifier, the type of device (switch, router, phone, etc.), and sometimes more detailed capabilities. The messages are sent regularly, so if a new device is plugged in, it quickly announces its presence. If a device leaves, its neighbors stop hearing its postcards and know it is gone.

LLDP operates at Layer 2 of the OSI model, which means it lives on the data link layer. It does not use IP addresses. It sends its messages directly to the special multicast MAC address 0180C200000E, which all LLDP-enabled devices listen to. Because it works on Layer 2, it can even operate on networks that have no IP routing or where IP addresses conflict. Every switch that supports LLDP sends these announcements out every port by default. The network does not become cluttered because the messages are small, and they are sent only once every 30 seconds by default. This makes LLDP a lightweight but incredibly useful tool for building a live map of your network.

The data collected from LLDP is often stored in a local database called the Management Information Base (MIB). Network management software can query this MIB to display the network topology visually. For example, a tool like SolarWinds or PRTG can draw a diagram showing how devices are connected, based solely on LLDP information. This saves time and reduces human error. When you are troubleshooting a connectivity issue, you can check the LLDP neighbor table on a switch and see exactly what device is on the other end of the cable. This is much faster than tracing cables physically.

Full Technical Definition

LLDP is defined in IEEE standard 802.1AB. It is a link-layer protocol that allows network devices to advertise their identity, capabilities, and neighbors to other devices on the same physical or logical segment. It operates entirely at Layer 2 of the OSI model, using the destination MAC address 0180C200000E for all LLDP Data Units (LLDPDUs). These LLDPDUs are transmitted periodically, typically every 30 seconds, with a hold time multiplier of 4, meaning that if a device does not receive an LLDPDU for 120 seconds, it considers the neighbor lost.

The LLDPDU structure consists of a sequence of Type-Length-Value (TLV) elements. Each TLV starts with a type field that identifies what kind of information is being sent, a length field that indicates the data size, and the value field that holds the actual data. Essential TLVs include Chassis ID (which can be the device MAC address or a text string), Port ID (the port identifier), Time To Live (how long the information is valid), and End of LLDPDU. Optional TLVs cover system name, system description, system capabilities, management address, port description, VLAN name, and many others depending on the device vendor.
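
The TLV layout described above can be checked with a short parser. This is an added example, not code from the original page: it decodes a constructed frame from a hypothetical switch (core-sw1 running "ExampleOS"), assumes the 7-bit type and 9-bit length header, the type codes and the EtherType 0x88CC of IEEE 802.1AB, and lists which optional details the advertisement discloses to anyone on the link.

```python
import ipaddress
import struct

LLDP_DST_MAC = bytes.fromhex("0180c200000e")  # multicast address named above
LLDP_ETHERTYPE = 0x88CC                       # EtherType assigned to LLDP
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3    # TLV type codes (IEEE 802.1AB)
PORT_DESC, SYS_NAME, SYS_DESC, MGMT_ADDR = 4, 5, 6, 8
TEXT_TLVS = {PORT_DESC: "port_description", SYS_NAME: "system_name",
             SYS_DESC: "system_description"}
# Optional fields that describe the sender to any listener on the link
REVEALING = ("system_name", "system_description", "management_address")

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def split_tlvs(lldpdu):
    """Return (type, value) pairs up to, not including, End of LLDPDU."""
    out, pos = [], 0
    while True:
        if pos + 2 > len(lldpdu):
            raise ValueError("no End of LLDPDU TLV before end of frame")
        (header,) = struct.unpack_from("!H", lldpdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} overruns the frame")
        if tlv_type == END:
            return out
        out.append((tlv_type, lldpdu[pos:pos + length]))
        pos += length

def decode_id(value, mac_subtype):
    """Chassis ID and Port ID values start with a one-byte subtype."""
    if len(value) < 2:
        raise ValueError("ID TLV too short")
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return body.hex(":")
    return body.decode("utf-8", errors="replace")

def decode_mgmt(value):
    """Management Address: length byte, subtype byte, then the address."""
    if len(value) < 2 or value[0] < 2 or 1 + value[0] > len(value):
        raise ValueError("malformed Management Address TLV")
    subtype, addr = value[1], value[2:1 + value[0]]
    if (subtype, len(addr)) in ((1, 4), (2, 16)):   # IPv4 or IPv6
        return str(ipaddress.ip_address(addr))
    return addr.hex()

def parse_frame(frame):
    """Decode an untagged Ethernet frame carrying one LLDPDU."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if frame[:6] != LLDP_DST_MAC or ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = split_tlvs(frame[14:])
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL] or len(tlvs[2][1]) < 2:
        raise ValueError("mandatory TLVs missing, malformed or out of order")
    info = {"chassis_id": decode_id(tlvs[0][1], mac_subtype=4),
            "port_id": decode_id(tlvs[1][1], mac_subtype=3),
            "ttl": struct.unpack_from("!H", tlvs[2][1])[0]}
    for tlv_type, value in tlvs[3:]:
        if tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == MGMT_ADDR:
            info["management_address"] = decode_mgmt(value)
    return info

def revealed(info):
    """List the optional details this advertisement discloses."""
    return [name for name in REVEALING if name in info]

def sample_frame():
    """Constructed frame from a hypothetical switch named core-sw1."""
    src = bytes.fromhex("020000000001")
    mgmt = bytes([5, 1, 192, 0, 2, 10]) + b"\x02" + struct.pack("!I", 1) + b"\x00"
    lldpdu = b"".join([
        tlv(CHASSIS_ID, b"\x04" + src),          # subtype 4: MAC address
        tlv(PORT_ID, b"\x05" + b"Gi0/1"),        # subtype 5: interface name
        tlv(TTL, struct.pack("!H", 120)),
        tlv(SYS_NAME, b"core-sw1"),
        tlv(SYS_DESC, b"ExampleOS 1.2.3 (constructed)"),
        tlv(MGMT_ADDR, mgmt),
        tlv(END, b""),
    ])
    return LLDP_DST_MAC + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu

if __name__ == "__main__":
    decoded = parse_frame(sample_frame())
    print(decoded, "discloses:", revealed(decoded))
```

Running the same decoder over a capture of your own switch's advertisements shows exactly what a user-facing port announces before you decide whether to leave transmission enabled there.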

In real IT environments, LLDP is configured on managed switches, routers, wireless access points, IP phones, and some printers. The protocol is enabled per interface, and by default it is often enabled globally on enterprise-class Cisco devices via the command lldp run, while on Juniper devices it is enabled using the protocols lldp configuration stanza. Administrators use show commands to view the LLDP neighbor table, such as show lldp neighbors on Cisco IOS or show lldp neighbors detail for more verbose information. This table lists remote devices, their ports, and capabilities.

A critical technical aspect is that LLDP is unidirectional. A device sends its own information, but it does not request information from neighbors. The neighbor table is built solely from the advertisements that are received. Because it is unidirectional, LLDP works even on simplex links or when one side of a link is disabled from sending but can receive. Another important detail is that LLDP messages are never forwarded by switches. The destination MAC address 0180C200000E is a reserved multicast address that is not forwarded across Layer 2 boundaries. This ensures that LLDP traffic stays local to a single broadcast domain, preventing network-wide flooding.

Implementation variations exist, such as Cisco's proprietary CDP (Cisco Discovery Protocol), which serves the same purpose but uses a different format and multicast address. However, LLDP is vendor-neutral, making it essential in multi-vendor environments. The IEEE 802.1AB standard also defines LLDP-MED (Media Endpoint Discovery), an extension specifically for VoIP devices. LLDP-MED adds TLVs for power over Ethernet (PoE) requirements, network policies for voice VLANs, and location information for emergency services (E911). This is widely used in enterprise VoIP deployments.

Security considerations exist. LLDP is plaintext and unauthenticated by default. An attacker on the same link could inject false LLDPDUs to impersonate a device, potentially causing misrouting of management traffic or denial of service. To mitigate this, some switches allow disabling LLDP on untrusted ports or using port security features. In sensitive environments, LLDP may be disabled on access ports facing end users.

Real-Life Example

Think of a large apartment building with many units. Each apartment has a doorbell and a nameplate. LLDP is like a system where every apartment automatically sends a card to every other apartment in the building. The card says: This is Apartment 3B. My owner is Jane Smith. I have a refrigerator and a washing machine. By receiving these cards, all residents know who lives upstairs, downstairs, and next door. They build a mental map of the building without ever knocking on doors.

Now map this to IT. The building is your physical network. Each apartment is a network device like a switch or router. The doorbell is the Ethernet port. The nameplate is the system name or description. The refrigerator and washing machine are the device capabilities (like switching, routing, or wireless). When you plug a new switch into the network, it sends out LLDP messages every 30 seconds. After just a minute, every other switch in the same broadcast domain knows that the new switch exists and which ports connect to it.

This analogy also covers the concept of a neighbor table. In the apartment building, you might keep a list of neighbors you receive cards from. In networking, the switch keeps an LLDP neighbor table with entries for every device that sent a card. If you are an IT technician troubleshooting a slow connection, you can log into a switch and type show lldp neighbors. The output tells you exactly what device is on the other end of the cable. This is like checking your list to see which neighbor just moved in.

Another part of the analogy is the hold time. In the building, if someone stops sending cards for a couple of months, you assume they moved out. In LLDP, if a device does not send an LLDPDU for 120 seconds, the neighbor entry times out and is deleted. This keeps the network map accurate. If a device is unplugged and moved to a different port, the old entry expires, and a new one is created automatically.

The analogy also helps explain LLDP-MED. Imagine a company installs a new coffee machine in the building lobby. The coffee machine needs a specific power outlet (like Power over Ethernet) and must be placed on the correct floor (like a voice VLAN). With LLDP-MED, the coffee machine sends a card that says, "I need a special outlet." The switch reads this and provides the right power and configuration automatically. This is exactly how IP phones use LLDP-MED to get a voice VLAN assignment and PoE power from a switch.

Why This Term Matters

LLDP matters in real IT work because it directly reduces the time and effort required for network documentation and troubleshooting. Network administrators are responsible for knowing how every switch, router, and access point is physically connected. Without LLDP or a similar protocol, discovering the network topology is manual. You would have to trace cables, check labels, and update spreadsheets by hand. In a data center with hundreds of cables, that process is error-prone and extremely time-consuming. LLDP automates this discovery and keeps the topology information up to date in real time.

From a cybersecurity perspective, LLDP provides visibility into the network. If an unknown device suddenly appears in the LLDP neighbor table, it can be a sign of an unauthorized device plugged into the network. Security teams can configure alerting on new LLDP neighbors to detect rogue access points, unauthorized switches, or even malicious devices. On the other hand, because LLDP itself is unauthenticated, it can also be a vector for information leakage. A device might broadcast its hostname, management IP address, and software version. Attackers can use these details to plan targeted attacks. Therefore, knowing when to enable or disable LLDP on certain ports is a security best practice.

In system administration and cloud infrastructure, LLDP is less common in virtual environments, but it remains critical for physical network connections. In a hybrid environment with physical servers and virtual switches, LLDP can help administrators understand the mapping between physical ports and virtual networks. For example, VMware vSphere uses LLDP to discover physical switch information from virtual switches, helping to validate cabling and configuration.

LLDP also matters for network monitoring and automation. Network management platforms like Cisco Prime, SolarWinds, and LibreNMS use LLDP data to automatically generate network maps and diagrams. This is especially useful in large enterprise networks where manual mapping is impractical. Automated inventory systems can extract device model numbers and software versions from LLDP TLVs, keeping asset databases accurate without logging into each device.

Lastly, LLDP is a core component of network performance troubleshooting. When a link is slow or dropping packets, an engineer can check the LLDP neighbor table on both ends to confirm that each device sees the other correctly. If one side does not see the other, the problem could be a faulty cable, a disabled port, or a misconfigured VLAN. LLDP provides the first clue in many common network faults.

How It Appears in Exam Questions

LLDP appears in exam questions in several distinct patterns. First, there are definition-style questions. These ask directly about the protocol, such as: Which layer of the OSI model does LLDP operate at? (Answer: Layer 2). Or: Which IEEE standard defines LLDP? (Answer: 802.1AB). Or: Which protocol is vendor-neutral for neighbor discovery? (Answer: LLDP). These are straightforward but require memorization of key facts.

Second, there are comparison questions. The exam might present a table or a list of features and ask which protocol, CDP or LLDP, has a specific characteristic. For example: Which discovery protocol uses a multicast address of 0180C200000E? (Answer: LLDP). Or: Which discovery protocol is only available on Cisco devices? (Answer: CDP). These questions test the candidate's ability to distinguish between the two similar but different protocols.

Third, there are configuration and verification questions. A typical CCNA scenario question might read: You are troubleshooting a network and need to see what device is connected to interface GigabitEthernet0/1 on your switch. Which command would you use? The correct answer is show lldp neighbors gigabitEthernet 0/1 or show lldp neighbors detail. Another configuration question might ask: An administrator wants to enable LLDP globally on a Cisco switch. Which command should be entered? (Answer: lldp run). These questions test practical knowledge of command syntax.

Fourth, there are troubleshooting scenario questions. For example: After connecting a new switch to an existing network, the network administrator notices that the new switch does not appear in the LLDP neighbor table of the existing switch. What could be the problem? Possible answers include LLDP being disabled on the port, the cable being faulty, or the new switch not supporting LLDP. The candidate must reason through the likely causes. Another scenario might describe that LLDP neighbor entries are disappearing every two minutes. The candidate must correlate this with the hold time of 120 seconds and suggest checking the transmission interval or network stability.

Fifth, there are design and multi-vendor questions. A question may ask: A company has a network consisting of Cisco, Juniper, and Arista switches. Which discovery protocol should be used for consistency? (Answer: LLDP). Or: Which protocol allows a network management station to automatically discover the network topology without vendor lock-in? (Answer: LLDP). These test the candidate's understanding of why LLDP exists as an open standard.

Finally, advanced questions may involve LLDP-MED. For example: An IP phone is connected to a switch port. The phone needs to be placed in the voice VLAN. Which protocol allows the phone to learn the voice VLAN ID automatically? (Answer: LLDP-MED or CDP, depending on the vendor). The candidate must differentiate between the base LLDP standard and its extension for media endpoints.

Example Scenario

A medium-sized company, GreenTech Solutions, has just expanded its office to a new floor. The IT team installs two new switches and connects them to the existing core switch. The network administrator, Priya, wants to confirm that all three switches are properly connected and that she has an accurate map of the network. She does not want to walk across the building to trace cables.

Priya logs into the core switch and runs the command show lldp neighbors. The output shows two entries: one for Switch-A on port Gi0/1 and another for Switch-B on port Gi0/2. Each entry includes the neighbor device name, port identifier, and time to live. Priya can now confirm that both new switches are reachable and connected to the correct ports. She then logs into Switch-A and runs the same command to see that Switch-A sees the core switch as its neighbor on its own uplink port. This matches her expected topology.

Later, a user reports a connectivity issue on the new floor. Priya suspects a faulty cable between Switch-A and the core. She checks the LLDP neighbor table on the core switch. Switch-A still appears, so the cable is likely working. But she notices that the time to live for Switch-B is about to expire. This suggests that Switch-B might be intermittently losing connectivity. Priya investigates further and finds that the power supply for Switch-B was loose. After securing it, the LLDP neighbor entry stabilizes. The entire troubleshooting process took less than ten minutes because of the immediate visibility provided by LLDP.

Common Mistakes

Thinking LLDP relies on IP addresses to discover neighbors.

LLDP operates at Layer 2 and does not use IP addresses at all. It uses a multicast MAC address to send frames directly to all LLDP-enabled devices on the same broadcast domain.

Remember that LLDP is a Layer 2 protocol. It works even on a network with no IP configuration, like during initial setup of a switch before an IP address is assigned.

Believing that LLDP is a Cisco-proprietary protocol.

LLDP is an open IEEE standard (802.1AB). Cisco has its own proprietary protocol called CDP, but LLDP is vendor-neutral and supported by many manufacturers.

Associate LLDP with the phrase open standard or IEEE. Associate CDP with Cisco. If a question mentions a multi-vendor network, choose LLDP.

Assuming that LLDP messages are forwarded by switches to other parts of the network.

LLDP uses a special multicast MAC address (0180C200000E) that switches are designed not to forward. Each LLDP frame stays on the single link where it was sent.

Think of LLDP as a one-link conversation. It never leaves the immediate cable segment. Each switch learns only about its directly connected neighbors.

Confusing LLDP with SNMP or other network management protocols.

SNMP is used to query and manage devices remotely, often over IP. LLDP is purely a discovery protocol that sends advertisements without being queried. They serve different purposes.

LLDP is for automatic neighbor discovery, like a person introducing themselves. SNMP is for asking detailed questions after the introduction, like what is your CPU usage?

Thinking that LLDP provides information about devices two or more hops away.

LLDP only provides information about directly connected Layer 2 neighbors. A switch can only see devices plugged directly into its ports, not devices connected through another switch.

LLDP builds a one-hop view. To see the full network topology, you need to combine LLDP information from multiple devices, often using a management tool.

Exam Trap — Don't Get Fooled

An exam question shows the output of show lldp neighbors detail and asks: What is the IP address of the neighboring device? The output includes a Management Address TLV with an IP address, but the candidate might answer that LLDP does not use IP, and therefore the question is faulty. Understand the difference between how LLDP communicates (Layer 2 frames) and what information it can carry (including optional management IP addresses).

The protocol itself does not need IP to function, but it can include an IP address for convenience. When answering, look for the Management Address field in the LLDP output.

Commonly Confused With

Link Layer Discovery Protocol vs Cisco Discovery Protocol (CDP)

CDP is Cisco's proprietary discovery protocol, while LLDP is the open IEEE standard. CDP uses a different multicast address (0100.0CCC.CCCC) and carries Cisco-specific TLVs. LLDP is essential in multi-vendor networks, whereas CDP only works between Cisco devices.

A network with a Cisco switch and a Juniper router will not share CDP information, but both can use LLDP to see each other.

Link Layer Discovery Protocol vs SNMP (Simple Network Management Protocol)

SNMP is a management protocol used to query and configure devices. It is pull-based, meaning a management station sends requests. LLDP is push-based; devices send advertisements automatically. They can work together: LLDP builds the neighbor table, and SNMP can read that table via MIBs.

LLDP tells you a neighbor exists. SNMP lets you ask that neighbor for its interface statistics.

Link Layer Discovery Protocol vs ARP (Address Resolution Protocol)

ARP maps an IP address to a MAC address for Layer 3 to Layer 2 communication. LLDP is only about discovering device identity and capabilities, not about address resolution. ARP is essential for sending packets to a specific IP on the same subnet.

LLDP announces who you are. ARP finds how to reach someone you already know the IP of.

Link Layer Discovery Protocol vs STP (Spanning Tree Protocol)

STP prevents loops in a switched network by blocking certain ports. LLDP does not affect data forwarding at all. Both operate at Layer 2, but their purposes are entirely different.

LLDP tells you the neighbor exists. STP tells you whether the path to that neighbor should be active or blocked to prevent loops.

Step-by-Step Breakdown

1. LLDP is enabled on a device interface

A network administrator enables LLDP globally or per interface. On a Cisco switch, this is done with the command lldp run for global enablement, and lldp transmit and lldp receive per interface. Once enabled, the device begins participating in neighbor discovery.

2. The device builds an LLDP Data Unit (LLDPDU)

The device collects its own identity and capabilities: chassis ID, port ID, system name, system description, supported capabilities, and management address. These are encoded into TLVs (Type-Length-Value) and assembled into an LLDPDU. The device also sets the Time To Live (TTL), usually 120 seconds.

3. The LLDPDU is transmitted onto the link

The device sends the LLDPDU as a Layer 2 frame with the destination MAC address 0180C200000E. This is a reserved multicast address for link-layer discovery. The frame is sent out all LLDP-enabled interfaces, typically every 30 seconds. The frame is not forwarded beyond the immediate link.

4. The neighbor receives and stores the information

A neighboring device with LLDP enabled listens for frames sent to the multicast address. When it receives an LLDPDU, it decodes the TLVs and stores the information in its local LLDP neighbor table. The table includes the remote chassis ID, port ID, TTL, and any optional data like system description.

5. The neighbor table is maintained with timers

The receiving device maintains a timer for each LLDP neighbor entry. The timer is set to the TTL value from the LLDPDU (default 120 seconds). If no new LLDPDU is received before the timer expires, the entry is removed. If a new LLDPDU arrives, the timer is refreshed.

6. The information is made available to network management

The LLDP neighbor table is stored in the device's Management Information Base (MIB). Network management tools can query this MIB via SNMP to collect neighbor information from all devices, building a complete network topology map without manual data entry.
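
The receive-and-age behaviour in the later steps, together with the alerting on new neighbors described under Why This Term Matters, is shown below. This is an added example, not vendor code or code from the original page; the NeighborTable class, the expected-neighbor inventory and the sample events are constructed for illustration, and the handling of a TTL of 0 as a shutdown notice follows IEEE 802.1AB.

```python
from dataclasses import dataclass

TX_INTERVAL = 30       # seconds between advertisements (default named above)
HOLD_MULTIPLIER = 4    # advertised TTL = 30 * 4 = 120 seconds
TTL = TX_INTERVAL * HOLD_MULTIPLIER


@dataclass
class Neighbor:
    system_name: str
    expires_at: float


class NeighborTable:
    """One switch's LLDP neighbor table with TTL aging and an inventory check."""

    def __init__(self, expected):
        # expected: local port -> chassis ID the cabling records say is there
        self.expected = expected
        self.entries = {}  # (local_port, chassis_id, port_id) -> Neighbor

    def receive(self, now, local_port, chassis_id, port_id, system_name, ttl):
        """Apply one received LLDPDU; return alerts raised by a new entry."""
        key = (local_port, chassis_id, port_id)
        if ttl == 0:
            # TTL 0 is the sender's shutdown notice: drop the entry at once.
            self.entries.pop(key, None)
            return []
        is_new = key not in self.entries
        self.entries[key] = Neighbor(system_name, now + ttl)  # (re)start timer
        if not is_new:
            return []
        alerts = []
        want = self.expected.get(local_port)
        if want is None:
            alerts.append(("unexpected_port", local_port, chassis_id))
        elif want != chassis_id:
            alerts.append(("wrong_neighbor", local_port, chassis_id))
        others = {k[1] for k in self.entries if k[0] == local_port} - {chassis_id}
        if others:
            # Two chassis IDs behind one port: a hub, a bridge, or a forged frame.
            alerts.append(("multiple_neighbors", local_port, chassis_id))
        return alerts

    def expire(self, now):
        """Remove entries whose timer ran out; return their keys."""
        gone = sorted(k for k, n in self.entries.items() if n.expires_at <= now)
        for key in gone:
            del self.entries[key]
        return gone


# Constructed sample data: inventory plus a sequence of received advertisements
# as (time, local port, chassis ID, remote port, system name, TTL).
EXPECTED = {"Gi0/1": "02:00:00:00:00:0a", "Gi0/2": "02:00:00:00:00:0b"}
EVENTS = [
    (0, "Gi0/1", "02:00:00:00:00:0a", "Gi1/0/24", "Switch-A", TTL),
    (0, "Gi0/2", "02:00:00:00:00:0b", "Gi1/0/24", "Switch-B", TTL),
    (30, "Gi0/1", "02:00:00:00:00:0a", "Gi1/0/24", "Switch-A", TTL),  # refresh
    (40, "Gi0/5", "02:00:00:00:00:ee", "eth0", "unknown-ap", TTL),    # no inventory entry
    (60, "Gi0/2", "02:00:00:00:00:cc", "port1", "Switch-B", TTL),     # name fits, chassis does not
]


def replay(events, expected, check_at):
    """Feed events to a fresh table, then age it at time check_at."""
    table, alerts = NeighborTable(expected), []
    for event in events:
        alerts += table.receive(*event)
    return alerts, table.expire(check_at), table


if __name__ == "__main__":
    alerts, expired, table = replay(EVENTS, EXPECTED, check_at=125)
    print("alerts:", alerts)
    print("expired:", expired)
    print("remaining:", sorted(table.entries))
```

Because LLDPDUs are unauthenticated, a chassis ID that matches the inventory is not proof of identity; the check catches devices that announce themselves and should sit alongside the port-level controls mentioned under Full Technical Definition.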

Practical Mini-Lesson

LLDP is one of the first tools a network engineer uses when entering an unfamiliar network. Before touching anything, a good practice is to log into a core switch and run show lldp neighbors. This command gives you an immediate snapshot of the directly connected devices. It tells you the device names, the ports they are connected to, and sometimes even the device model numbers. In a few minutes, you can understand the physical layout of the network without needing a physical walkthrough.

To configure LLDP on a Cisco IOS device, you first enter global configuration mode. The command lldp run enables LLDP globally. Some devices have it enabled by default. You can then verify with show lldp, which displays the global status, the transmission interval (default 30 seconds), and the hold time multiplier (default 4). To disable LLDP on a specific interface, you enter interface configuration mode and issue no lldp transmit and no lldp receive. This is useful on ports that connect to end-user devices to prevent unnecessary traffic and potential information leakage.

On Juniper Junos, the configuration is similar but uses different syntax. Under the [edit protocols lldp] hierarchy, you set interface all to enable it on all interfaces. You can also set the advertisement interval with the advertisement-interval statement. Juniper also supports LLDP-MED through the [edit protocols lldp-med] hierarchy.

In practice, common issues with LLDP include the neighbor table not showing an expected device. Troubleshooting steps include pinging the device (if it has an IP), checking physical layer connectivity (cables, LEDs), verifying that LLDP is enabled on both the local and remote interface, checking that the interface is not in an err-disable state, and confirming that the remote device actually supports LLDP. Some devices like simple unmanaged switches do not support LLDP.

Security is an important consideration. By default, LLDP sends out system name and description, which can reveal software versions and hostnames. In a high-security environment, you may want to disable LLDP on user-facing ports. Alternatively, you can configure LLDP to only receive (lldp receive) without transmitting (no lldp transmit) on certain ports. This allows the switch to learn about neighbors without advertising its own details.

LLDP is also crucial for Power over Ethernet (PoE) management. When an IP phone or an access point is connected, LLDP-MED TLVs allow the switch and the powered device to negotiate power requirements. This ensures the device gets exactly the power it needs without exceeding the switch's budget. It also allows the switch to prioritize power delivery to critical devices.

Finally, LLDP is not just for wired networks. Some wireless bridges and access points use variations of LLDP to discover neighbor access points and coordinate channel selection. Understanding LLDP gives you a foundational tool for both wired and wireless discovery.

Memory Tip

LLDP is the open standard for Link Layer Discovery. Think of the two Ls: Link Layer and LLDP. The P stands for Protocol, and it always plays nicely with devices from any vendor.

Frequently Asked Questions

What is the main purpose of LLDP?

LLDP allows network devices to automatically discover each other and share information about their identity and capabilities over a local link.

Is LLDP the same as CDP?

No, CDP is Cisco's proprietary protocol, while LLDP is an open IEEE standard. Both serve the same purpose but are not interchangeable.

Does LLDP work between switches from different vendors?

Yes, because LLDP is a vendor-neutral standard, devices from different manufacturers can exchange neighbor information using LLDP.

Can LLDP be used to send information across a router?

No, LLDP operates at Layer 2 and its frames are not forwarded by routers or switches beyond the immediate link.

How often does a device send LLDP advertisements?

By default, LLDP packets are sent every 30 seconds.

Does LLDP require IP configuration?

No, LLDP operates entirely at Layer 2 and does not need an IP address to function.

What is LLDP-MED?

LLDP-MED is an extension of LLDP for media endpoints like IP phones. It allows devices to advertise PoE requirements and voice VLAN information.

Summary

Link Layer Discovery Protocol (LLDP) is a foundational networking tool that simplifies how devices discover each other on a local network. It operates at Layer 2, sending small frames that advertise a device's identity, capabilities, and directly connected neighbors. LLDP is vendor-neutral, making it essential in multi-vendor environments, and it is examined in both CompTIA Network+ and Cisco CCNA certifications.

The protocol helps network administrators automatically map topologies, troubleshoot connectivity issues, and integrate with management systems. Key points to remember for exams include its IEEE 802.1AB standard, the multicast destination MAC 0180C200000E, the default timer settings of 30 seconds with a hold time of 120 seconds, and the distinction from Cisco's CDP.

In practice, LLDP saves hours of manual cabling verification and provides critical visibility for security and performance monitoring. Whether you are studying for an exam or working in the field, understanding LLDP gives you a direct window into the physical structure of any network.