CDP / LLDP (CCNA 200-301)

CDP Leaking Network Topology to Untrusted Segment — Security Risk

Presenting Symptom

A network engineer notices that a switch connected to an untrusted segment (e.g., a guest network or external partner) is sending Cisco Discovery Protocol (CDP) advertisements, potentially leaking sensitive network topology information.

Network Context

This scenario occurs in a small branch office where a Cisco Catalyst 2960 switch (running IOS 15.0) connects to both the internal corporate LAN and an untrusted guest network via a separate VLAN. The switch has CDP enabled globally by default. An external attacker or unauthorized user on the guest network could capture CDP packets to discover neighboring Cisco devices, IP addresses, and IOS versions, posing a security risk.

Diagnostic Steps

1. Check if CDP is enabled globally on the switch

show cdp
Global CDP information:
    Sending CDP packets every 60 seconds
    Sending a holdtime value of 180 seconds

If CDP is enabled globally, the switch will send CDP advertisements out all interfaces (including untrusted ones). If disabled, the output will indicate 'CDP is not enabled'.

2. Identify which interfaces have CDP enabled

show cdp interface
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

All interfaces with CDP enabled will be listed. Look for interfaces connected to untrusted segments (e.g., guest VLAN, internet-facing). If an untrusted interface shows CDP enabled, it is leaking topology info.

3. Verify CDP neighbors discovered via the untrusted interface

show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router1          Gig 0/1           172         R          ISR4331   Gig 0/0/0
Switch2          Gig 0/2           150         S          WS-C2960  Gig 0/1

If the untrusted interface (e.g., Gig0/2) shows CDP neighbors, it confirms that topology information is being shared with untrusted devices. In a secure design, no CDP neighbors should appear on untrusted interfaces.

4. Check CDP traffic on the untrusted interface using a packet capture or debug

debug cdp packets
CDP-PA: packet sent via GigabitEthernet0/2, length 123
  CDP ver 2, ttl 180s, checksum 0x1234
  Device-ID: Switch-Branch
  Version: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE
  Platform: cisco WS-C2960-24TT-L
  Capabilities: Switch
  Interface: GigabitEthernet0/2, Port-ID (outgoing): GigabitEthernet0/2
  VTP Domain: Corporate
  Native VLAN: 1
  Duplex: Full
  System Name: Switch-Branch

The debug output shows detailed CDP information being sent out the untrusted interface, including device ID, IOS version, platform, VTP domain, and native VLAN. This confirms the security risk.
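To make step 4 concrete, here is an added Python example (not code from the original scenario or from Cisco) that decodes a CDPv2 payload TLV by TLV, so you can see exactly which fields a passive listener on the guest VLAN receives from one advertisement. The sample frame is built inside the script from the field values in the debug output above; the management address 192.0.2.10 is a made-up value, since the page shows none, and the checksum routine is the standard ones'-complement form, which is exact for even-length frames like this one.

```python
"""Decode a CDPv2 payload (the part after the SNAP header) into its TLVs.
Added example: sample values come from the debug output in this scenario,
the management IP is constructed, not from the page."""
import struct

# TLV type codes defined by the CDP protocol.
TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0009: "VTP Domain", 0x000A: "Native VLAN", 0x000B: "Duplex",
}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}
NLPID_IP = 0xCC  # ISO NLPID for IPv4 in the Addresses TLV


def ones_complement_checksum(data: bytes) -> int:
    """Standard 16-bit ones'-complement checksum. Cisco orders the trailing byte
    of odd-length frames differently; this zero-padded form is exact for even
    lengths, which the sample frame below has."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (2 bytes) + length (2 bytes, includes this 4-byte header) + value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_payload(device_id, mgmt_ip, port_id, caps, version, platform,
                      vtp_domain, native_vlan, full_duplex=True) -> bytes:
    """Assemble a CDPv2 payload (version 2, TTL 180s) with a valid checksum."""
    ip = bytes(int(o) for o in mgmt_ip.split("."))
    addr_entry = struct.pack("!BBB", 1, 1, NLPID_IP) + struct.pack("!H", len(ip)) + ip
    body = b"".join([
        tlv(0x0001, device_id.encode()),
        tlv(0x0002, struct.pack("!I", 1) + addr_entry),   # one address
        tlv(0x0003, port_id.encode()),
        tlv(0x0004, struct.pack("!I", caps)),
        tlv(0x0005, version.encode()),
        tlv(0x0006, platform.encode()),
        tlv(0x0009, vtp_domain.encode()),
        tlv(0x000A, struct.pack("!H", native_vlan)),
        tlv(0x000B, bytes([1 if full_duplex else 0])),
    ])
    unchecked = struct.pack("!BBH", 2, 180, 0) + body
    return struct.pack("!BBH", 2, 180, ones_complement_checksum(unchecked)) + body


def decode_addresses(value: bytes) -> list:
    """Addresses TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr)."""
    count = struct.unpack("!I", value[:4])[0]
    pos, addrs = 4, []
    for _ in range(count):
        proto_type, proto_len = value[pos], value[pos + 1]
        proto = value[pos + 2:pos + 2 + proto_len]
        addr_len = struct.unpack("!H", value[pos + 2 + proto_len:pos + 4 + proto_len])[0]
        addr = value[pos + 4 + proto_len:pos + 4 + proto_len + addr_len]
        is_ipv4 = proto_type == 1 and proto == bytes([NLPID_IP]) and addr_len == 4
        addrs.append(".".join(str(b) for b in addr) if is_ipv4 else addr.hex())
        pos += 4 + proto_len + addr_len
    return addrs


def parse_cdp_payload(payload: bytes) -> dict:
    """Walk the TLV list and return the decoded fields keyed by TLV name."""
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    out = {"version": version, "ttl": ttl,
           "checksum_ok": ones_complement_checksum(payload) == 0}
    pos = 4
    while pos + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(payload):
            raise ValueError(f"malformed TLV at offset {pos}")
        value = payload[pos + 4:pos + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"unknown-0x{tlv_type:04x}")
        if tlv_type == 0x0002:
            out[name] = decode_addresses(value)
        elif tlv_type == 0x0004:
            bits = struct.unpack("!I", value)[0]
            out[name] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type == 0x000A:
            out[name] = struct.unpack("!H", value)[0]
        elif tlv_type == 0x000B:
            out[name] = "Full" if value == b"\x01" else "Half"
        else:
            out[name] = value.decode("ascii", "replace")
        pos += tlv_len
    return out


# Constructed sample: field values from the debug output in step 4; the
# 192.0.2.10 management address is made up (the page shows none).
SAMPLE = build_cdp_payload(
    device_id="Switch-Branch", mgmt_ip="192.0.2.10", port_id="GigabitEthernet0/2",
    caps=0x08, version="Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE",
    platform="cisco WS-C2960-24TT-L", vtp_domain="Corporate", native_vlan=1)

if __name__ == "__main__":
    for key, val in parse_cdp_payload(SAMPLE).items():
        print(f"{key:>18}: {val}")
```

Every field the decoder prints (device name, management IP, IOS version, platform, VTP domain, native VLAN) is exactly what the debug output shows leaving GigabitEthernet0/2, which is why disabling CDP on that interface is the fix rather than filtering individual TLVs.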

Root Cause

CDP is enabled globally on the switch, and no per-interface disabling has been applied on the interface connected to the untrusted segment. By default, CDP sends advertisements out all interfaces, leaking sensitive network topology information to unauthorized users.

Resolution

Disable CDP on the untrusted interface (e.g., GigabitEthernet0/2) using the following commands:

Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# no cdp enable
Switch(config-if)# end

Alternatively, if the entire switch should not run CDP, disable it globally:

Switch(config)# no cdp run

Explanation: The 'no cdp enable' command disables CDP on a specific interface, preventing CDP advertisements from being sent or received on that interface. This stops the leakage of topology information to the untrusted segment.

Verification

Run 'show cdp interface GigabitEthernet0/2' to confirm CDP is disabled on that interface:

GigabitEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  CDP is not enabled on this interface

Also run 'show cdp neighbors' to ensure no neighbors are discovered via that interface.
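As an added example (not from the original scenario or from Cisco), the script below turns diagnostic steps 2 and 3, the resolution and the verification into a repeatable audit: it parses 'show cdp interface' and 'show cdp neighbors' output, checks a set of interfaces you declare untrusted, reports which of them still run CDP and which neighbors are heard there, and emits the per-interface 'no cdp enable' lines. The sample outputs are the ones shown on this page; the untrusted-interface set is an assumption taken from the scenario (GigabitEthernet0/2 faces the guest VLAN).

```python
"""Audit Cisco IOS 'show cdp' output for CDP left enabled on untrusted
interfaces and emit the per-interface remediation. Added example; sample
outputs are the ones in this scenario, the untrusted set is an assumption."""
import re

UNTRUSTED_INTERFACES = {"GigabitEthernet0/2"}  # assumption: guest-VLAN uplink

# 'show cdp interface' before the fix (diagnostic step 2).
SHOW_CDP_INTERFACE_BEFORE = """\
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""
# 'show cdp interface GigabitEthernet0/2' after 'no cdp enable' (Verification).
SHOW_CDP_INTERFACE_AFTER = """\
GigabitEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  CDP is not enabled on this interface
"""
# 'show cdp neighbors' before the fix (diagnostic step 3).
SHOW_CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router1          Gig 0/1           172         R          ISR4331   Gig 0/0/0
Switch2          Gig 0/2           150         S          WS-C2960  Gig 0/1
"""

IF_HEADER = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
IF_ABBREV = {"Gig": "GigabitEthernet", "Fas": "FastEthernet",
             "Ten": "TenGigabitEthernet", "Eth": "Ethernet"}


def expand_ifname(short: str) -> str:
    """'Gig 0/2' (neighbor-table abbreviation) -> 'GigabitEthernet0/2'."""
    prefix, number = short.split(" ", 1)
    return IF_ABBREV.get(prefix, prefix) + number


def cdp_enabled_interfaces(show_cdp_interface: str) -> set:
    """Interfaces listed whose block lacks the 'CDP is not enabled' line."""
    enabled, current = set(), None
    for line in show_cdp_interface.splitlines():
        m = IF_HEADER.match(line)
        if m:
            current = m.group(1)
            enabled.add(current)
        elif current and "CDP is not enabled" in line:
            enabled.discard(current)
    return enabled


def parse_neighbors(show_cdp_neighbors: str) -> list:
    """Rows of the neighbor table with interface names expanded."""
    rows, in_table = [], False
    for line in show_cdp_neighbors.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        tokens = line.split()
        if not in_table or len(tokens) < 7:
            continue  # legend, blank or 'Total cdp entries' lines
        rows.append({"device": tokens[0],
                     "local": expand_ifname(tokens[1] + " " + tokens[2]),
                     "holdtime": int(tokens[3]), "capabilities": tokens[4:-3],
                     "platform": tokens[-3],
                     "port": expand_ifname(tokens[-2] + " " + tokens[-1])})
    return rows


def audit(show_cdp_interface: str, show_cdp_neighbors: str, untrusted: set) -> dict:
    """Per untrusted interface: is CDP still on, and which neighbors are heard?"""
    enabled = cdp_enabled_interfaces(show_cdp_interface)
    neighbors = parse_neighbors(show_cdp_neighbors)
    return {name: {"cdp_enabled": name in enabled,
                   "neighbors": [n["device"] for n in neighbors if n["local"] == name]}
            for name in sorted(untrusted)}


def remediation(findings: dict) -> list:
    """IOS config lines that disable CDP only where the audit flagged it."""
    lines = []
    for name, f in findings.items():
        if f["cdp_enabled"]:
            lines += [f"interface {name}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    before = audit(SHOW_CDP_INTERFACE_BEFORE, SHOW_CDP_NEIGHBORS, UNTRUSTED_INTERFACES)
    print(before)
    print("\n".join(remediation(before)))
    print(audit(SHOW_CDP_INTERFACE_AFTER, "", UNTRUSTED_INTERFACES))
```

Run against the pre-fix output it flags GigabitEthernet0/2 (CDP on, neighbor Switch2 heard) and prints the two config lines from the Resolution section; run against the post-fix output from the Verification section it reports CDP off and returns no remediation, which is the check to repeat after every change.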

Prevention

1. Disable CDP on all interfaces that connect to untrusted networks (e.g., guest VLANs, internet-facing links, external partner connections).

2. Use the 'no cdp enable' command on a per-interface basis rather than disabling CDP globally, as CDP is useful for internal network discovery and troubleshooting.

3. Implement network segmentation and access control lists to limit exposure of management protocols.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a multiple-choice question or a drag-and-drop troubleshooting task. The exam tests knowledge of CDP security implications and the command to disable CDP on an interface. A key fact: CDP is enabled by default on Cisco devices and can leak sensitive information; candidates must know how to disable it per interface using 'no cdp enable'.

Exam Tips

1. Remember that CDP is a Layer 2 protocol and is enabled by default; always disable it on interfaces facing untrusted networks.

2. The command 'no cdp enable' is interface-specific; 'no cdp run' disables it globally. The exam may test the difference.

3. Be able to identify CDP information in a 'show cdp neighbors' output, such as Device ID, Platform, and Port ID.

Commands Used in This Scenario

show cdp
show cdp interface
show cdp neighbors
debug cdp packets
no cdp enable (interface configuration mode)
no cdp run (global configuration mode)
