LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is CDP reconnaissance, why is it dangerous, and how do you mitigate it?

CDP (Cisco Discovery Protocol) broadcasts device information (IP (Internet Protocol), IOS (Internetwork Operating System) version, platform, native VLAN (Virtual Local Area Network)) in cleartext on all CDP-enabled ports. An attacker can passively collect this to map the network. Disable CDP on ports facing untrusted devices.

CDP broadcasts IP, IOS version, model, native VLAN in cleartext to a passive attacker.

* CDP leaks device details in cleartext. *

What CDP reveals:

  • Device IP address — allows targeted attacks
  • IOS software version — attacker can look up known vulnerabilities for that version
  • Platform/model — reveals hardware capabilities and potential weaknesses
  • Native VLAN — useful for VLAN hopping attacks
  • Capabilities — router, switch, phone, etc.

Why it's dangerous:

  • CDP is enabled by default on all Cisco interfaces
  • CDP messages are sent as periodic, unencrypted broadcasts — no authentication
  • Any device on the network can passively collect all CDP information
  • This is a reconnaissance gold mine — the attacker learns your network topology, device types, software versions, and IP addresses without sending a single suspicious packet

Mitigation:

! Disable CDP globally (nuclear option):
Switch(config)# no cdp run

! Disable CDP per-interface (recommended — disable on edge/access ports):
Switch(config-if)# no cdp enable

! Re-enable if needed:
Switch(config-if)# cdp enable

LLDP (Link Layer Discovery Protocol) is the open-standard equivalent of CDP and has the same vulnerability:

Switch(config)# no lldp run                    ! Disable globally
Switch(config-if)# no lldp transmit            ! Disable sending per-port
Switch(config-if)# no lldp receive             ! Disable receiving per-port

Best practice: Disable CDP/LLDP on all ports connected to untrusted devices (user access ports, guest ports). Keep it enabled on inter-switch links and ports connecting to IP phones (phones use CDP/LLDP for VLAN and PoE (Power over Ethernet) negotiation).

Go deeper:

From Quiz: NETW2 / LAN Security Concepts | Updated: Jul 05, 2026