What is CDP reconnaissance, why is it dangerous, and how do you mitigate it?
CDP (Cisco Discovery Protocol) broadcasts device information (IP (Internet Protocol), IOS (Internetwork Operating System) version, platform, native VLAN (Virtual Local Area Network)) in cleartext on all CDP-enabled ports. An attacker can passively collect this to map the network. Disable CDP on ports facing untrusted devices.
* CDP leaks device details in cleartext. *
What CDP reveals:
- Device IP address — allows targeted attacks
- IOS software version — attacker can look up known vulnerabilities for that version
- Platform/model — reveals hardware capabilities and potential weaknesses
- Native VLAN — useful for VLAN hopping attacks
- Capabilities — router, switch, phone, etc.
Why it's dangerous:
- CDP is enabled by default on all Cisco interfaces
- CDP messages are sent as periodic, unencrypted broadcasts — no authentication
- Any device on the network can passively collect all CDP information
- This is a reconnaissance gold mine — the attacker learns your network topology, device types, software versions, and IP addresses without sending a single suspicious packet
Mitigation:
! Disable CDP globally (nuclear option):
Switch(config)# no cdp run
! Disable CDP per-interface (recommended — disable on edge/access ports):
Switch(config-if)# no cdp enable
! Re-enable if needed:
Switch(config-if)# cdp enable
LLDP (Link Layer Discovery Protocol) is the open-standard equivalent of CDP and has the same vulnerability:
Switch(config)# no lldp run ! Disable globally
Switch(config-if)# no lldp transmit ! Disable sending per-port
Switch(config-if)# no lldp receive ! Disable receiving per-port
Best practice: Disable CDP/LLDP on all ports connected to untrusted devices (user access ports, guest ports). Keep it enabled on inter-switch links and ports connecting to IP phones (phones use CDP/LLDP for VLAN and PoE (Power over Ethernet) negotiation).
Go deeper:
Cisco Discovery Protocol (Wikipedia) — lists exactly what CDP leaks (IOS version, IP, model, native VLAN…), showing the recon value and why you disable it on edge ports.