1 00:00:00,000 --> 00:00:03,000 So once again in this example
2 00:00:03,000 --> 00:00:07,000 we can see that the device connected to router 3
3 00:00:07,000 --> 00:00:13,000 is a Cisco 3750 switch with this IP address.
4 00:00:13,000 --> 00:00:17,000 This is the platform and this is the version of software
5 00:00:17,000 --> 00:00:19,000 that the switch is running.
6 00:00:19,000 --> 00:00:22,000 So from a security point of view
7 00:00:22,000 --> 00:00:27,000 what you may want to do is type no cdp run,
8 00:00:27,000 --> 00:00:34,000 which disables CDP on the entire router or switch.
9 00:00:34,000 --> 00:00:41,000 Now when I type sh cdp neighbors, notice CDP is not enabled on the device.
10 00:00:41,000 --> 00:00:45,000 On switch 2, sh cdp neighbors
11 00:00:45,000 --> 00:00:51,000 still shows router 3 in the list because of the timers.
12 00:00:51,000 --> 00:00:55,000 If I type sh cdp, Enter,
13 00:00:55,000 --> 00:01:00,000 I can see that CDP is sending updates every 60 seconds
14 00:01:00,000 --> 00:01:03,000 and we have a holdtime of 180 seconds,
15 00:01:03,000 --> 00:01:07,000 so there are 2 things that you need to remember here.
16 00:01:07,000 --> 00:01:10,000 When you start up a device for the first time
17 00:01:10,000 --> 00:01:15,000 it may take 60 seconds before the device appears in the list of neighbors.
18 00:01:15,000 --> 00:01:19,000 So don't make the mistake that others have made
19 00:01:19,000 --> 00:01:22,000 where they enabled an interface on a switch or a router
20 00:01:22,000 --> 00:01:26,000 and then used CDP to check if the neighboring devices are connected,
21 00:01:26,000 --> 00:01:30,000 and they see nothing and assume that there's a problem on the link.
22 00:01:30,000 --> 00:01:35,000 Wait at least 60 seconds for the CDP updates to be sent
23 00:01:35,000 --> 00:01:37,000 before you assume that there's a problem.
24 00:01:37,000 --> 00:01:42,000 It can take 60 seconds for a device to appear in the list
25 00:01:42,000 --> 00:01:45,000 when you use the command sh cdp neighbors.
26 00:01:45,000 --> 00:01:50,000 It can also take 180 seconds for entries to disappear.
27 00:01:50,000 --> 00:01:53,000 So we've disabled CDP on router 3
28 00:01:53,000 --> 00:01:56,000 but it's showing up in the list
29 00:01:56,000 --> 00:02:00,000 because it takes a while for these entries to be removed.
30 00:02:00,000 --> 00:02:05,000 Notice at the moment that the holdtime is 46 seconds,
31 00:02:05,000 --> 00:02:13,000 now 38, now 35, and that's decrementing down from 180.
32 00:02:13,000 --> 00:02:18,000 If we type sh cdp once again, notice the holdtime is 180 seconds.
33 00:02:18,000 --> 00:02:27,000 These other values are being reset constantly through the CDP updates,
34 00:02:27,000 --> 00:02:33,000 but the router 3 entry is decrementing
35 00:02:33,000 --> 00:02:37,000 and will now time out in a few seconds
36 00:02:37,000 --> 00:02:40,000 because of the 180-second timer.
37 00:02:40,000 --> 00:02:45,000 So there's 1 second, there's 0 seconds,
38 00:02:45,000 --> 00:02:52,000 and now, after a while, that entry will be removed from the local switch,
39 00:02:52,000 --> 00:02:57,000 whereas other entries are constantly being reset.
40 00:02:57,000 --> 00:03:03,000 So notice switch 4 was at 139 seconds but is now 175 seconds.
41 00:03:03,000 --> 00:03:07,000 But router 3 has now been removed from the table;
42 00:03:07,000 --> 00:03:11,000 we've shown it previously, but it's now not available in the CDP table.
43 00:03:11,000 --> 00:03:21,000 So the command no cdp run disables CDP globally on a device,
44 00:03:21,000 --> 00:03:24,000 cdp run enables it,
45 00:03:24,000 --> 00:03:26,000 sh cdp neighbors
46 00:03:26,000 --> 00:03:29,000 allows the device to start discovering neighbors,
47 00:03:29,000 --> 00:03:35,000 and notice now we have router 3 back again on switch 2.
48 00:03:35,000 --> 00:03:40,000 On router 3 we might want to keep CDP enabled globally
49 00:03:40,000 --> 00:03:42,000 but then disable it
50 00:03:42,000 --> 00:03:44,000 on the Internet-facing interface.
51 00:03:44,000 --> 00:03:48,000 So now we can type no cdp enable.
52 00:03:48,000 --> 00:03:51,000 Previously, we were seeing the 3750 switch
53 00:03:51,000 --> 00:03:57,000 connected on FastEthernet 0/1, and the switch was using FastEthernet 1/1.
54 00:03:57,000 --> 00:04:02,000 sh cdp neighbor now still shows that entry,
55 00:04:02,000 --> 00:04:07,000 but our router is not advertising itself to that neighbor.
56 00:04:07,000 --> 00:04:13,000 So let's look at details and telnet to the switch.
57 00:04:13,000 --> 00:04:19,000 I'll log in, sh cdp neighbors;
58 00:04:19,000 --> 00:04:24,000 notice it sees various physical Cisco routers
59 00:04:24,000 --> 00:04:27,000 and it also sees router 3,
60 00:04:27,000 --> 00:04:33,000 and what you'll notice here is the holdtime is also decrementing
61 00:04:33,000 --> 00:04:35,000 and will eventually time out
62 00:04:35,000 --> 00:04:42,000 because router 3 is not advertising itself to the Cisco switch.
63 00:04:42,000 --> 00:04:46,000 I'll use Ctrl+Shift+6, X to jump back to router 3,
64 00:04:46,000 --> 00:04:48,000 sh cdp neighbor.
65 00:04:48,000 --> 00:04:55,000 Notice the core 3750 timeout is also decrementing.
66 00:04:55,000 --> 00:04:59,000 So eventually, I won't bore you by making you wait
67 00:04:59,000 --> 00:05:01,000 this amount of time, I'll speed up the video,
68 00:05:01,000 --> 00:05:05,000 but eventually those 2 entries will disappear.
69 00:05:05,000 --> 00:05:10,000 In other words, router 3 will no longer see the Cisco switch
70 00:05:10,000 --> 00:05:17,000 and the Cisco switch will no longer see router 3 in the list.
71 00:05:17,000 --> 00:05:20,000 So sh cdp neighbors,
72 00:05:20,000 --> 00:05:22,000 notice we have 5 seconds now
73 00:05:22,000 --> 00:05:26,000 on router 3 as shown on the Cisco switch,
74 00:05:26,000 --> 00:05:34,000 now it's at 0 seconds, and now router 3 is no longer shown
75 00:05:34,000 --> 00:05:37,000 in the list of available devices on the 3750.
76 00:05:37,000 --> 00:05:41,000 I'll jump back to router 3, sh cdp neighbors.
77 00:05:41,000 --> 00:05:44,000 Notice router 3 sees switch 2
78 00:05:44,000 --> 00:05:53,000 but no longer sees the Cisco 3750 switch on F0/1,
79 00:05:53,000 --> 00:05:58,000 and once again that's because I disabled CDP on that interface,
80 00:05:58,000 --> 00:06:03,000 so I'll enable it again by typing cdp enable.
81 00:06:03,000 --> 00:06:09,000 I have to do that on the interface, so cdp enable,
82 00:06:09,000 --> 00:06:15,000 sh cdp neighbor; I've just enabled CDP.
83 00:06:15,000 --> 00:06:24,000 I'm starting to see other devices; I can now see the 3750 switch on F0/1.
84 00:06:24,000 --> 00:06:26,000 Now the router is seeing itself,
85 00:06:26,000 --> 00:06:32,000 and that's because of other switches in the topology that are non-Cisco switches
86 00:06:32,000 --> 00:06:35,000 which are allowing CDP through.
87 00:06:35,000 --> 00:06:39,000 So CDP is a Cisco proprietary protocol
88 00:06:39,000 --> 00:06:44,000 and may be forwarded through other devices, and hence the router can see itself.
89 00:06:44,000 --> 00:06:49,000 So what about non-Cisco devices? Let's now discuss LLDP.