Layer 2 Discovery Protocols
From a very practical perspective, the layer 2 discovery protocols have been invaluable to me as a network engineer. Depending on what kind of position you have and where you work, you will often come into a situation where you don’t know what the topology is or how it’s connected at all. You may have some basic information, but you may not have a detailed and up-to-date network diagram showing how the network is connected. Usually this means you’ll need to do some investigative work to work out the topology.
Cisco Discovery Protocol
This is where the layer 2 discovery protocols really come in: when these protocols are running, they give you a lot of information about your directly connected devices. So let’s first jump into CDP. This is the Cisco Discovery Protocol. It is a proprietary discovery protocol by Cisco. Like many of the proprietary protocols, CDP was implemented by Cisco prior to the release of the similar industry standard protocol, LLDP. Cisco, being the innovative company that they are, thought it would be a really great idea to be able to identify other directly connected Cisco devices. CDP exchanges a lot of information: it allows us to see what kind of device is connected, what software it’s running, what interface it’s connected on, what the management IP address is, and a whole lot more.

Another vendor, HP, did support CDP for a little while, though not anymore. CDP advertisements are sent to the layer 2 multicast destination address 01:00:0C:CC:CC:CC. Although the frame is a layer 2 multicast, it is only intended to reach the one directly connected device; if you’re running a hub, however, you may see multiple CDP neighbors. The default advertising interval is 60 seconds, with a default hold time of three times that, 180 seconds. So what does that mean? Say you have 2 switches that are connected: as soon as the interfaces come up, they send a CDP frame to each other so that they discover each other. Neither will send another CDP frame for another 60 seconds.

Let’s say one of the switches crashes in such a way that the physical interface is still up, and it may even still be forwarding traffic, but CPU tasks like generating CDP frames or participating in Spanning Tree Protocol aren’t working. After 180 seconds in which the connected switch has not received a CDP frame, the neighbor will be removed from the neighbors list.
The actual information that is shared over CDP does vary by the device and OS version. As time has gone on, Cisco has updated CDP and allowed it to include more information. A lot of that ability to include more information comes from its TLV format.

A CDP advertisement consists of the CDP header followed by a series of TLV (Type Length Value) fields. The Type field is a 2 byte field which describes the type of information in the Value field. The Length field is also 2 bytes, and describes the length of the data in the Value field. The Value field contains the actual data of the TLV. This could be the management address of the device, the hostname, or any other information included in the CDP advertisement. Cisco can add as many of these TLVs as it sees fit, which makes the format very extensible. Because of that, as software revisions have gone on, Cisco has added and removed some information here and there and has been able to really customize the advertisement.
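The TLV walk described above, as an added Python example (not code from the original article or from Cisco). The 4-byte header layout (version, hold time, checksum), the type codes in the table, and the sample advertisement are assumptions constructed for illustration; note that in frames captured on the wire the Length field counts the four Type and Length bytes as well as the Value, which is why the parser rejects any length under 4.

```python
import struct

# TLV type codes as commonly documented for CDP (subset, assumed here).
CDP_TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
                 0x0005: "software_version", 0x0006: "platform"}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    # On the wire the Length field counts the 4-byte Type/Length header too.
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (header + TLVs); raise ValueError on bad lengths."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the CDP header")
    version, holdtime, _checksum = struct.unpack_from("!BBH", payload, 0)
    result = {"version": version, "holdtime": holdtime, "tlvs": {}}
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, length = struct.unpack_from("!HH", payload, offset)
        # A length under 4 would never advance the offset; a length past the
        # end of the buffer would claim data that was never received.
        if length < 4 or offset + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {offset}")
        value = payload[offset + 4:offset + length]
        # Unknown types are kept, not dropped: the format is extensible.
        name = CDP_TLV_NAMES.get(tlv_type, f"unknown_0x{tlv_type:04x}")
        result["tlvs"][name] = value
        offset += length
    return result


# Constructed sample advertisement (checksum left at 0 and not verified here).
SAMPLE = (struct.pack("!BBH", 2, 180, 0)
          + build_tlv(0x0001, b"SW1.example.net")
          + build_tlv(0x0003, b"GigabitEthernet0/1")
          + build_tlv(0x0006, b"cisco WS-C2960")
          + build_tlv(0x00FE, b"\x01\x02"))  # made-up type, kept as unknown

if __name__ == "__main__":
    parsed = parse_cdp(SAMPLE)
    print(parsed["holdtime"], parsed["tlvs"])
```
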

CDP must be enabled globally, and can be enabled or disabled on a per-interface basis. CDP is enabled with the cdp run command. Similarly, it can be disabled with no cdp run. This is done in global configuration mode for the global enable or disable. The same commands are used in interface configuration mode to enable or disable CDP on a per-interface basis.
Link Layer Discovery Protocol
LLDP is the industry standard, IEEE, response to CDP. It does a whole lot of the same stuff, and it operates in very much the same manner. It’s defined in the IEEE 802.1AB standard. The timers are a little different: LLDP has a default advertising interval of 30 seconds and a default hold time of four times that, 120 seconds.

LLDP is formatted very similarly to CDP, using TLVs to describe the advertised data. Only the Chassis ID and Port ID have their own dedicated fields. Let’s take a look at the output of show lldp neighbor and show lldp entry.

The output of show lldp neighbor is very similar to the output of the show cdp neighbor command. Being that these protocols perform very similar functions, this is not unexpected. Similarly the show lldp entry command has a very similarly formatted output.

Being that LLDP is an industry standard protocol, the exact output can vary pretty significantly from vendor to vendor. Additionally the information that each vendor chooses to advertise and expose via LLDP can vary significantly. However, it can still be a lifesaver when performing discovery on a network, to be able to map out the topology without having to physically trace cables. Finally, let’s take a look at a packet capture of an LLDP frame, showing the TLVs contained.
