LLDP, what is it good for?

Unanswered Question
Feb 17th, 2009

Hey all,

In an attempt to make my network as secure as possible, I wanted to disable LLDP. When is it right to disable LLDP and when do you need it? I know it is for interoperability, but currently we have all Cisco switches in our network.

Thanks all!

samjaco Tue, 02/17/2009 - 09:54

You might need LLDP, which is the standardized equivalent of CDP, when you need interoperability between non-Cisco boxes and also when you have IP Phones connected to access switches. Newer IP Phones use LLDP-MED.

andrew.butterworth Tue, 02/17/2009 - 09:55

LLDP, like CDP, is a discovery protocol used by devices to identify themselves. By default Cisco switches & routers send CDP packets out on all interfaces (that are Up) every 60 seconds. The contents of the CDP packet will contain the device type, hostname, interface type/number and IP address, IOS version and, on switches, VTP information. Additionally Cisco IP Phones signal via CDP their PoE power requirements. LLDP is essentially the same but a standardised version. Depending on what IOS version you are running it might be enabled by default or not. It is an incredibly useful feature when troubleshooting.

Security people see the information sent via CDP or LLDP as a security risk as it potentially allows hackers to get vital information about the device to launch an attack.

It is up to you whether you think you should disable it or not (either CDP, LLDP or both). If you have applied other measures to mitigate attacks (VTY/HTTP ACLs, control-plane policing etc.) then I personally don't see it as a big risk and see the troubleshooting ability as a bigger benefit.

If you have IP Phones (Cisco or others) then CDP and/or LLDP might be required to support these.

HTH

Andy
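To make the "what does the frame actually disclose" point concrete, here is an added example (not from this thread or from Cisco) that decodes a constructed LLDPDU of the kind a switch sends every advertisement interval. The TLV values (MAC, port name, system name, description, management IP) are made up; the TLV layout follows the LLDP standard. Run it to see what any device on the same segment can read without authentication, which is the information you are weighing against the troubleshooting benefit.

```python
import struct

def tlv(tlv_type, payload):
    """Build one LLDP TLV: 7-bit type, 9-bit length, then the payload."""
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload

# Constructed sample LLDPDU (Ethernet header omitted). Values are invented.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("001122334455"))        # Chassis ID, subtype 4 = MAC
    + tlv(2, b"\x05" + b"Gi1/0/1")                          # Port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))                        # TTL in seconds
    + tlv(5, b"access-sw-1")                                # System Name (hostname)
    + tlv(6, b"Cisco IOS Software, Version 12.2(sample)")   # System Description (OS version)
    + tlv(8, b"\x05\x01" + bytes([10, 0, 0, 2])             # Mgmt Address: len 5, IPv4, address
           + b"\x02" + struct.pack("!I", 1) + b"\x00")      # ifIndex numbering, ifIndex 1, no OID
    + tlv(0, b"")                                           # End of LLDPDU
)

def parse_lldpdu(data):
    """Walk the TLV chain and collect the fields an eavesdropper would learn."""
    disclosed = {}
    off = 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        body = data[off + 2 : off + 2 + length]
        off += 2 + length
        if tlv_type == 0:                      # End of LLDPDU
            break
        if tlv_type == 1:                      # Chassis ID: MAC subtype shown as hex
            disclosed["chassis_id"] = (body[1:].hex(":") if body[0] == 4
                                       else body[1:].decode(errors="replace"))
        elif tlv_type == 2:                    # Port ID
            disclosed["port_id"] = body[1:].decode(errors="replace")
        elif tlv_type == 3:                    # TTL
            disclosed["ttl"] = struct.unpack("!H", body)[0]
        elif tlv_type == 5:                    # System Name
            disclosed["system_name"] = body.decode(errors="replace")
        elif tlv_type == 6:                    # System Description
            disclosed["system_description"] = body.decode(errors="replace")
        elif tlv_type == 8 and body[0] == 5 and body[1] == 1:   # IPv4 management address
            disclosed["management_ip"] = ".".join(str(b) for b in body[2:6])
    return disclosed

if __name__ == "__main__":
    for key, value in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{key:20} {value}")
```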
