
cdp neighbor

jsheriony
Level 1

We have 2 physical telco lines connected into the same sw. It should be configured not to allow the traffic from one to another.

However, it seems like it does which shouldn't be the case. Telco vendor confirmed that it is.

Here is what our router shows when we do “show cdp neighbor” on our Cisco router. You can see that it can see the same devices via port 1/44 and 1/14. They should only be able to route via circuit on Gi1/14.

Appreciate any comment or suggestion.

A_End_Router1>sh cdp neighbors gigabitEthernet 1/44
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
B_End_Router1
                    Gig 1/44              163           R S I     2811      Fas 0/1
B_End_Router2
                    Gig 1/44              153           R S I     2811      Fas 0/1
B_End_Router3
                    Gig 1/44              155           R S I     2811      Fas 0/1
B_End_Router4
                    Gig 1/44              173           R S I     2811      Fas 0/1
B_End_Router5
                    Gig 1/44              120           R S I     2811      Fas 0/1
B_End_Router6
                    Gig 1/44              150           R S I     2811      Fas 0/1
B_End_Router7
                    Gig 1/44              156           R S I     2811      Fas 0/1
B_End_Router8
                    Gig 1/44              178           R S I     2811      Fas 0/1
A_End_Router1
                    Gig 1/44              175           R S I     WS-C4948  Gig 1/14

A_End_Router1>sh cdp neighbors gigabitEthernet 1/14
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
B_End_Router1
                    Gig 1/14              145           R S I     2811      Fas 0/1
B_End_Router2
                    Gig 1/14              135           R S I     2811      Fas 0/1
B_End_Router3
                    Gig 1/14              137           R S I     2811      Fas 0/1
B_End_Router4
                    Gig 1/14              154           R S I     2811      Fas 0/1
B_End_Router5
                    Gig 1/14              162           R S I     2811      Fas 0/1
B_End_Router6
                    Gig 1/14              132           R S I     2811      Fas 0/1
B_End_Router7
                    Gig 1/14              138           R S I     2811      Fas 0/1
B_End_Router8
                    Gig 1/14              160           R S I     2811      Fas 0/1
A_End_Router1
                    Gig 1/14              171           R S I     WS-C4948  Gig 1/44

1 Accepted Solution

Collin Clark
VIP Alumni

How are you blocking traffic on the second port? CDP is a layer 2 protocol and a layer 3 ACL will not block the traffic. Are you looking to also block layer 2 protocols?

Thanks Collin.

actually I don't kno

we for i don't have a direct access to the router.

We are 2 telco providers with 2 ckts each. Both interfaces above are connected to telco#1, but different ckt.

The other 2 ports (the same router) that are both connected to the other 2 circuits of telco#2 don't show the same output.

I assumed it was with the telco, but it doesn't look like it.

I am assuming it has something to do with the router setting etc, or anything that we could change from other side which of course would not affect the performance of the Cisco box. We have 6 pipes connected to it overall.

Is the telco saying that traffic is flowing across both or are you just concerned that you see a CDP neighbor across both links?

Basically, just concerned that we see the same neighbor output from both links.

As I stated before, you will see both links because CDP is a layer two protocol and is not being blocked. You can always turn off CDP on devices that connect to carriers, which is a good security practice.

Turn off CDP on the entire device

router(config)# no cdp run

Turn off CDP on a specific interface

router(config)# interface fa0/44

router(config-if)# no cdp enable

Hope that helps

Michel Hegeraat
Level 7

A switch will not use CDP to decide on what port it will send traffic.

It uses the destination MAC address.

If you expect to see traffic on only the "active" port then your idea is wrong.

The normal outgoing traffic will go out of the port Gi1/14.

Any broadcast, multicast or unknown destinations however will go out of both ports.

If the active router sends out multicast or broadcasts it is likely that the other router on port Gi1/44 will see this traffic too.

Cheers,

Michel

Thanks Michel.

In short, you mean to say it is a normal behavior, right?

We actually have another router (for dual) and we don't see the same output. That is why I am wondering if there's anything wrong or missing with our config.

I think if there is something that needs to be fixed, it is not on the switch.

You may have some issue on the routers that send traffic to the telco's.

Cheers,

Michel

jsheriony,

For the other router (for dual), you don't see the same output because the router has CDP disabled.

You can also disable CDP on the switch or per port as stated earlier.

Regards,

Sal

Michel Hegeraat
Level 7

I think normally CDP packets from the routers will be absorbed by the switch.

If they are somehow forwarded to other ports, turning off CDP won't resolve this.

Cheers,

Michel
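
An added example, not part of the original thread and not Cisco tooling: a Python parser for `show cdp neighbors` output in the wrapped format posted above. It reports neighbors learned on more than one local port and entries where the device receives its own advertisement, as A_End_Router1 does on Gig 1/44 and Gig 1/14. The sample text is constructed by abbreviating the posted output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the output format shown in the thread.
SAMPLE = """\
A_End_Router1>sh cdp neighbors gigabitEthernet 1/44
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
B_End_Router1
                    Gig 1/44              163           R S I     2811      Fas 0/1
A_End_Router1
                    Gig 1/44              175           R S I     WS-C4948  Gig 1/14
A_End_Router1>sh cdp neighbors gigabitEthernet 1/14
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
B_End_Router1
                    Gig 1/14              145           R S I     2811      Fas 0/1
A_End_Router1
                    Gig 1/14              171           R S I     WS-C4948  Gig 1/44
"""

PROMPT = re.compile(r"^(\S+?)[>#]")
# Detail line: local interface, holdtime, capability letters, platform, remote port.
DETAIL = re.compile(r"^\s+(\w+ [\d/]+)\s+(\d+)\s+((?:[A-Za-z] )*[A-Za-z])\s+(\S+)\s+(\w+ [\d/]+)\s*$")

def parse_cdp(text):
    """Return (local_hostname, [(device_id, local_if, remote_port), ...])."""
    hostname, pending, rows = None, None, []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            hostname = m.group(1)  # hostname taken from the CLI prompt
            continue
        d = DETAIL.match(line)
        if d and pending:
            rows.append((pending, d.group(1), d.group(5)))
            pending = None
        elif line and not line[0].isspace() and len(line.split()) == 1:
            pending = line.strip()  # wrapped Device ID on its own line
    return hostname, rows

def audit(text):
    """Flag neighbors learned on >1 local port, and the device hearing itself."""
    hostname, rows = parse_cdp(text)
    seen = defaultdict(set)
    for dev, local_if, _ in rows:
        seen[dev].add(local_if)
    multi = {d: sorted(p) for d, p in seen.items() if len(p) > 1}
    # Own hostname as a neighbor: a frame sent on one port came back on another.
    self_heard = sorted((l, r) for d, l, r in rows if d == hostname)
    return multi, self_heard
```

A non-empty `self_heard` list means CDP frames leaving one local port arrive on another, so the two ports share a layer 2 path somewhere beyond the device.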
