Cisco Support Community

LLDP, what is it good for?

Hey all,

In an attempt to make my network as secure as possible, I wanted to disable LLDP. When is it right to disable LLDP, and when do you need it? I know it is for interoperability, but currently we have all Cisco switches in our network.

Thanks all!


Re: LLDP, what is it good for?

You might need LLDP, which is the standardized equivalent of CDP, when you need interoperability between non-Cisco boxes and also when you have IP phones connected to access switches. Newer IP phones use LLDP-MED.

Re: LLDP, what is it good for?

LLDP, like CDP, is a discovery protocol used by devices to identify themselves. By default Cisco switches & routers send CDP packets out on all interfaces (that are up) every 60 seconds. The contents of the CDP packet will contain the device type, hostname, interface type/number and IP address, IOS version and, on switches, VTP information. Additionally Cisco IP Phones signal via CDP their PoE power requirements. LLDP is essentially the same but a standardised version. Depending on what IOS version you are running it might be enabled by default or not. It is an incredibly useful feature when troubleshooting.

Security people see the information sent via CDP or LLDP as a security risk as it potentially allows hackers to get vital information about the device to launch an attack.

It is up to you whether you think you should disable it or not (either CDP, LLDP or both). If you have applied other measures to mitigate attacks (VTY/HTTP ACLs, control-plane policing etc) then I personally don't see it as a big risk and see the troubleshooting ability as a bigger benefit.

If you have IP Phones (Cisco or others) then CDP and/or LLDP might be required to support these.
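As an added illustration (not posted by anyone in this thread), this is what the middle road described above can look like on a Cisco IOS switch: CDP and LLDP stay on only where phones need them and are switched off on other user ports and on the uplinks between Cisco-only switches. The interface names and the split between phone ports, plain user ports and uplinks are assumptions for the example.

```cisco
! Added example configuration, not from this thread.
! Assumed layout: Gi1/0/1-24 = access ports with IP phones,
! Gi1/0/25-48 = access ports without phones, Te1/0/1-2 = uplinks
! to other Cisco switches.

! Keep both protocols running globally so the phone ports can use them
cdp run
lldp run

! Access ports with no phone behind them: stop advertising (and
! listening) on both protocols so a user-facing port reveals nothing
interface range GigabitEthernet1/0/25 - 48
 no cdp enable
 no lldp transmit
 no lldp receive

! Uplinks between our own Cisco switches: keep CDP for troubleshooting,
! drop LLDP since there is no non-Cisco neighbour to interoperate with
interface range TenGigabitEthernet1/0/1 - 2
 cdp enable
 no lldp transmit
 no lldp receive

! Phone ports: leave CDP and LLDP (LLDP-MED) on so the phones can
! signal PoE requirements and learn the voice VLAN
interface range GigabitEthernet1/0/1 - 24
 cdp enable
 lldp transmit
 lldp receive

! Verification: confirm which ports still send/receive and who is seen
! show cdp interface
! show lldp interface
! show cdp neighbors detail
! show lldp neighbors detail
```

The two neighbour commands are the quickest check that nothing is still being advertised on a port you meant to silence.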


