Regarding CDP

Hi Everyone,

In my work environment, we are using Cisco 2960 (PoE switch) and CE500 PoE switches. All phones (7940, 7906, 8945) are registered in Call Manager and they got VLAN information from the PoE switch. But I disabled CDP on the switch as per our company policy, and then all video phones (8945) were affected, but the others were not affected.

My company is insisting that I disable CDP on the PoE switch. As per my knowledge, CDP is necessary to give VLAN information to the phones. Is there any other way to make the phones work properly with CDP disabled? Is it possible for all phones to work normally without CDP on the PoE switch?

And also, please suggest why only the video phones were affected in my testing and not the others.


Comments

  • I would suggest discovering the reason/source of the policy. Once you have discovered what risks are being mitigated, then you can present to your management the design of CDP and its intended use.

    And just FYI, you can disable CDP on the PC port of the Cisco phones from the UCM. You can also specify the ports to be trunks, limit the VLANs that are permitted across the trunks, and hand out the appropriate VLAN via DHCP.

    There are a number of security enhancements that can be used to protect the ports (whether they have CDP or not) (note: these are prolly not available on that CE500):

    1) power off ports that are unused
    2) power off ports that are outside of specific time frames
    3) Sticky MAC to only allow X number of MAC addresses
    4) dot1x security on the interface

    These are just SOME examples.

    I would discuss the policy, and find out if an exception can be made in this case.
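The port-hardening items in the comment above, written out as an added Catalyst 2960 IOS configuration example (this is not configuration from the thread or from Cisco documentation). It assumes data VLAN 10, voice VLAN 100, phone ports Gi0/1-24, currently unused ports Gi0/25-48, a parking VLAN 999, and a RADIUS server at the placeholder address 192.0.2.10; item 2 (time-based power scheduling) is not shown because it needs EEM or an external scheduler rather than plain interface commands.

```cisco
! Added example, not from the thread. Assumed: VLAN 10 data, VLAN 100 voice,
! Gi0/1-24 phone ports, Gi0/25-48 unused, RADIUS at 192.0.2.10 (placeholder).
!
! 1) Power off unused ports and park them in an unused VLAN
interface range GigabitEthernet0/25 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 4) 802.1X prerequisites: AAA pointed at RADIUS, dot1x enabled system-wide
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! 3) Sticky MAC: two addresses per port (phone + PC), one of them in the voice VLAN
! 4) dot1x on the interface, MAB as fallback for devices that cannot do dot1x
interface range GigabitEthernet0/1 - 24
 description PHONE+PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Check the result
show port-security interface GigabitEthernet0/1
show authentication sessions
```

`violation restrict` drops frames from extra MAC addresses and raises a syslog/SNMP trap without err-disabling the port, which keeps the phone up while still alerting on a hub or rogue device behind it; `multi-domain` host mode lets the phone authenticate in the voice domain and the PC in the data domain on the same port.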


  • My company is insisting that I disable CDP on the PoE switch

    The key issue with CDP is that it is a great network reconnaissance tool. Clearly it's useful for providing information to IP handsets about the voice VLAN etc. This protocol can be enabled globally on a switch and then disabled on a per-switch-port basis on vulnerable ports. Also, I suppose you could get around this by using LLDP instead :-)
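The two approaches in the comment above (CDP kept only on phone ports, or LLDP-MED in place of CDP) as an added Catalyst 2960 configuration example; it is not configuration from the thread or from Cisco. It assumes data VLAN 10, voice VLAN 100, phone ports Gi0/1-24, other user ports Gi0/25-48 and an uplink on Gi0/49. The two options are alternatives, not meant to be applied together, and whether a given phone model and firmware learns its voice VLAN from LLDP-MED is an assumption to verify on the phones in question.

```cisco
! Added example, not from the thread. Assumed: VLAN 10 data, VLAN 100 voice,
! Gi0/1-24 phone ports, Gi0/25-48 other user ports, Gi0/49 uplink.
!
! Option A: CDP stays on globally but is turned off on every port that has
! no phone, so the switch stops advertising itself where it is not needed.
cdp run
interface range GigabitEthernet0/25 - 48
 no cdp enable
!
interface GigabitEthernet0/49
 description UPLINK
 no cdp enable
!
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 cdp enable
!
! Option B: CDP fully disabled; LLDP-MED advertises the voice VLAN configured
! with "switchport voice vlan" in its network-policy TLV instead.
no cdp run
lldp run
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 lldp transmit
 lldp receive
!
! Verify which discovery protocol the phones are actually seen on
show cdp neighbors detail
show lldp neighbors detail
```

With option A, `show cdp neighbors` on the switch should list only phones; with option B, the phone should appear under `show lldp neighbors detail` and report the voice VLAN in its network policy, which is the quickest way to tell whether a particular handset is LLDP-MED capable before the change is rolled out to all ports.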
