3.4.1 Configure LLDP

Information

LLDP is a discovery protocol that advertises information about a device's identity, capabilities and the current status of its interfaces. LLDP devices exchange this information only with other LLDP devices, and only across directly attached links. You can use LLDP to discover and view information about the many devices that are directly attached to the switch.

In many situations LLDP is required for normal operation (for instance for auto-provisioning, or for the network configuration of VoIP handsets or wireless access points).

LLDP advertises potentially sensitive information, including the current NX-OS version. For this reason it is recommended that LLDP be disabled, or restricted to receive-only, on any link to equipment not owned by your organization.

In more sensitive environments, in particular carrier or cloud service environments (where the majority of the endpoints are customer-controlled hosts), it is recommended to disable LLDP entirely.

Rationale:

To permit the discovery of non-Cisco devices, the switch also supports the Link Layer Discovery Protocol (LLDP), a vendor-neutral device discovery protocol defined in the IEEE 802.1AB standard. LLDP allows network devices to advertise information about themselves to other devices on the network. Because the protocol runs directly over the data-link layer, two systems running different network-layer protocols can still learn about each other.

LLDP advertises potentially sensitive information, including the current NX-OS version and the IP addresses exposed on the link. A malicious actor can use this information to identify which vulnerabilities exist on the device, and from there which exploits are most likely to compromise it. For this reason, enabling LLDP is generally not recommended except where it is required for operation (such as phone or access point provisioning) or for troubleshooting and network discovery. In particular, any port connected to service provider gear, or to any other system not owned by your organization, should have LLDP explicitly disabled.

In more sensitive environments, disable LLDP globally.

Solution

To enable LLDP (enabling the feature turns LLDP on for all interfaces):

switch(config)# feature lldp

To disable LLDP globally:

switch(config)# no feature lldp

To disable LLDP on a specific interface. Note that transmit and receive are controlled independently: while in many cases LLDP is not required at all, often only LLDP receive is needed for correct operation. Disabling transmit alone stops the switch from advertising its own details while it can still learn about its neighbor:

switch(config)# interface Ethernet x/y
switch(config-if)# no lldp transmit
switch(config-if)# no lldp receive
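The following is an added audit example, not part of the CIS benchmark or the Tenable plugin: a Python script that parses a constructed NX-OS `show running-config` excerpt and reports interfaces whose LLDP posture does not match this control. It reproduces the per-interface defaults described above (once `feature lldp` is on, every interface transmits and receives unless a `no lldp transmit` or `no lldp receive` line overrides it), flags external-facing ports that still transmit, and emits the remediation commands. The interface-description keyword list used to decide which links face third-party equipment is an assumption for illustration only; in practice drive that decision from your inventory.

```python
"""Added example: audit an NX-OS running-config for the LLDP posture above.

Illustrative code, not part of the CIS benchmark or the Tenable plugin.
"""
import re
from typing import Dict, List, Tuple

# Constructed `show running-config` excerpt (not captured from a real device).
# Ethernet1/1 is correctly locked down, Ethernet1/2 has the wrong direction
# disabled (it still advertises toward the customer), and the two internal
# ports rely on the default of transmit + receive.
SAMPLE_CONFIG = """\
feature lldp

interface Ethernet1/1
  description Uplink to ISP-A (provider equipment)
  no lldp transmit
  no lldp receive

interface Ethernet1/2
  description Customer handoff
  no lldp receive

interface Ethernet1/3
  description Access: VoIP phones

interface Ethernet1/4
  description Trunk to core-sw2
"""

# Assumption for illustration: descriptions mentioning a third party mark links
# to equipment the organization does not own. Use a real inventory in practice.
EXTERNAL_HINTS = ("isp", "provider", "carrier", "customer")


def parse_lldp_state(config: str) -> Tuple[bool, Dict[str, Dict[str, object]]]:
    """Return (feature_enabled, {interface: {description, transmit, receive}}).

    NX-OS only shows `no lldp transmit` / `no lldp receive` under an interface
    when the default (both on) has been overridden, so each interface starts
    from the global feature state and those lines clear the matching flag.
    """
    feature_enabled = re.search(r"^feature lldp\s*$", config, re.M) is not None
    interfaces: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # end of the interface stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {
                "description": "",
                "transmit": feature_enabled,
                "receive": feature_enabled,
            }
        elif current is None:
            continue                            # global line, not LLDP-related
        elif line.startswith("description "):
            interfaces[current]["description"] = line[len("description "):]
        elif line == "no lldp transmit":
            interfaces[current]["transmit"] = False
        elif line == "no lldp receive":
            interfaces[current]["receive"] = False
    return feature_enabled, interfaces


def is_external(description: str) -> bool:
    """Heuristic (assumption): does this port face equipment we do not own?"""
    lowered = description.lower()
    return any(hint in lowered for hint in EXTERNAL_HINTS)


def audit(config: str, strict: bool = False) -> List[str]:
    """List findings; strict=True applies the sensitive-environment profile,
    in which the feature itself must be disabled."""
    enabled, interfaces = parse_lldp_state(config)
    findings: List[str] = []
    if not enabled:
        return findings                         # nothing is advertised anywhere
    if strict:
        findings.append("global: LLDP feature enabled; strict profile requires 'no feature lldp'")
    for name, state in interfaces.items():
        if is_external(str(state["description"])) and state["transmit"]:
            findings.append(
                f"{name}: advertises LLDP toward '{state['description']}'; "
                "add 'no lldp transmit' (receive-only is acceptable)"
            )
    return findings


def remediation(config: str) -> List[str]:
    """NX-OS configuration lines that resolve the non-strict findings."""
    _, interfaces = parse_lldp_state(config)
    lines: List[str] = []
    for name, state in interfaces.items():
        if is_external(str(state["description"])) and state["transmit"]:
            lines += [f"interface {name}", "  no lldp transmit"]
    return lines


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

On the device itself, confirm the result with `show feature | include lldp` (feature state) and `show lldp neighbors` (which neighbors are still being learned after transmit is disabled). Note that the script deliberately treats `no lldp receive` on its own as non-compliant for an external port: it is the transmit side that leaks the NX-OS version and addresses, so disabling only receive leaves the exposure this control is about.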

Default Value:

LLDP is not enabled by default. Once the LLDP feature is enabled, both transmit and receive are enabled on all interfaces by default.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CA-9, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SI-4, 800-53|SI-4(4), CSCv7|11

Plugin: Cisco

Control ID: 74052de4b1d080c40d26dec9faf66f9c6fc7cc884462979b28fa4edd6bf1c292