3.4.2 Configure CDP

Information

The Cisco Discovery Protocol (CDP) is a media-independent and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. You can use CDP to discover and view information about all the Cisco devices that are directly attached to the device.

Each device that you configure for CDP sends periodic advertisements to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain hold-time information, which indicates the length of time that a receiving device should hold CDP information before removing it. You can configure the advertisement or refresh timer and the hold timer.

CDP advertises potentially sensitive information, including the current version of NX-OS. For this reason it is recommended that CDP be disabled on any link that links to equipment not owned by your organization. In more sensitive environments, in particular in carrier or cloud services environments (where the majority of the endpoints are customer controlled hosts), it is recommended to disable CDP entirely

Rationale:

CDP advertises potentially sensitive information, including the current version of NX-OS. This information can be used by a malicious actor to identify which vulnerabilities exist on the device, and from there which exploits might be most effective to compromise it. For this reason, enabling CDP is generally not recommended except for troubleshooting or network discovery purposes. In particular, any ports connected to service provider gear, or any system not owned by your organization should have CDP explicitly disabled.

In more sensitive environments, disable CDP globally.

Solution

Enabling CDP Globally

switch(config)# cdp enable

Enabling on one interface

switch(config)# int Ethernet x/y
switch(config-if)# cdp enable

To disable CDP globally:

switch(config-if)# no cdp enable

To disable CDP on one interface only:

switch(config)# int Ethernet x/y
switch(config-if)# no cdp enable

Default Value:

CDP is enabled by default, and is enabled on all interfaces by default.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11

Plugin: Cisco

Control ID: bfcdedf18e6ed471df4da9fd338aeb21989a37fd7ee4f30d63aaf3812dd361db