CISC-RT-000370 - The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Information

CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.

Solution

Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|III, CCI|CCI-002403, Rule-ID|SV-221097r999706_rule, STIG-ID|CISC-RT-000370, STIG-Legacy|SV-111013, STIG-Legacy|V-101909, Vuln-ID|V-221097

Plugin: Cisco

Control ID: b89c42eb25cb9bc1fbc2faecdf4f112705522094f9ab4544635de24727c03518