Disabling the Cisco Discovery Protocol

Problem

You don't want to allow adjacent devices to gain information about this router for security reasons.

Solution

You can disable CDP on a single interface by using the command no cdp enable interface configuration command:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#cdp run Router1(config)#interface FastEthernet0/0 Router1(config-if)#no cdp enable Router1(config-if)#end Router1#

And you can disable all CDP on the router with the global configuration command, no cdp run:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#no cdp run Router1(config)#end Router1#

 

Discussion

CDP can be an extremely useful feature because it tells you so much information about all of your neighboring devices. However, this can also represent a serious security problem. CDP packets are not encrypted in any way, so if somebody can just capture the CDP packets from a network segment as they pass between the routers, they can easily deduce a lot about your network architecture. And if they can get access to the router either via Telnet or SNMP, they can use the CDP tables to discover the entire topology of your network at Layer 2 and 3, including all IOS levels, router and switch model types, and IP addressing. If somebody was armed with this information and a Cisco bug list, they could launch a very effective attack against your network.

For this reason, many network engineers choose to disable CDP throughout their networks. In general, if you need to disable CDP for security reasons, you should probably disable it globally on the whole router, rather than on individual interfaces. If you disable CDP on a single interface, you will only prevent people from intercepting the CDP advertisement packets. But the CDP table information is easily accessible through Telnet and SNMP, so valuable topology information is still vulnerable to probing.

We would like to clarify that the security risk is that somebody will launch a deliberate and focused attack against your network either from the inside or from a directly connected network. We strongly recommend disabling CDP on any routers that connect to external networks, particularly the public Internet. However, for purely internal networks, it is important to remember that you would be protecting yourself against people who are already physically connected to the network in some way. At this point, you must balance the obvious usefulness of CDP against the risk of attack from people who probably have legitimate access to the network. Whether you disable CDP or not in this situation depends on how much you can trust your legitimate users not to launch a deliberate internal attack.

See Also

Recipe 2.5

Категории