One of the things you have to really watch out for in life (and the CCENT exam) is ensuring that you are not sending CDP information to devices that you do not trust. The last thing you want to do is advertise to potential attackers on your network exactly which Cisco devices you are running and which Layer 3 addresses they hold.

Turning off CDP in certain areas of your network is referred to as trimming CDP. Understand that whenever we eliminate a security exposure in our management protocols, we typically reduce our ability to manage the network. For example, trimming CDP for security reasons might impact your ability to manage the network with CiscoWorks. Fortunately, there tend to be workarounds available, especially with Cisco-generated network management applications.

The first (and most common) form of trimming CDP involves turning the protocol off for a particular interface. Perhaps you have an interface that faces the public Internet on a border router in your network. This interface is a prime candidate for having CDP turned off. In the exam environment, how to do this is going to require some memorization, unless you get lucky and have a simulation where you can lean on the use of context-sensitive help. Here is the procedure for turning off CDP on an interface:

RouterA# configure terminal
RouterA(config)# interface serial 0/0
RouterA(config-if)# no cdp enable

You are going to need to distinguish this from the command that turns off CDP globally on the entire device, which of course disables CDP on all of its interfaces. That procedure is as follows:

RouterA# configure terminal
RouterA(config)# no cdp run
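
The two procedures above differ only in scope, which is easy to get wrong when auditing a real configuration: `no cdp run` at the global level silences CDP everywhere, while `no cdp enable` under an interface silences it on that interface only. The following Python script is an added example (not part of the original post) that reads a running-config excerpt, works out the effective CDP state of each interface under those two rules, and prints the same per-interface commands the post shows for any untrusted interface that is still advertising. The configuration text and the interface names in it are constructed for the example, not taken from a real device.

```python
# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
hostname RouterA
!
interface Serial0/0
 description Link to ISP (untrusted)
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
!
interface Serial0/1
 description Link to partner network (untrusted)
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/0
 description Internal LAN
 ip address 192.0.2.1 255.255.255.0
!
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stripped sub-commands]} from IOS-style config text.

    An 'interface ...' line opens a section; indented lines belong to it; any
    non-indented line (including '!') closes it.
    """
    sections = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
    return sections


def cdp_state(config_text):
    """Effective CDP state per interface: True if CDP is still advertising there.

    IOS runs CDP by default. A global 'no cdp run' disables it on every
    interface; 'no cdp enable' inside an interface section disables it only there.
    """
    top_level = [ln.strip() for ln in config_text.splitlines() if not ln.startswith(" ")]
    global_on = "no cdp run" not in top_level
    return {
        name: global_on and "no cdp enable" not in lines
        for name, lines in parse_interfaces(config_text).items()
    }


def trim_commands(config_text, untrusted_interfaces):
    """Per-interface trimming commands (as shown in the post) for the untrusted
    interfaces that still run CDP. Returns [] when nothing needs changing."""
    state = cdp_state(config_text)
    body = []
    for name in untrusted_interfaces:
        if state.get(name, False):
            body += [f"interface {name}", " no cdp enable"]
    if not body:
        return []
    return ["configure terminal"] + body + ["end"]


if __name__ == "__main__":
    for name, on in cdp_state(SAMPLE_CONFIG).items():
        print(f"{name:22} CDP {'on' if on else 'off'}")
    # Serial0/0 is already trimmed, so only Serial0/1 should produce commands.
    print("\n".join(trim_commands(SAMPLE_CONFIG, ["Serial0/0", "Serial0/1"])))
```

Running it shows Serial0/0 already trimmed and emits `interface Serial0/1` / `no cdp enable` for the partner link; if you append a global `no cdp run` to the text, every interface reports CDP off and no per-interface commands are produced, which is exactly the distinction the exam wants you to memorize.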

I am sure some of our faithful readers out there have an easy way to memorize which command is needed when…be sure to comment if you do! I remember this just by thinking the whole router will no longer RUN CDP with the second command.


4 Responses to “CCENT: Trimming Cisco Discovery Protocol (CDP)”

  1. Ben says:

    … turning off CDP is a poor trade – you gain very little in security and lose a lot in management / troubleshooting. If someone has access to the link to sniff CDP, they can also see all the other traffic that will expose addressing. As for router/switch version info, well if you’re running an IOS release with a known vulnerability then it’s probably best to update. Any attacker will likely try them all anyhow. Turning off CDP is merely security-by-obscurity…

    Disabling CDP is far more useful in situations where it simply gets in the way (e.g. QinQ).

  2. Thanks for the comment Ben!

    Cisco’s latest AutoSecure feature disables CDP globally on the device. The reason Cisco states this is done is to prevent Denial of Service attacks using CDP against the device. Perhaps this is truly the best real-world reason to disable it.

    Thanks again for the comment and reading our blog.

  3. Hi –

    I’d usually turn off CDP at points where my network interconnects with other people’s networks (e.g. a service provider) and maybe on LAN interfaces. I’d leave it on core links and uplinks for the reasons that Ben mentions.

    Turning CDP off isn’t just “security by obscurity” really. CDP is a layer-2 control-plane protocol, and as such, exposes the control plane of the device to messages from the network. If a weakness were found in CDP that could be exploited, then having it turned off is a good measure: the switch or router’s CPU wouldn’t even see the CDP packets because the port ASICs aren’t programmed to forward the packet to the control plane.

    (In much the same way, if I had a LAN switch interconnecting with another company’s LAN switch, I would make certain that spanning-tree were turned off – not to hide my topology particularly, but to prevent them messing with my loop prevention protocol)

    That said, CDP is a link-local protocol I believe, so any attacker would have to be directly connected (or via an L2 protocol tunnel port) I guess. So I suppose the risk is fairly small!


  4. Jose Urena says:

    I have a Cisco Catalyst 3750 and I have some Cisco Aironet 1200 access points connected to it, but for some reason it is not showing me the devices with the CDP command.

    I have other switches connected on the Gigabit ports and some Cisco IP Phones, and I am able to see them.

    I went to the Aironet config and I can see the switch with the CDP command (CDP is enabled).

    Why can't I see the Aironets from my switch then?

