Cisco Discovery Protocol (CDP) must be disabled on all external facing interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3077 | NET0710 | SV-3077r2_rule | ECSC-1 | Low |
| Description |
|---|
| CDP is primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the CDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices; thereby, enabling the application to send SNMP queries to those devices. CDP is also media- and protocol-independent as it runs over the data link layer; therefore, two systems that support different network-layer protocols can still learn about each other. Allowing CDP messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. |
| STIG | Date |
|---|---|
| Perimeter L3 Switch Security Technical Implementation Guide - Cisco | 2015-04-06 |
Details
| Check Text ( C-3550r4_chk ) |
|---|
| Review all Cisco router configurations to ensure that "no cdp run" is included in the global configuration or "no cdp enable" is included for each active external interface. If CDP is found configured on any external facing interfaces, this is a finding. |
| Fix Text (F-3102r2_fix) |
|---|
| Configure the device so "no cdp run" is included in the global configuration or "no cdp enable" is included for each active external interface. |