The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221017 | CISC-RT-000370 | SV-221017r856412_rule | CCI-002403 | low |
| Description | ||||
| CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. | ||||
| STIG | Date | |||
| Cisco IOS XE Switch RTR Security Technical Implementation Guide | 2025-05-20 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-7(11)
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002403
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-221017r856412_chk)
Step 1: Verify if CDP is enabled globally as shown below:
cdp run
By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2.
Step 2: Verify CDP is not enabled on any external interface as shown in the example below:
interface GigabitEthernet2
ip address z.1.24.4 255.255.255.252
…
…
…
cdp enable
If CDP is enabled on any external interface, this is a finding.
Fix Text (F-22721r408846_fix)
Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.