The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221097 | CISC-RT-000370 | SV-221097r999706_rule | CCI-002403 | low |
| Description | ||||
| CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. | ||||
| STIG | Date | |||
| Cisco NX OS Switch RTR Security Technical Implementation Guide | 2024-12-20 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-7(11)
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002403
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-221097r999706_chk)
Step 1: Verify CDP is not enabled globally via the command no cdp enable
By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2.
Step 2: Verify CDP is not enabled on any external interface as shown in the example below:
interface Ethernet2/2
description link to DISN
no switchport
no cdp enable
Note: By default CDP is enabled on all interfaces if CDP is enabled globally.
If CDP is enabled on any external interface, this is a finding.
Fix Text (F-22801r409781_fix)
Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command.