Here again with more security considerations for your switched environment. I have started to deep-dive into certain technologies, with the reasons behind why I use them the way I do. CDP (Cisco Discovery Protocol) will be the first of these. You may find this post elsewhere.
This handy feature carries a plethora of information about a device and its directly connected neighbors. Hello-based, running straight over Layer 2 and sent to the Ethernet multicast address 01-00-0C-CC-CC-CC (Cisco switches consume CDP frames rather than forwarding them, so every neighbor listed is directly attached), the protocol advertises information such as hostname, management IP address, local and remote interfaces, IOS version, platform, and VTP domain.
The information is cached in the neighbor table until it is refreshed or flushed. CDP can reveal a lot about your devices. The IOS version is, in my opinion, the biggest exposure, as an attacker can look up known vulnerabilities for that exact release and exploit them. Another post I have written qualifies this point, however: it argues that if an attacker is in a position to use CDP information against your network, you already have a serious problem in other security layers.
By default CDP advertisements are sent every 60 seconds and a neighbor entry is held for 180 seconds (three missed hellos) before it is flushed. Also by default, CDP is enabled globally and on every port. Dangerous!
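To make the exposure concrete, here is an added example (my own code, not from the original post) that assembles a CDPv2 advertisement exactly as it travels on the wire (802.3 header, LLC/SNAP with Cisco OUI 00:00:0C and protocol ID 0x2000, then the CDP header and TLVs) and decodes it the way a passive sniffer on the same segment would. The multicast MAC, SNAP encapsulation, TLV type codes and capability bits are those of the protocol itself; the sender MAC, the function names and all sample values (device ID, address, IOS string, VTP domain) are constructed and mirror the 3640 seen in the show cdp neighbors detail output later in this post.

```python
import struct

# Added example, not code from the original post. It assembles a CDPv2
# advertisement (802.3 + LLC/SNAP + CDP) and decodes it the way a passive
# sniffer on the same segment would. All sample values are constructed.

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # 01-00-0C-CC-CC-CC
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC SNAP, Cisco OUI 00:00:0C, PID 0x2000
SRC_MAC = bytes.fromhex("001122334455")             # constructed sender MAC

TLV_ADDRESS, TLV_CAPABILITIES, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x0002, 0x0004, 0x000A, 0x000B
STRING_TLVS = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "version",
               0x0006: "platform", 0x0009: "vtp_domain"}
# Capability bits, in the order the "show cdp neighbors" legend lists them
CAP_BITS = [(0x01, "Router"), (0x02, "Trans Bridge"), (0x04, "Source Route Bridge"),
            (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def cdp_checksum(data: bytes) -> int:
    """Ones'-complement sum over header + TLVs with the checksum field zeroed. Odd-length
    quirk: the trailing byte is folded in as the LOW byte of the last word (Wireshark's convention)."""
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(kind: int, value: bytes) -> bytes:
    """One TLV: 16-bit type, 16-bit length including this 4-byte header, value."""
    return struct.pack("!HH", kind, 4 + len(value)) + value


def ipv4_address_tlv(ip: str) -> bytes:
    """Address TLV with one entry: count, NLPID 0x01, proto len 1, proto 0xCC (IP), addr len 4, addr."""
    entry = struct.pack("!BBBH", 0x01, 0x01, 0xCC, 4) + bytes(int(o) for o in ip.split("."))
    return tlv(TLV_ADDRESS, struct.pack("!I", 1) + entry)


def build_cdp_frame(device_id, ip, port_id, caps, version, platform, vtp_domain,
                    native_vlan=1, full_duplex=True, holdtime=180) -> bytes:
    """The frame a Cisco device multicasts every 60 s by default (holdtime 180 s)."""
    body = b"".join([
        tlv(0x0001, device_id.encode()), ipv4_address_tlv(ip), tlv(0x0003, port_id.encode()),
        tlv(TLV_CAPABILITIES, struct.pack("!I", caps)), tlv(0x0005, version.encode()),
        tlv(0x0006, platform.encode()), tlv(0x0009, vtp_domain.encode()),
        tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan)),
        tlv(TLV_DUPLEX, b"\x01" if full_duplex else b"\x00"),
    ])
    cksum = cdp_checksum(struct.pack("!BBH", 2, holdtime, 0) + body)
    llc = SNAP_CDP + struct.pack("!BBH", 2, holdtime, cksum) + body   # version 2, TTL, checksum
    return CDP_MULTICAST_MAC + SRC_MAC + struct.pack("!H", len(llc)) + llc  # 802.3 length field


def parse_addresses(val: bytes) -> list:
    """Walk the Address TLV; return dotted quads for IPv4 (NLPID 0xCC) entries."""
    count = struct.unpack("!I", val[:4])[0]
    off, out = 4, []
    for _ in range(count):
        ptype, plen = val[off], val[off + 1]
        proto = val[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", val[off + 2 + plen:off + 4 + plen])[0]
        addr = val[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            out.append(".".join(str(b) for b in addr))
        off += 4 + plen + alen
    return out


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode a CDP frame into the fields anyone on the segment can read; reject bad frames."""
    if frame[:6] != CDP_MULTICAST_MAC or frame[14:22] != SNAP_CDP:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    cdp = frame[22:14 + length]
    version, holdtime, cksum = struct.unpack("!BBH", cdp[:4])
    if cdp_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != cksum:
        raise ValueError("CDP checksum mismatch")
    info = {"cdp_version": version, "holdtime": holdtime, "source_mac": frame[6:12].hex(":")}
    off = 4
    while off + 4 <= len(cdp):
        kind, tlen = struct.unpack("!HH", cdp[off:off + 4])
        if tlen < 4 or off + tlen > len(cdp):
            raise ValueError("malformed TLV length")      # never over-read on a crafted length
        val = cdp[off + 4:off + tlen]
        if kind in STRING_TLVS:
            info[STRING_TLVS[kind]] = val.decode("ascii", errors="replace")
        elif kind == TLV_CAPABILITIES:
            bits = struct.unpack("!I", val)[0]
            info["capabilities"] = [name for bit, name in CAP_BITS if bits & bit]
        elif kind == TLV_ADDRESS:
            info["addresses"] = parse_addresses(val)
        elif kind == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", val)[0]
        elif kind == TLV_DUPLEX:
            info["duplex"] = "full" if val == b"\x01" else "half"
        off += tlen
    return info


def demo() -> dict:
    """Constructed advertisement mirroring the post's 3640, built and decoded back."""
    ios = "Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)"
    frame = build_cdp_frame("3640", "10.2.2.3", "FastEthernet0/0", 0x01 | 0x08 | 0x20,  # Router|Switch|IGMP
                            ios, "Cisco 3640", "pandom.ciscoinferno.net")
    return parse_cdp_frame(frame)
```

Running demo() prints nothing; it returns a dict with the device ID, management IP, port ID, capability list, full IOS version string, platform, VTP domain, native VLAN and duplex. That is the whole neighbor-table entry, recovered from a single multicast frame with no authentication of any kind, which is why an access port that does not need CDP should not be sending it.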
The following commands disable CDP globally and on a per-interface basis. I recommend disabling it on all interfaces except trunks and ports facing APs, VoIP phones, and WLCs. Note that no cdp run switches CDP off for the whole device, and a per-interface cdp enable has no effect while it is off globally; if you still need CDP for phones and APs, leave it running globally and apply no cdp enable to the user-facing access ports instead.
2960(config)# no cdp run
2960(config-if)# no cdp enable
Below are the show options for CDP. Handy as all get out! One gives a basic summary, the other the full detail. Have a look at the difference.
2960#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
lab-7206         Eth 0             157          R        7206VXR   Fas 0/0/0
lab-as5300-1     Eth 0             163          R        AS5300    Fas 0

3640#show cdp neighbors detail
-------------------------
Device ID: 3640
Entry address(es):
  IP address: 10.2.2.3
Platform: Cisco 3640,  Capabilities: Router Switch IGMP
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec

Version :
Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: pandom.ciscoinferno.net
Duplex: full
As you can see, there is a massive amount of information here regarding the IOS version, switch platform, and network topology, and the detail output shows it at the exact release level an attacker would need. Use wisely!