Cisco Discovery Protocol. Many of us out here have a love/hate relationship with it. I, for one, like it, and I fear I could be in the minority. Security, overhead and multi-vendor environments are generally cited as the biggest downsides to CDP. I can agree with the third point, but I can defend the first and second.

Allow me to paint the picture which inspired these words. A standard afternoon in Melbourne, Australia: four-seasons-in-one-day weather, sunny and twenty-six degrees one minute, sub-ten degrees and raining the next. The office was full of discussion regarding best practice and security. Mainly observing how these creatures were interacting for control of the meeting, I chimed in with a statement when LAN security came up: “You will be enabling CDP across your switches?” The comment was chuckled at in unison, with some raised eyebrows. “Of course not” was the reply. The following points are those I defended my argument with and, in my belief, the reasons I like this protocol.

Per-Interface/Chassis enablement
By default, most people leave CDP running. CDP contains juicy information regarding hostname, management IP, local and remote interfaces, IOS version, platform and VTP domain. Rather informative for a ne’er-do-well attempting to get in.

Well, it is possible to control this information. There are two ways to do it.

switch(config)# no cdp run

This global command stops the switch from generating CDP at all. Unless the device has every interface facing the internet, there is no real need to disable it across the entire platform. Instead, you can disable CDP being sent from the switch at the per-interface level.

switch(config)# int gi0/10
switch(config-if)# no cdp enable

This is where my argument for CDP begins. This deployment was an enterprise refresh and included many points of entry. Being in higher education, I have found kids like to practise what is preached in class. With that I proposed the first of a few suggestions. By disabling CDP packets on these interfaces, the attached devices cannot sniff/read them.

Disabled on

  • WAN Interfaces
  • Desktop Access Ports
  • Internet facing interfaces

Enabled on

  • Interconnects
  • Lightweight APs
  • IP Phones
  • WLC
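
The per-interface split above is easy to state and easy to drift from over a few years of moves, adds and changes, so here is an added example (not code from the original post) that audits a saved Cisco IOS running-config against it. Port roles are inferred from description keywords, which is an assumption made for the example (a real site would use its own port inventory or naming convention), and the sample config is constructed for the example rather than taken from any real device.

```python
"""Audit a Cisco IOS running-config for where CDP is still advertised.
Policy from the post: CDP off on WAN, internet-facing and desktop access ports;
CDP on for interconnects, lightweight APs, IP phones and the WLC."""
import re

# Roles on which the post wants CDP suppressed / kept.
CDP_DENIED_ROLES = {"wan", "internet", "desktop"}
CDP_ALLOWED_ROLES = {"interconnect", "ap", "phone", "wlc"}

# Keyword patterns used to guess a port's role from its description (assumed for this example).
ROLE_PATTERNS = [
    ("wan", re.compile(r"\bwan\b")),
    ("internet", re.compile(r"\b(internet|isp)\b")),
    ("desktop", re.compile(r"\b(desktop|user|pc)\b")),
    ("interconnect", re.compile(r"\b(uplink|trunk|interconnect|core)\b")),
    ("ap", re.compile(r"\b(ap|lwap|access point)\b")),
    ("phone", re.compile(r"\bphone\b")),
    ("wlc", re.compile(r"\bwlc\b")),
]

def parse_config(text):
    """Return (cdp_running_globally, {interface: {"description": str, "cdp": bool}})."""
    # IOS indents interface sub-commands with one space; anything unindented ends the block.
    cdp_global = True
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None
            if line == "no cdp run":
                cdp_global = False
            match = re.match(r"interface (\S+)", line)
            if match:
                current = match.group(1)
                interfaces[current] = {"description": "", "cdp": True}
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            interfaces[current]["description"] = cmd[len("description "):]
        elif cmd == "no cdp enable":
            interfaces[current]["cdp"] = False
    return cdp_global, interfaces

def infer_role(description):
    """Map an interface description to one of the post's port roles, or 'unknown'."""
    text = description.lower()
    for role, pattern in ROLE_PATTERNS:
        if pattern.search(text):
            return role
    return "unknown"

def audit(text):
    """Return (interface, role, finding) tuples for ports that deviate from the policy."""
    cdp_global, interfaces = parse_config(text)
    findings = []
    for name, info in interfaces.items():
        role = infer_role(info["description"])
        advertises = cdp_global and info["cdp"]  # 'no cdp run' overrides every port
        if role in CDP_DENIED_ROLES and advertises:
            findings.append((name, role, "CDP advertised on untrusted port; add 'no cdp enable'"))
        elif role in CDP_ALLOWED_ROLES and not advertises:
            findings.append((name, role, "CDP suppressed on trusted port; neighbour map is blind here"))
        elif role == "unknown" and advertises:
            findings.append((name, role, "role unknown; confirm CDP should be advertised"))
    return findings

def remediation_commands(text):
    """IOS lines that switch CDP off on the untrusted ports audit() flagged."""
    lines = []
    for name, role, _ in audit(text):
        if role in CDP_DENIED_ROLES:
            lines += [f"interface {name}", " no cdp enable"]
    return lines

# Constructed sample config for this example; not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Uplink to dist-sw1
!
interface GigabitEthernet0/2
 description WAN to ISP router
 no cdp enable
!
interface GigabitEthernet0/10
 description Desktop user port
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/11
 description IP Phone
 no cdp enable
!
interface GigabitEthernet0/12
 description Lightweight AP
"""
```

Feed it the text of `show running-config`. On the sample it flags the desktop port that still advertises CDP and the phone port where someone switched it off, and `remediation_commands` emits the same `no cdp enable` lines shown earlier for the untrusted ports only. Because the global `no cdp run` is honoured, a switch with CDP turned off wholesale is reported as blind on every interconnect, AP and phone port, which is exactly the trade-off of disabling it platform-wide.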

Security Practices
The networks that I have designed haven’t been the biggest or the most complex, but I have emphasised the importance of security at each level. My belief is that if someone is leveraging your CDP data to launch an attack against your systems, you have bigger issues already. How does he have access? Why haven’t the firewall, ACLs, physical cabinet or IPS/IDS caught him? My mindset on security is that there is no “perfect technology”. There isn’t anything like Skynet out there yet. It requires a well-thought-out and defined application of multiple security practices that align to business requirements and form a tiered defence. Sheesh, I sound like a marketing flog.
CDP, which may NOT be the most secure protocol, sits in conjunction with management VLAN ACLs, SSH and switch-based lockdowns such as sticky MAC address/err-disable combinations on the physical interfaces.

By restricting the interfaces CDP is sent from, you in turn reduce the overhead on your links. With 1 Gig standard these days and 10, 40 and 100 Gig Ethernet floating around, if CDP’s bandwidth is a concern then I think you have more important issues to address.

Network Mapping
Whilst I am in my junior years (which I am not afraid to admit), I may still be naive enough to find this tool invaluable. Too many times in my job I walk on site, ask for documentation and am baulked at. “What connects off this core switch?” and the response I get is the audible afternoon crickets. I have sat down, gleaned what information I can from IT staff, used my own knack and managed to find my way around. Handy!
Needless to say, CDP ended up enabled as per my request; it was very hard to break in and reach a situation that allowed CDP information to leak. I had earned a little respect that day, for the junior had argued his case, admitted the flaws, but emphasised that end-to-end security wouldn’t be compromised by CDP alone.

My Opinion
End-to-end security doesn’t hinge on CDP. Breaking down the doors into an enterprise requires either a ram-raid or a multi-tiered assault on security systems. When applied correctly and with a planned-out methodology, CDP can serve to benefit us. In some respects this post starts to address the mindset that, given a bad name, a decent technology can be tarnished and overlooked.
