Cisco Discovery Protocol. Many of us out here have a love/hate relationship with it. I, for one, like it, though I fear I could be in the minority. Security, overhead, and multi-vendor environments are generally cited as the biggest downsides to CDP. I can agree with the third point, but I can defend the first and second.
Allow me to paint the picture which inspired these words. A standard afternoon in Melbourne, Australia: four-seasons-in-one-day weather, sunny and twenty-six degrees one minute, sub-ten degrees and raining the next. The office room was full of discussions regarding best practice and security. Mainly observing how these creatures were interacting for control of the meeting, I chimed in with a question when LAN security came up: “You will be enabling CDP across your switches?” The comment was chuckled at in unison, with some raised eyebrows. “Of course not” was the reply. The following are the points I defended my argument with and, in my belief, the reasons I like this protocol.
Per-Interface/Chassis enablement
By default, most people leave CDP running. CDP advertisements contain juicy information: hostname, management IP, local and remote interfaces, IOS version, platform and VTP domain. Rather informative for any ne’er-do-well attempting to get in.
Well, it is possible to control where this information goes. There are two ways to do this.
switch(config)# no cdp run
This global command stops the switch generating CDP entirely. Unless the device has all of its interfaces facing the internet, there is no real need to disable it across the entire platform. Instead, you can stop CDP being sent from the switch on a per-interface basis.
switch(config)# int gi0/10
switch(config-if)# no cdp enable
This is where my argument for CDP begins. This deployment was an enterprise refresh and included many points of entry. Being in higher education, I have found kids like to practice what is preached in class. With that, I proposed the first of a few suggestions. By disabling CDP on these interfaces the switch no longer advertises there, so the attached devices cannot sniff or read these packets.
Disabled on
- WAN Interfaces
- Desktop Access Ports
- Internet facing interfaces
- Interconnects
- Lightweight APs
- IP Phones
- WLC
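Keeping the per-interface policy above honest across a whole chassis is easier with a check than by eye. The following is an added example, not code from the original post: a small Python audit that reads an IOS-style running-config, works out whether CDP is still effective on each interface (global "no cdp run" off, or per-interface "no cdp enable"), and lists the interfaces in the roles above that still advertise. The sample config, the hostname, the interface descriptions and the idea of identifying a port's role from its description keyword are all constructed assumptions for this example.

```python
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname core-sw-01
cdp run
!
interface GigabitEthernet0/1
 description Uplink to dist-sw-01
 switchport mode trunk
!
interface GigabitEthernet0/10
 description Desktop access port
 switchport mode access
 switchport access vlan 20
 no cdp enable
!
interface GigabitEthernet0/11
 description Desktop access port
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 description WAN handoff to ISP
 no switchport
 ip address 203.0.113.2 255.255.255.252
!
"""

# Description keywords for the interface roles listed under "Disabled on".
# Matching on descriptions is an assumption of this example; real sites may
# tag interface roles differently.
UNTRUSTED_ROLE_RE = re.compile(
    r"\b(desktop|wan|internet|interconnect|ap|phone|wlc)\b", re.I
)


def parse_config(text):
    """Return (cdp_globally_enabled, {interface_name: [indented config lines]})."""
    # A top-level "no cdp run" switches CDP off for the whole chassis.
    cdp_global = re.search(r"^no cdp run\s*$", text, re.M) is None
    interfaces = {}
    current = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the block
    return cdp_global, interfaces


def cdp_enabled(cdp_global, lines):
    """CDP runs on a port only if it is on globally and not disabled per interface."""
    return cdp_global and "no cdp enable" not in lines


def description(lines):
    for line in lines:
        if line.startswith("description "):
            return line[len("description "):]
    return ""


def audit(text):
    """Interfaces in an untrusted role that still advertise CDP, in config order."""
    cdp_global, interfaces = parse_config(text)
    return [
        name
        for name, lines in interfaces.items()
        if UNTRUSTED_ROLE_RE.search(description(lines))
        and cdp_enabled(cdp_global, lines)
    ]


def remediation(text):
    """The per-interface fix from the post, one stanza per finding."""
    return [f"interface {name}\n no cdp enable" for name in audit(text)]


if __name__ == "__main__":
    for stanza in remediation(SAMPLE_CONFIG):
        print(stanza)
```

Run against the sample, the audit flags GigabitEthernet0/11 (a desktop port without "no cdp enable") and GigabitEthernet0/24 (the WAN handoff), leaves the trunk uplink alone, and emits the exact stanzas to paste back in. If the config carried "no cdp run" globally, every interface would come back clean, which is the point of checking the global and per-interface state together rather than grepping for one command.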
Overhead
By restricting which interfaces CDP is sent from, you in turn reduce the overhead on your links. With 1 Gbps the standard these days and 10, 40 and 100 Gigabit Ethernet floating around, if CDP's bandwidth is a concern then I think you have more important issues to address.