
Recipe 2.5 Disabling the Cisco Discovery Protocol

2.5.1 Problem

You don't want to allow adjacent devices to gain information about this router for security reasons.

2.5.2 Solution

You can disable CDP on a single interface using the no cdp enable interface configuration command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#cdp run
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no cdp enable
Router1(config-if)#end
Router1#

You can disable all CDP on the router with the no cdp run global configuration command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#no cdp run
Router1(config)#end
Router1#

2.5.3 Discussion

CDP can be an extremely useful feature because it tells you so much about your neighboring devices. However, the same property is a serious security problem. CDP advertisements are sent in the clear, as unauthenticated link-local multicast frames, so anyone who captures them on a segment learns each advertising device's hostname, platform (model), IOS version string, the interface it sent from, and its IP addresses. If the attacker can also get access to the router, via Telnet or SNMP, the CDP neighbor table (show cdp neighbors detail, or the cache table of CISCO-CDP-MIB over SNMP) gives the same fields for every neighbor, and walking from neighbor to neighbor reveals the entire Layer 2 and Layer 3 topology of your network, including IOS levels, router and switch models, and IP addressing. Armed with this inventory and a Cisco bug list, an attacker can pick exploits that match the exact software running on each device.
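To make that disclosure concrete, here is an added example (not code from this book or from Cisco) that decodes the fields an eavesdropper would pull from a captured CDP advertisement. It builds a constructed CDP payload, with a hypothetical hostname, model, version string and address, and parses the standard TLVs (Device ID, Addresses, Port ID, Capabilities, Software Version, Platform). A real capture would start at the same point, just after the SNAP header of the frame sent to 01:00:0c:cc:cc:cc.

```python
import ipaddress
import struct

# CDP TLV type codes. The CDP payload follows the SNAP header (OUI 00:00:0c,
# protocol ID 0x2000) of a frame addressed to multicast MAC 01:00:0c:cc:cc:cc.
TLV_DEVICE_ID = 0x0001
TLV_ADDRESSES = 0x0002
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_SOFTWARE_VERSION = 0x0005
TLV_PLATFORM = 0x0006

# Capability bits carried in the 4-byte Capabilities TLV.
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the length field counts the 4-byte header as well."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_payload(device_id, port_id, version, platform, ipv4_addrs, caps=0x01):
    """Build a CDP version-2 payload (TTL 180) for demonstration only.
    The checksum is left at zero; parse_cdp_payload() does not verify it."""
    addr_value = struct.pack("!I", len(ipv4_addrs))
    for addr in ipv4_addrs:
        # protocol type 1 (NLPID), protocol length 1, protocol 0xCC (IP), address length 4
        addr_value += struct.pack("!BBBH", 1, 1, 0xCC, 4) + ipaddress.IPv4Address(addr).packed
    body = (_tlv(TLV_DEVICE_ID, device_id.encode())
            + _tlv(TLV_ADDRESSES, addr_value)
            + _tlv(TLV_PORT_ID, port_id.encode())
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + _tlv(TLV_SOFTWARE_VERSION, version.encode())
            + _tlv(TLV_PLATFORM, platform.encode()))
    return struct.pack("!BBH", 2, 180, 0) + body


def _parse_addresses(value: bytes) -> list:
    """Decode the Addresses TLV; only NLPID/IP (IPv4) entries are returned."""
    if len(value) < 4:
        raise ValueError("truncated Addresses TLV")
    (count,) = struct.unpack("!I", value[:4])
    addrs, off = [], 4
    for _ in range(count):
        if off + 2 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[off], value[off + 1]
        if off + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[off + 2:off + 2 + plen]
        (alen,) = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])
        raw = value[off + 4 + plen:off + 4 + plen + alen]
        if len(raw) != alen:
            raise ValueError("truncated address")
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(str(ipaddress.IPv4Address(raw)))
        off += 4 + plen + alen
    return addrs


def parse_cdp_payload(data: bytes) -> dict:
    """Extract the reconnaissance-relevant fields from a CDP payload.
    Malformed or truncated input raises ValueError instead of mis-parsing."""
    if len(data) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", data[:4])
    if version not in (1, 2):
        raise ValueError("unknown CDP version %d" % version)
    info = {"cdp_version": version, "ttl": ttl, "addresses": [], "capabilities": []}
    off = 4
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", data[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(data):
            raise ValueError("malformed TLV length %d at offset %d" % (tlv_len, off))
        value = data[off + 4:off + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SOFTWARE_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            (bits,) = struct.unpack("!I", value)
            info["capabilities"] = [n for b, n in sorted(CAPABILITY_BITS.items()) if bits & b]
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        off += tlv_len
    return info


def sample_cdp_payload() -> bytes:
    """Constructed sample advertisement: hostname, model, version string and
    address are hypothetical, not captured from a real device."""
    return build_cdp_payload(device_id="Router1", port_id="FastEthernet0/0",
                             version="Cisco IOS Software, Hypothetical Version 12.2(1)",
                             platform="cisco 2611XM", ipv4_addrs=["192.168.1.1"])


if __name__ == "__main__":
    for key, val in parse_cdp_payload(sample_cdp_payload()).items():
        print("%-17s %s" % (key, val))
```

Every field the parser returns is exactly what show cdp neighbors detail prints on the receiving router, which is why restricting only the wire (per-interface disable) while leaving Telnet or SNMP reachable does not close the leak.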

For this reason, many network engineers disable CDP throughout their networks. If you are disabling it for security reasons, disable it globally with no cdp run rather than on individual interfaces. Disabling CDP on a single interface only stops the router from sending and processing CDP on that segment; neighbors learned on every other interface stay in the CDP table, and that table is still readable with show cdp neighbors detail over Telnet or through CISCO-CDP-MIB over SNMP, so the topology information remains exposed to anyone who can reach the router's management interfaces. The per-interface form is the right tool only for the narrower case of an interface that faces an untrusted segment while CDP is still needed elsewhere. After either change, confirm it: an interface with CDP disabled no longer appears in show cdp interface, and after no cdp run the show cdp command reports that CDP is not enabled. Two caveats before disabling it globally: Cisco IP phones rely on CDP to learn the voice VLAN and to negotiate inline power, and any management tool that maps the network from CDP tables loses that visibility. On platforms that also support LLDP, that protocol advertises comparable details and has to be disabled separately (no lldp run).

To be clear, the risk is a deliberate, focused attack launched either from inside your network or from a directly connected network: CDP frames are link-local and are not routed, so an attacker has to be on a segment shared with your router to capture them. We strongly recommend disabling CDP on any router that connects to external networks, particularly the public Internet. On purely internal networks, remember that you would be protecting yourself against people who are already physically connected to the network in some way, so you must balance the obvious usefulness of CDP against the risk of attack from people who probably have legitimate access. Whether you disable CDP in that situation depends on how much you trust your legitimate users not to launch a deliberate internal attack, and on how tightly Telnet and SNMP access to the routers is restricted, since the CDP table is only as exposed as the management plane that serves it.

2.5.4 See Also

Recipe 2.4

