A cool new feature in IOS-XE 3.11S is the ability to filter CDP info. CDP is very handy, but it also exposes too much information, especially between us and a carrier or another enterprise. With Secure CDP we can remove certain information from the CDP packet. Let's take a look at an example.
First, let's take a look at the normal CDP information.
WAN-EDGE-1# sh cdp nei det
-------------------------
Device ID: WAN-EDGE-2.lab.network
Entry address(es):
IP address: 10.10.10.2
Platform: cisco ASR1001, Capabilities: Router IGMP
Interface: GigabitEthernet0/2/3, Port ID (outgoing port): GigabitEthernet0/2/3
Holdtime : 179 sec
Version :
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 19-Nov-13 20:45 by mcpre
advertisement version: 2
Duplex: full
Management address(es):
IP address: 10.10.10.2
-------------------------
Device ID: WAN-EDGE-2.lab.network
Entry address(es):
IP address: 10.10.10.2
Platform: cisco ASR1001, Capabilities: Router IGMP
Interface: GigabitEthernet0/2/2, Port ID (outgoing port): GigabitEthernet0/2/2
Holdtime : 179 sec
Version :
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 19-Nov-13 20:45 by mcpre
advertisement version: 2
Duplex: full
Management address(es):
IP address: 10.10.10.2
Total cdp entries displayed : 2
WAN-EDGE-1#
As we expected, there is a lot of information there. Let's filter out everything except the port information and the duplex info. Note that in the config we enter what we want filtered out, not what we want allowed out.
WAN-EDGE-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WAN-EDGE-1(config)# cdp tlv-list MINIMAL-CDP-INFO
WAN-EDGE-1(config-tlv-list)# address
WAN-EDGE-1(config-tlv-list)# capability
WAN-EDGE-1(config-tlv-list)# version
WAN-EDGE-1(config-tlv-list)# platform
WAN-EDGE-1(config-tlv-list)# vtp-mgmt-domain
WAN-EDGE-1(config-tlv-list)# native-vlan
WAN-EDGE-1(config-tlv-list)# vvid
WAN-EDGE-1(config-tlv-list)# trust
WAN-EDGE-1(config-tlv-list)# cos
WAN-EDGE-1(config-tlv-list)# mgmt-address
WAN-EDGE-1(config-tlv-list)# power-available
WAN-EDGE-1(config-tlv-list)# powernet
WAN-EDGE-1(config-tlv-list)# unidirectional-mode
WAN-EDGE-1(config-tlv-list)# spare-pair-poe
WAN-EDGE-1(config-tlv-list)# hello-protocol
WAN-EDGE-1(config-tlv-list)# ip-prefix
WAN-EDGE-1(config-tlv-list)# exit
Next we apply it to specific interfaces.
WAN-EDGE-1(config)# int range gi0/2/2-3
WAN-EDGE-1(config-if-range)# cdp filter-tlv-list MINIMAL-CDP-INFO
WAN-EDGE-1(config-if-range)# end
Now let's jump onto the other router and see if it's being filtered.
WAN-EDGE-2# sh cdp nei det
-------------------------
Device ID: WAN-EDGE-1.lab.network
Entry address(es):
Interface: GigabitEthernet0/2/2, Port ID (outgoing port): GigabitEthernet0/2/2
Holdtime : 176 sec
advertisement version: 2
Duplex: full
-------------------------
Device ID: WAN-EDGE-1.lab.network
Entry address(es):
Interface: GigabitEthernet0/2/3, Port ID (outgoing port): GigabitEthernet0/2/3
Holdtime : 178 sec
advertisement version: 2
Duplex: full
Excellent, we're only seeing the port and duplex information. You can get more info here.
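Checking the neighbour's `show cdp neighbors detail` is one verification; the other is to look at what actually leaves the carrier-facing interface. Below is an added Python example (my own code, not from the article or from Cisco) that parses the CDP payload from a capture, lists the TLVs present, and reports any TLV that the configured tlv-list should have suppressed. It assumes the public CDP TLV type codes listed in `TLV_NAMES`, leaves out the few tlv-list keywords whose wire TLV I am not certain of, and uses two constructed frames (WAN-EDGE-1 with an assumed address of 10.10.10.1) in place of a real capture.

```python
import struct

# Public CDP TLV type codes (the same numbers Wireshark's CDP dissector uses).
TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0007: "IP Prefix", 0x0009: "VTP Management Domain", 0x000A: "Native VLAN",
    0x000B: "Duplex", 0x000E: "Appliance VLAN-ID", 0x0012: "Trust Bitmap",
    0x0013: "Untrusted Port CoS", 0x0016: "Management Address",
    0x001A: "Power Available",
}

# tlv-list keywords from the article, mapped to the TLV type each one suppresses.
# Keywords whose wire TLV I am not certain of (powernet, unidirectional-mode,
# spare-pair-poe, hello-protocol) are left out on purpose.
FILTER_KEYWORD_TO_TYPE = {
    "address": 0x0002, "capability": 0x0004, "version": 0x0005,
    "platform": 0x0006, "ip-prefix": 0x0007, "vtp-mgmt-domain": 0x0009,
    "native-vlan": 0x000A, "vvid": 0x000E, "trust": 0x0012, "cos": 0x0013,
    "mgmt-address": 0x0016, "power-available": 0x001A,
}

# The tlv-list configured in the article.
MINIMAL_CDP_INFO = [
    "address", "capability", "version", "platform", "vtp-mgmt-domain",
    "native-vlan", "vvid", "trust", "cos", "mgmt-address", "power-available",
    "powernet", "unidirectional-mode", "spare-pair-poe", "hello-protocol",
    "ip-prefix",
]

def parse_cdp(payload: bytes):
    """Return (version, ttl, [(tlv_type, value_bytes), ...]) for the bytes after
    the SNAP header. Raises ValueError on a truncated or malformed TLV so a
    damaged capture is never mistaken for a clean one. Checksum not verified."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    tlvs, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        tlvs.append((tlv_type, payload[off + 4:off + length]))
        off += length
    return version, ttl, tlvs

def is_well_formed(payload: bytes) -> bool:
    try:
        parse_cdp(payload)
        return True
    except ValueError:
        return False

def present_tlvs(payload: bytes):
    """Names of the TLVs carried by the payload, in wire order."""
    return [TLV_NAMES.get(t, f"type 0x{t:04x}") for t, _ in parse_cdp(payload)[2]]

def leaked_tlvs(payload: bytes, filter_keywords):
    """TLVs still on the wire that the given tlv-list should have removed."""
    suppressed = {FILTER_KEYWORD_TO_TYPE[k] for k in filter_keywords
                  if k in FILTER_KEYWORD_TO_TYPE}
    return sorted(TLV_NAMES[t] for t, _ in parse_cdp(payload)[2] if t in suppressed)

# Encoders for the constructed demo frames (not a full CDP implementation).
def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def _ipv4_address_tlv(tlv_type: int, dotted: str) -> bytes:
    # Addresses / Management Address body: entry count, then per entry
    # proto type 1 (NLPID), proto length 1, proto 0xCC (IP), addr length 4, addr.
    addr = bytes(int(o) for o in dotted.split("."))
    return _tlv(tlv_type, struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4) + addr)

def _build_cdp(tlvs: bytes, ttl: int = 180) -> bytes:
    return struct.pack("!BBH", 2, ttl, 0) + tlvs  # CDPv2; checksum left 0 for the demo

# Constructed: what WAN-EDGE-1 would send before the filter (10.10.10.1 assumed).
UNFILTERED_FRAME = _build_cdp(
    _tlv(0x0001, b"WAN-EDGE-1.lab.network")
    + _ipv4_address_tlv(0x0002, "10.10.10.1")
    + _tlv(0x0003, b"GigabitEthernet0/2/2")
    + _tlv(0x0004, struct.pack("!I", 0x01 | 0x20))  # capabilities: Router + IGMP
    + _tlv(0x0005, b"Cisco IOS Software, ASR1000 Software, Version 15.4(1)S")
    + _tlv(0x0006, b"cisco ASR1001")
    + _tlv(0x000B, b"\x01")  # full duplex
    + _ipv4_address_tlv(0x0016, "10.10.10.1")
)

# Constructed: the same interface after `cdp filter-tlv-list MINIMAL-CDP-INFO`.
FILTERED_FRAME = _build_cdp(
    _tlv(0x0001, b"WAN-EDGE-1.lab.network") + _tlv(0x0003, b"GigabitEthernet0/2/2")
    + _tlv(0x000B, b"\x01")
)
```

Fed the CDP bytes from a capture on Gi0/2/2, `leaked_tlvs(payload, MINIMAL_CDP_INFO)` should come back empty once the filter is applied, while Device ID, Port ID and Duplex remain, matching the neighbour output above. The parser refuses truncated frames rather than silently reporting fewer TLVs, so a bad capture cannot look like a successful filter.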