Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2244
Views
0
Helpful
3
Replies

Catalyst Block/Filtering CDP on ports

Go to solution
David Kondicz
Level 1
Level 1

‎05-16-2016 08:09 AM - edited ‎03-08-2019 05:46 AM

Hi all,

is there any way to filter cdp throught acces ports on catalyst switches? We have virus on site which is searching for other devices throught CDP protocol or Mikrotic neighbour.

If i block - MAC Protocol 800 ,packet type Boadcast in mikrotik Bridge, i can stop the UBIQUITY Virus.

Bud how to stop them throught catalyst switches on FTTA - fiber to the antenna sites?

We are using catalyst 3560x,2960s.... Lan BASE

Thank you

dave

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎05-16-2016 08:21 AM

Hi

Can you not turn off cdp per port basis or globally no cdp enable/  no cdp run  until you remove thevirus

it uses 4224 TCP as well

View solution in original post

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to David Kondicz

‎05-17-2016 01:07 AM

To be honest never tried to block it like that , I seen the port on couple of websites as TCP 4224 bit it seems unofficial

Did you see this

if your device are Cisco switch you can apply mac access-list which will drop outgoing CDP packets , and because CDP use ARPA code 0x200 , mac access-list will contain : access-list 10 deny 0x2000

http://networkengineering.stackexchange.com/questions/8040/listen-only-stealth-cdp-on-ios

known port assignments and vulnerabilities

threat/application/port search:
 search
Port(s) Protocol Service Details Source
4224 tcp,udp applications A remote overflow exists in Xtell. The Xtelld daemon fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request to port 4224, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
References: [BID-4193], [CVE-2002-0332]		 SG
4224 tcp

Cisco CDP Cisco discovery Protocol (unofficial)

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎05-16-2016 08:21 AM

Hi

Can you not turn off cdp per port basis or globally no cdp enable/  no cdp run  until you remove thevirus

it uses 4224 TCP as well

0 Helpful

Go to solution
David Kondicz
Level 1
Level 1
In response to Mark Malone

‎05-16-2016 11:23 AM

Hi Mark,

i dont think that is tcp.

I dont want to disable cdp on port i want to filted and deny it throught port fog eg with acl in catalyst.

linke filter rule in Mikrotik : MAC Protocol 800 ,packet type Boadcast - Drop


Dave

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to David Kondicz

‎05-17-2016 01:07 AM

To be honest never tried to block it like that , I seen the port on couple of websites as TCP 4224 bit it seems unofficial

Did you see this

if your device are Cisco switch you can apply mac access-list which will drop outgoing CDP packets , and because CDP use ARPA code 0x200 , mac access-list will contain : access-list 10 deny 0x2000

http://networkengineering.stackexchange.com/questions/8040/listen-only-stealth-cdp-on-ios

known port assignments and vulnerabilities

threat/application/port search:
 search
Port(s) Protocol Service Details Source
4224 tcp,udp applications A remote overflow exists in Xtell. The Xtelld daemon fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request to port 4224, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
References: [BID-4193], [CVE-2002-0332]		 SG
4224 tcp

Cisco CDP Cisco discovery Protocol (unofficial)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card