cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14432
Views
5
Helpful
10
Replies

Is there any reason for CDP to be disabled in the Network?

Thiyagu VG
Level 1
Level 1

Dear All,

In a Production Network, is there any specific reason for disabling the CDP Neighbor ?

I've joined a New Company and while going thru their Network Infrastructure, noticed in few 3560 Switches, the CDP is Disabled. I'm not very much sure about the reason behind this. Unfortunately I can't even ask anyone around me as I'm the only one who takes care of this client Network.

Please kinldy advise.

Thank You,

ThiyaguVG.

1 Accepted Solution

Accepted Solutions

hobbe
Level 7
Level 7

Yes

it is a good practice to shutdown anything that is not needed in the system.

less risks for different types of attacks and less risks for bugs.

cdp will send out information that gives the attacker an edge such as the version number of the operating system and what port you are on what type of hardware it is and so on.

so it is a goldmine for anyone getting ready to attack your system.

when they know the ios they can findout what bugs it has and so on.

CDP is powerfull when it comes to different things like asking the switches for information and stuffs.

The bad part is that a lot of software/features need cdp to work and disabeling cdp will break those programs.

Good luck

HTH

View solution in original post

10 Replies 10

garapoglou
Level 3
Level 3

Hi,

When you don't need CDP anymore, it's better to disable it for security reasons.

There's no need for CDP to run if the network is not being changed all the time.

If you need my opinion, enable CDP, write down all valuable information, create diagrams and stuff and when done, disable it.

Best regards,

Giorgos

N W
Level 1
Level 1

main reason would be for security purposes. hence ASA's dont have CDP enabled.

Mohamed Sobair
Level 7
Level 7

Hi,

You Normally enable CDP for Internal Network or inside your Network Domain, and you disable CDP on the devices connected to external devices out of your Network for Security reasons.

With CDP, you get an overview of the neighboring devices information with thier IP addresses IOS version, Platform type and the Port IDs, which could be a securty concern for some companies based on thier security policy.

Regards,

Mohamed

hobbe
Level 7
Level 7

Yes

it is a good practice to shutdown anything that is not needed in the system.

less risks for different types of attacks and less risks for bugs.

cdp will send out information that gives the attacker an edge such as the version number of the operating system and what port you are on what type of hardware it is and so on.

so it is a goldmine for anyone getting ready to attack your system.

when they know the ios they can findout what bugs it has and so on.

CDP is powerfull when it comes to different things like asking the switches for information and stuffs.

The bad part is that a lot of software/features need cdp to work and disabeling cdp will break those programs.

Good luck

HTH

Thanks a lot for all of your responses.

My New company hasn't have a proper Network Diagram so far. When I try to draw one, first I think about CDP to get more details about the exact connetivity. But I'm not able to grab all of the conneted devices details as CDP is Disabled.

Now, I'm going to enable CDP in our Internal Network. Hope this will not affect the production.

Again Thank you so much.

Ever Frindly,

ThiyaguVG.

I wouldn't mind about CDP affecting the production.

Good luck,


Giorgos

Thank you for the rating.

If you want to know what can be passively seen, take a computer with wireshark on it and just plug it in and listen to what is going on in the network and check the cdp packets.

That will give you a first hand view of what it looks like.

I think it is a very good thing to do.

Enabeling or disableing cdp is just a choise.

if you are not using it then it is a good thing to disable it, however if you fx have the 3750 family switches and want to do fx traceroute mac ip wich is a layer 2 traceroute that will tell you wich port a certain mac or ip address is attached to then you need to have it enabled.

its all about making educated choises.

There are some pros and some cons with most of the network protocols. the trick is to know why it is on or why it is off.

Good luck

HTH

Interestingly, do you believe what CDP is telling you? Check out the 'CDP Prank tutorial' here:

http://www.og150.com/tutorials.php

CDP is easily spoofed and can be considered a security risk. The demo uses the OG150 network security drop box.....

DJ

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

There are several reasons why CDP might be disabled.  As CDP is a proprietary protocol of Cisco's, if you have mixed vendor hardware, you might not obtain its intended benefit.

CDP will complain about issues that are intentional but CDP sees as a possible error.  For example, VLAN and/or duplex mismatches.  (For these, you might see CDP just disabled on an interface, not globally.)

CDP is considered a "security" risk, for the reasons noted in the other posts.  I.e. it can reveal information about your topology that might be useful to an attacker.

Of course, to "security" folk, any feature that might assist an attacker is a security concern.  That's true, but many security folk don't do an actual risk analysis nor consider whether other techniques might be employed to mitigate the risk.

Security nuts will tell you yes.....It can give an attacker a map of your network. From a networking perspective I could not bare to disable it. It is a life saver at moments in my job.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: