04-20-2011 03:07 AM - edited 03-06-2019 04:42 PM
Dear All,
In a production network, is there any specific reason for disabling CDP neighbor discovery?
I've joined a new company and, while going through their network infrastructure, noticed that on a few 3560 switches CDP is disabled. I'm not very sure about the reason behind this. Unfortunately I can't even ask anyone around me, as I'm the only one who takes care of this client's network.
Please kindly advise.
Thank You,
ThiyaguVG.
04-20-2011 03:20 AM
Yes.
It is good practice to shut down anything that is not needed in the system.
Less risk of different types of attacks and less risk of bugs.
CDP will send out information that gives the attacker an edge, such as the version number of the operating system, what port you are on, what type of hardware it is, and so on.
So it is a goldmine for anyone getting ready to attack your system.
When they know the IOS version, they can find out what bugs it has and so on.
CDP is powerful when it comes to different things like asking the switches for information and such.
The bad part is that a lot of software/features need CDP to work, and disabling CDP will break those programs.
Good luck
HTH
04-20-2011 03:14 AM
Hi,
When you don't need CDP anymore, it's better to disable it for security reasons.
There's no need for CDP to run if the network is not being changed all the time.
If you want my opinion, enable CDP, write down all the valuable information, create diagrams and so on, and when done, disable it.
Best regards,
Giorgos
04-20-2011 03:14 AM
The main reason would be security; hence ASAs don't have CDP enabled.
04-20-2011 03:16 AM
Hi,
You normally enable CDP for the internal network, or inside your network domain, and you disable CDP on the devices connected to external devices outside of your network, for security reasons.
With CDP, you get an overview of the neighboring devices' information, with their IP addresses, IOS version, platform type and port IDs, which could be a security concern for some companies based on their security policy.
Regards,
Mohamed
04-20-2011 03:26 AM
Thanks a lot for all of your responses.
My new company hasn't had a proper network diagram so far. When I try to draw one, the first thing I think of is CDP, to get more details about the exact connectivity. But I'm not able to grab all of the connected devices' details, as CDP is disabled.
Now I'm going to enable CDP in our internal network. Hope this will not affect production.
Again Thank you so much.
Ever Friendly,
ThiyaguVG.
04-20-2011 03:35 AM
I wouldn't worry about CDP affecting production.
Good luck,
Giorgos
04-20-2011 04:04 AM
Thank you for the rating.
If you want to know what can be passively seen, take a computer with Wireshark on it, just plug it in, listen to what is going on in the network and look at the CDP packets.
That will give you a first-hand view of what it looks like.
I think it is a very good thing to do.
Enabling or disabling CDP is just a choice.
If you are not using it, then it is a good thing to disable it; however, if you have, for example, the 3750 family switches and want to use traceroute mac ip, which is a layer 2 traceroute that will tell you which port a certain MAC or IP address is attached to, then you need to have it enabled.
It's all about making educated choices.
There are some pros and some cons with most network protocols. The trick is to know why it is on or why it is off.
Good luck
HTH
03-22-2013 09:06 PM
Interestingly, do you believe what CDP is telling you? Check out the 'CDP Prank tutorial' here:
http://www.og150.com/tutorials.php
CDP is easily spoofed and can be considered a security risk. The demo uses the OG150 network security drop box.
DJ
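The two previous replies make complementary points: a CDP advertisement is readable by any host plugged into a CDP-enabled port, and nothing in it is authenticated, so it is just as easy to forge. The following is an added example, not code from any of the posts or from Cisco: it assembles the 802.3/LLC/SNAP frame a switch multicasts to 01:00:0c:cc:cc:cc and then decodes it the way a passive Wireshark listener would. The switch name, port, platform and IOS version strings are constructed sample values, not real devices.

```python
"""Build and decode a CDP (Cisco Discovery Protocol) advertisement.

Added example, not from the thread. Sample identities are constructed.
"""
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")               # 01:00:0c:cc:cc:cc
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC + SNAP OUI/PID

TLV_NAMES = {0x0001: "Device ID", 0x0003: "Port ID", 0x0004: "Capabilities",
             0x0005: "Software Version", 0x0006: "Platform",
             0x000A: "Native VLAN", 0x000B: "Duplex"}


def cdp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the CDP header plus TLVs.
    For odd-length payloads the trailing byte is placed in the low-order
    half of the last word (padding goes before it, not after), matching
    how dissectors treat Cisco's checksum for ASCII payloads. With the
    checksum field zeroed this returns the value to send; over an intact
    received message it returns 0."""
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV length counts the 4-byte type/length header itself."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, device_id: str, port_id: str,
                    platform: str, sw_version: str, native_vlan: int = 1,
                    ttl: int = 180) -> bytes:
    """Assemble a CDPv2 advertisement. Nothing here is authenticated:
    any host on the segment can send a frame claiming any identity."""
    body = b"".join([
        tlv(0x0001, device_id.encode()),
        tlv(0x0005, sw_version.encode()),
        tlv(0x0006, platform.encode()),
        tlv(0x0003, port_id.encode()),
        tlv(0x0004, struct.pack("!I", 0x28)),   # Switch (0x08) | IGMP (0x20)
        tlv(0x000B, b"\x01"),                    # full duplex
        tlv(0x000A, struct.pack("!H", native_vlan)),
    ])
    header = struct.pack("!BBH", 2, ttl, 0)      # version 2, TTL, checksum=0
    cksum = cdp_checksum(header + body)
    cdp = struct.pack("!BBH", 2, ttl, cksum) + body
    payload = LLC_SNAP_CDP + cdp
    return CDP_MCAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode one captured frame; raises ValueError on anything malformed."""
    if len(frame) < 22 or frame[:6] != CDP_MCAST:
        raise ValueError("not a CDP multicast frame")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:14 + length]
    if len(payload) != length or payload[:8] != LLC_SNAP_CDP:
        raise ValueError("not CDP inside LLC/SNAP")
    cdp = payload[8:]
    if cdp_checksum(cdp) != 0:
        raise ValueError("bad CDP checksum")
    version, ttl, _ = struct.unpack("!BBH", cdp[:4])
    info = {"src_mac": frame[6:12].hex(":"), "version": version, "ttl": ttl}
    off = 4
    while off < len(cdp):
        if off + 4 > len(cdp):
            raise ValueError("truncated TLV header")
        t, l = struct.unpack("!HH", cdp[off:off + 4])
        if l < 4 or off + l > len(cdp):
            raise ValueError("TLV length out of range")
        v = cdp[off + 4:off + l]
        name = TLV_NAMES.get(t, "type 0x%04x" % t)
        if t in (0x0001, 0x0003, 0x0005, 0x0006):
            info[name] = v.decode("ascii", "replace")
        elif t == 0x0004 and len(v) == 4:
            info[name] = struct.unpack("!I", v)[0]
        elif t == 0x000A and len(v) == 2:
            info[name] = struct.unpack("!H", v)[0]
        elif t == 0x000B and len(v) == 1:
            info[name] = "full" if v == b"\x01" else "half"
        else:
            info[name] = v.hex()
        off += l
    return info


if __name__ == "__main__":
    # Constructed sample: what a 3560 access switch would hand to any host
    # plugged into one of its CDP-enabled ports.
    frame = build_cdp_frame(bytes.fromhex("001b54aabbcc"), "SW-ACCESS-07",
                            "GigabitEthernet0/12", "cisco WS-C3560-24TS",
                            "Cisco IOS Software, C3560 Software "
                            "(C3560-IPBASEK9-M), Version 12.2(55)SE",
                            native_vlan=10)
    for key, val in parse_cdp_frame(frame).items():
        print(f"{key:17s} {val}")
    # The same builder with a different identity is all a spoofer needs.
    forged = build_cdp_frame(bytes.fromhex("deadbeef0001"), "CORE-RTR-01",
                             "GigabitEthernet1/1", "cisco WS-C6509-E",
                             "forged", native_vlan=1)
    print("spoofed advertisement decodes as:", parse_cdp_frame(forged)["Device ID"])
```

The decoder prints exactly the fields the earlier replies list (device name, IOS version, platform, port, native VLAN), and the forged frame decodes just as cleanly, which is why the checksum is an integrity check only and not a reason to trust what a neighbour claims.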
03-23-2013 04:59 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
There are several reasons why CDP might be disabled. As CDP is a proprietary protocol of Cisco's, if you have mixed vendor hardware, you might not obtain its intended benefit.
CDP will complain about issues that are intentional but CDP sees as a possible error. For example, VLAN and/or duplex mismatches. (For these, you might see CDP just disabled on an interface, not globally.)
CDP is considered a "security" risk, for the reasons noted in the other posts. I.e. it can reveal information about your topology that might be useful to an attacker.
Of course, to "security" folk, any feature that might assist an attacker is a security concern. That's true, but many security folk don't do an actual risk analysis nor consider whether other techniques might be employed to mitigate the risk.
03-23-2013 07:05 AM
Security nuts will tell you yes. It can give an attacker a map of your network. From a networking perspective I could not bear to disable it. It is a life saver at moments in my job.