Can you set up VoIP in a Cisco environment without CDP enabled?
05-07-2010 10:07 AM - edited 03-17-2019 10:00 PM
All,
I have a quick question... can you set up VoIP in a Cisco environment without CDP enabled? Some background: because of where I work, CDP is disabled for security reasons. We are now in the beginning stages of setting up a Call Manager and implementing VoIP on our network. When it comes time to install our phones, will we have an issue if we are not using CDP?
Any assistance in this matter would be greatly appreciated.
Thanks,
Bart

05-07-2010 10:49 AM
The answer is: it depends. An alternative to CDP is LLDP-MED. Take a look here for details and a comparison of the two: http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html
It's much easier with CDP, but take a look and let us know your follow-up questions.
Hailey
Please rate helpful posts!

05-07-2010 03:57 PM
Yes, you will have a huge issue.
Disabling CDP for security reasons is a big mistake.
Have a senior SE from your local Cisco office have a chat with the person in charge, and chances are that such a policy will be withdrawn.

05-08-2010 02:32 PM
I disagree; CDP is a legitimate security concern and is frequently disabled in federal or military networks. It is relatively trivial to spoof CDP packets onto an access port and get into the voice VLAN. To my knowledge, there is no security mechanism in LLDP-MED that resolves this concern.
If you have this type of environment, I would suggest using 802.1x and a mixed-mode CUCM cluster with Cisco ACS so the phone will use a certificate to authenticate itself. The general order of events goes: a new phone out of the box uses its manufacturing certificate for 802.1x. ACS has this approved for a quarantine VLAN that allows limited access to CUCM for CAPF enrollment. The phone receives its local certificate (and configuration), which is trusted for voice VLAN access by ACS. When it restarts after enrollment, it then passes 802.1x and is allowed into the voice VLAN.
If you do not do this, I'm not sure how "huge" of an issue this will be. You will still be able to receive PoE to the phones (this is not exclusively dependent upon CDP or LLDP-MED). All you will lose is the automatic switch port conversion to an 802.1q trunk port with the voice VLAN allowed. There are also some QoS implications to this, but nothing insurmountable. Every other VoIP PBX managed just fine for years without LLDP-MED; it just requires additional manual labor.
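As an added illustration of the switch side of the design described in this post (not from the thread itself and not from any Cisco document), here is a Catalyst access-port configuration that keeps CDP off, authenticates the phone with 802.1X, keeps a fallback VLAN for devices that never authenticate, and leaves the data and voice VLANs statically defined on the port. The RADIUS server address, key and VLAN numbers are placeholders; the ACS-side policy that maps the manufacturing certificate to the quarantine VLAN and the locally significant certificate to full voice access is assumed to exist on the server and is not shown.

```ios
! Added example (not from the original post). Placeholders: 10.0.0.5, RADIUS key, VLAN IDs.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 key RADIUS-KEY-PLACEHOLDER
!
! CDP stays off globally, as in the original poster's environment.
! Consequence: the phone cannot learn the voice VLAN from the switch, so the
! voice VLAN ID has to be set on the phone (or learned over LLDP-MED, if permitted).
no cdp run
!
interface GigabitEthernet0/1
 description IP phone plus PC, 802.1X required in both domains
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! One data device and one voice device may authenticate on this port.
 ! ACS must return device-traffic-class=voice (cisco-av-pair) for the phone
 ! so the switch authorizes it into the voice domain rather than the data domain.
 authentication host-mode multi-domain
 authentication port-control auto
 ! Devices with no supplicant, or that fail EAP, are confined to VLAN 999
 ! (assumed to reach nothing but remediation services).
 authentication event no-response action authorize vlan 999
 authentication event fail action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The quarantine VLAN used for CAPF enrollment in the post is assigned dynamically by ACS on the first (manufacturing-certificate) authentication; VLAN 999 here is a separate switch-local fallback for devices that do not authenticate at all.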

05-09-2010 01:49 PM
> I disagree; CDP is a legitimate security concern and is frequently disabled in federal or military networks.
I did not say CDP has no potential security issue (like practically anything else). I did say that disabling it is a wrong decision.
> It is relatively trivial to spoof CDP packets onto an access port and get into the voice VLAN.
The thing is that if one has security concerns, but leaves access ports unsecured, thinking that disabling CDP is enough, that one should find another job, because networking is not for him. Typical shortsighted attitude of "security" inepts who, not knowing better, raise obstacles everywhere just to justify their salary.
