When would you turn off CDP?
Deathmage (in CCNA & CCENT):
Hey guys,
I noticed a part in the book that says you can turn off CDP on edge routers.
Why would you need to do this?
Comments
xnx:
This would stop any devices connected to it from gathering details which could help in an exploit, such as the Cisco IOS version.
Getting There ... Lab Equipment: Using Cisco CSRs and 4 Switches currently
theodoxa:
^^^ There is a lot of information in a CDP packet (model, IOS, port on each end of the link, etc.) that you wouldn't want just anyone to have access to. You don't even need a Cisco device to utilize the information coming from CDP. You can capture them using Wireshark or any device that generates PCAP files. The contents are plain text.
R&S: CCENT → CCNA → CCNP → CCIE [ ] / Security: CCNA [ ] / Virtualization: VCA-DCV [ ]
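To see concretely what "the contents are plain text" means, here is an added example (not code from the original thread or from any of the posters): a small Python decoder for a CDP frame as Wireshark or any pcap tool would hand it to you. Frame layout and TLV codes follow the public CDP format; the sample switch (hostname, MAC, IP address, port and IOS version string) is invented for the demo, and the helper that builds that sample frame is only there so the example runs offline. The parser verifies the CDP checksum and pulls out the Device ID, management address, port, capabilities, IOS version, platform and native VLAN, i.e. everything a host on an access port learns for free every 60 seconds.

```python
"""Decode a Cisco Discovery Protocol frame from raw link-layer bytes.

CDP goes out unencrypted to multicast 01:00:0c:cc:cc:cc in an 802.3/LLC/SNAP
frame, so any host that can sniff the segment can read it.  Sample frame below
is constructed for the demo; the format constants follow the public CDP layout.
"""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
# LLC DSAP/SSAP/control 0xAA 0xAA 0x03, SNAP OUI 00:00:0c (Cisco), protocol ID 0x2000
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x0009: "VTP Management Domain",
             0x000A: "Native VLAN", 0x000B: "Duplex"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "TB Bridge"), (0x04, "SR Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def cdp_checksum(body):
    """One's-complement sum over the whole CDP body.  For an odd length Cisco moves
    the trailing byte into the low half of a final word (Wireshark's dissector does
    the same) instead of the IP-style zero pad."""
    if len(body) % 2:
        body = body[:-1] + b"\x00" + body[-1:]
    total = sum(struct.unpack("!%dH" % (len(body) // 2), body))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _decode_addresses(val):
    """Addresses TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr)."""
    count = struct.unpack("!I", val[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = val[off], val[off + 1]
        proto = val[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", val[off + 2 + plen:off + 4 + plen])[0]
        addr = val[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        # NLPID 0xCC is IPv4; anything else is returned as hex rather than guessed at
        addrs.append(".".join(str(b) for b in addr) if ptype == 1 and proto == b"\xcc" and alen == 4 else addr.hex())
    return addrs


def decode_tlv(tlv_type, val):
    if tlv_type in (0x0001, 0x0003, 0x0005, 0x0006, 0x0009):
        return val.decode("ascii", "replace")  # plain text on the wire
    if tlv_type == 0x0002:
        return _decode_addresses(val)
    if tlv_type == 0x0004:
        caps = struct.unpack("!I", val)[0]
        return [name for bit, name in CAPABILITY_BITS if caps & bit]
    if tlv_type == 0x000A:
        return struct.unpack("!H", val)[0]
    if tlv_type == 0x000B:
        return "full" if val == b"\x01" else "half"
    return val.hex()


def parse_cdp_frame(frame):
    """Return decoded fields for one Ethernet frame, or raise ValueError."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST:
        raise ValueError("not a CDP multicast frame")
    length = struct.unpack("!H", frame[12:14])[0]  # 802.3 length field, not an EtherType
    if frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("LLC/SNAP header is not CDP")
    body = frame[22:14 + length]
    if len(body) < 4 or cdp_checksum(body) != 0:  # a valid frame sums to zero
        raise ValueError("bad CDP checksum or truncated body")
    tlvs, off = {}, 4
    while off + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(body):
            raise ValueError("malformed TLV at offset %d" % off)
        tlvs[TLV_NAMES.get(tlv_type, "0x%04x" % tlv_type)] = decode_tlv(tlv_type, body[off + 4:off + tlv_len])
        off += tlv_len
    return {"src_mac": frame[6:12].hex(":"), "version": body[0], "ttl": body[1], "tlvs": tlvs}


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac, device_id, ip, port_id, sw_version, platform, native_vlan, ttl=180):
    """Build a CDPv2 frame the way a switch would send it (demo input only)."""
    addr = bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    tlvs = (_tlv(0x0001, device_id.encode()) + _tlv(0x0002, struct.pack("!I", 1) + addr)
            + _tlv(0x0003, port_id.encode()) + _tlv(0x0004, struct.pack("!I", 0x08 | 0x20))
            + _tlv(0x0005, sw_version.encode()) + _tlv(0x0006, platform.encode())
            + _tlv(0x000A, struct.pack("!H", native_vlan)) + _tlv(0x000B, b"\x01"))
    body = struct.pack("!BBH", 2, ttl, 0) + tlvs
    body = body[:2] + struct.pack("!H", cdp_checksum(body)) + body[4:]
    payload = LLC_SNAP_CDP + body
    return CDP_MULTICAST + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", len(payload)) + payload


# Constructed sample: hostname, MAC, IP and version string are invented for the demo.
SAMPLE_FRAME = build_cdp_frame(
    "00:1b:54:c2:5e:81", "core-sw1.example.net", "10.1.1.2", "GigabitEthernet1/0/24",
    "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE",
    "cisco WS-C3750-48TS", native_vlan=1)
```

Call parse_cdp_frame() on the raw Ethernet frame bytes from any pcap reader and print the returned "tlvs" dict; on the constructed frame it yields the device name, 10.1.1.2, the far-end port, "Switch"/"IGMP", the full IOS version string, the platform and native VLAN 1. Nothing in the decoder needed a key or a Cisco device, which is the point theodoxa is making.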
xnx:
I've attached some pictures of a quick Ethernet tapping method I put together. It only works one way, but it gives you an example of capturing CDP packets. You can't see the packets in this particular example, though, but it would look similar...
OfWolfAndMan:
Alright, so situation one: you're an exploiter and are trying to capture some packets. What do you do? First you'd figure out where a switch is. Next, assuming this port hasn't been configured yet (which just doesn't happen on a complex corporate network, but idiots do exist), you ensure when connecting that your switch becomes the root bridge of STP. Boom. Packets for days. Not only would you be able to find the model of the switch and the IP address, but you'd also find what native VLAN the distant trunk is using.
Reading: Lab Books, Ansible Documentation, Python Cookbook. 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation [ ]
Deathmage:
OfWolfAndMan wrote:
> Alright, so situation one: you're an exploiter and are trying to capture some packets. What do you do? First you'd figure out where a switch is. Next, assuming this port hasn't been configured yet (which just doesn't happen on a complex corporate network, but idiots do exist), you ensure when connecting that your switch becomes the root bridge of STP. Boom. Packets for days. Not only would you be able to find the model of the switch and the IP address, but you'd also find what native VLAN the distant trunk is using.
I guess this would be an example of why you would set a native VLAN to 900 or something high and not use it at all?
OfWolfAndMan:
Deathmage wrote:
> I guess this would be an example of why you would set a native VLAN to 900 or something high and not use it at all?
CDP - The Wireshark Wiki
Also, here's a little explanation about the native VLAN configs. You still seem to be a little hazy on it.
VLAN hopping - Wikipedia, the free encyclopedia
You could do a LOT of things with CDP, but in the situation where it's required to be kept on for inventory, here's what you would do on each port not connecting to one of your switches:
#switchport mode access
#switchport access vlan [vlan #] (VLAN should not be the same as the native VLAN and should be set as a "dead" VLAN not used by any users)
#switchport voice vlan [vlan #]
#switchport nonegotiate
#switchport port-security
#switchport port-security mac-address sticky
#switchport port-security maximum 2 (only if you are running a phone and a computer on the same line via PoE)
#shutdown (until you KNOW there's an authorized user there)
#no mdix auto
#description [description]
Best base config for now. Also, you need to make sure of a few other things:
1. Native VLAN is not mismatched on each side.
2. You use the #suspend command under your native VLAN config to prevent passing of any traffic under the native VLAN.
3. Use a "dead" VLAN for all ports that aren't connected to anything and suspend traffic on that VLAN as well.
Iristheangel (Mod):
I was watching IPexpert YouTube videos for fun today and found this gem: https://www.youtube.com/watch?v=gPbrIyUQWg8&list=UUKfNWxQnLgKiOSbukZXxoLQ
I guess you learn something new every day. I think keeping CDP but filtering insecure information is a great way to keep it on for administrative ease while reducing your security risk.
xnx:
Wow, I never knew this was possible, and I'm sure it's the same with many others on here.
powmia:
Selecting TLVs is a nice trick, but if all it takes for someone to pwn your devices is knowledge of the info displayed in standard CDP output... you're in trouble. I am personally a fan of just letting CDP run (troubleshooting ease) with the defaults (no commands in devices that aren't accepted across all platforms) and focusing on the real underlying issues... such as... if an infected PC attached to a VoIP phone flips on a pcap and can get that info.... why does it matter? Why the heck would my device 1) accept packets from that host, 2) not have spoofing protection to ensure that host is only sending from his unauthorized space, 3) be vulnerable in the first place?
My opinion.
alan2308:
xnx wrote:
> I've attached some pictures of a quick Ethernet tapping method I put together. It only works one way, but it gives you an example of capturing CDP packets. You can't see the packets in this particular example, though, but it would look similar...
You know, hubs are pretty cheap nowadays...
john_samson:
Hello Deathmage,
You turn off CDP when you don't need it, as it generates unnecessary traffic, causing overhead.
When you enable debugging, the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.
Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.
To disable CDP on the entire switch, use the "no cdp run" command from enable mode:
conf t
no cdp run
CDP can also be disabled on specific ports. To disable CDP on FastEthernet0/3, use these commands from enable mode:
conf t
int fa0/3
no cdp enable
xnx:
alan2308 wrote:
> You know, hubs are pretty cheap nowadays...
her.yang:
The book answer is that you should turn it off for access ports connecting to host computers. This is a security measure, designed to prevent them from gathering information about your switch. Just keep in mind, though, that CDP is used for a lot of things, not just identifying who's on the other end of a switch port. For example, Cisco IP phones use it to negotiate Power over Ethernet (PoE), and there's even a routing protocol that runs entirely off of CDP (On-Demand Routing, ODR).