When would you turn of CDP?

DeathmageDeathmage Banned Posts: 2,496
Hey guys,

I noticed a part in the book that says you can turn off CDP on edge routers. icon_study.gif

Why would you need to do this?

Comments

  • xnxxnx Member Posts: 464 ■■■□□□□□□□
    This would be stop any devices connected to it from gathering details which could help in an exploit such as Cisco IOS version...
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    ^^^ There is a lot of information in a CDP Packet (Model, IOS, Port on Each End of Link, etc...) that you wouldn't want just anyone to have access to. You don't even need a Cisco device to utilize the information coming from CDP. You can capture them using Wireshark or any device that generates PCAP files. The contents are plain text.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • xnxxnx Member Posts: 464 ■■■□□□□□□□
    I've attached some pictures of a quick ethernet tapping method I put together, it only works one way but it gives you an example of capturing CDP packets - you can't see the packets in this particular example though but it would look similar...
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • OfWolfAndManOfWolfAndMan Member Posts: 923 ■■■■□□□□□□
    Alright so situation one: you're an exploiter and are trying to capture some packets. What do you do? First you'd figure out where a switch is. Next, assuming this port hasn't been configured yet (Which just doesn't happen on a complex corporate network, but idiots do exist), you ensure when connecting, your switch becomes the root bridge of STP. Boom. Packets for days. Not only would you be able to find the model of the switch and the IP address, but you'd also find what native Vlan the distant trunk is using.
    :study:Reading: Lab Books, Ansible Documentation, Python Cookbook 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
  • DeathmageDeathmage Banned Posts: 2,496
    Alright so situation one: you're an exploiter and are trying to capture some packets. What do you do? First you'd figure out where a switch is. Next, assuming this port hasn't been configured yet (Which just doesn't happen on a complex corporate network, but idiots do exist), you ensure when connecting, your switch becomes the root bridge of STP. Boom. Packets for days. Not only would you be able to find the model of the switch and the IP address, but you'd also find what native Vlan the distant trunk is using.

    I guess this would be an example of why you would set a native vlan to 900 or something high and not use it at all?
  • OfWolfAndManOfWolfAndMan Member Posts: 923 ■■■■□□□□□□
    I guess this would be an example of why you would set a native vlan to 900 or something high and not use it at all?
    No, you should just not set the native VLAN to 1 as that is the default and easily guessed. In this situation, you would already know the native VLAN of the other side. You want to see what's in a CDP packet? Here's a capture:

    CDP - The Wireshark Wiki

    Also, here's a little explanation about the Native VLAN configs. You still seem to be a little hazy on it.

    VLAN hopping - Wikipedia, the free encyclopedia

    You could do a LOT of things with CDP, but in the situation where it's required to be kept on for inventory, here's what you would do on each port not connecting to one of your switches:

    #switchport mode access
    #switchport access vlan [vlan #]
    (Vlan should not be the same as the native VLAN and should be set as a "Dead" VLAN not used by any users)
    #switchport voice vlan [vlan #]
    #switchport nonegotiate
    #switchport port-security
    #switchport port-security mac-address sticky
    #switchport port-security maximum 2
    (Only if you are running a phone and a computer on the same line via PoE)
    #shutdown (Until you KNOW there's an authorized user there)
    #no mdix auto
    #description [description]

    Best base config for now. Also, you need to make sure of a few other things:
    1. Native VLAN is not mismatched on each side
    2. You use the #suspend command under your native vlan config to prevent passing of any traffic under the native vlan
    3. Use a "Dead" VLAN for all ports that aren't connected to anything and suspend traffic on that VLAN as well.
    :study:Reading: Lab Books, Ansible Documentation, Python Cookbook 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    I was watching IPexpert youtube videos for fun today and found this gem: https://www.youtube.com/watch?v=gPbrIyUQWg8&list=UUKfNWxQnLgKiOSbukZXxoLQ

    I guess you learn something new every day. I think keeping CDP but filtering insecure information is a great way to keep it on for administrative ease while reducing your security risk.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • xnxxnx Member Posts: 464 ■■■□□□□□□□
    Wow, I never knew this was possible and i'm sure it's the same with many others on here
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    Selecting TLVs is a nice trick, but if all it takes for someone to pwn your devices is knowledge of the info displayed in standard CDP output... you're in trouble. I am personally a fan of just letting CDP run (troubleshooting ease) with the defaults (no commands in devices that aren't accepted across all platforms) and focusing on the real underlying issues... such as... if an infected PC attached to a VoIP phone flips on a pcap and can get that info.... why does it matter? Why the heck would my device 1) accept packets from that host 2) not have spoofing protection to ensure that host is only sending from his unauthorized space 3) be vulnerable in the first place.

    My opinion.
  • alan2308alan2308 Member Posts: 1,854 ■■■■■■■■□□
    xnx wrote: »
    I've attached some pictures of a quick ethernet tapping method I put together, it only works one way but it gives you an example of capturing CDP packets - you can't see the packets in this particular example though but it would look similar...

    You know, hubs are pretty cheap now days... icon_lol.gif
  • john_samsonjohn_samson Member Posts: 33 ■■□□□□□□□□
    Hello Deathmage,
    You turn off CDP when you don't need it as it generates unnecessary traffic causing overhead.
    When you enable debugging,the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.

    Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.

    To disable CDP on the entire switch, use the “no cdp run” command from enable mode:
    conf t
    no cdp run

    CDP can also be disabled on specific ports. To disable CDP on FastEthernet0/3, use these commands from enable mode:

    conf t
    int fa0/3
    no cdp enable
  • xnxxnx Member Posts: 464 ■■■□□□□□□□
    alan2308 wrote: »
    You know, hubs are pretty cheap now days... icon_lol.gif
    Haha yeah I just realised that using a hub would look less 'tacky' but this way I could tap an 100mbit ethernet connection inline without having to worry where it's wired too for general troubleshooting
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • her.yangher.yang Member Posts: 22 ■□□□□□□□□□
    The book answer is that you should turn it off for access ports connecting to host computers. This is a security measure, designed to prevent them from gathering information about your switch. Just keep in mind though, that CDP is used for a lot of things, not just identifying who's on the other end of a switch port. For example, Cisco IP phones use it to negotiate Power over Ethernet (PoE) and there's even a routing protocol that runs entirely off of CDP (On-Demand Routing, ODR).
Sign In or Register to comment.