Is disabling CDP on your entire network a bad idea or good security practice?
StonedHitman
Member Posts: 120
in CCNA & CCENT
To me it doesn't seem like Cisco Discovery Protocol, or CDP, is all that great. I'm not saying it's bad either; it's a neat protocol. CDP can leave your network susceptible to attacks and whatnot. What are you guys' thoughts?
Currently reading Network Warrior
Comments
merc.man87 Member Posts: 50
Unless you know who your neighbor is on your WAN, I'd say disable it on the public-facing interface. But on the innards of your network, it's the best!
elderkai Member Posts: 279
CDP/LLDP comes in handy often. Just disable it on the WAN and, if you really need to, on user ports.
StonedHitman Member Posts: 120
> CDP/LLDP comes in handy often. Just disable on the WAN and if you really need, user ports.
I'm gonna have to agree with you there. I guess when I asked this question I was thinking of, like, a really large enterprise internetwork. In that case I was thinking that would be a lot of CDP traffic.
tomtom1 Member Posts: 375
I think you should disable CDP globally but enable it when you are troubleshooting something and it could come in handy. Same goes for LLDP. You are really giving away a lot of usable information to hackers.
lrb Member Posts: 526
CDP and LLDP messages are typically only a few hundred bytes in length. When the links between devices are usually aggregates of 10G/40G links, the overhead of these is minimal.
These protocols are also a godsend in lieu of a bad/missing network diagram. But like everyone above me has said, disable them on ports connecting to non-IP-phone hosts and on public-facing interfaces.
theodoxa Member Posts: 1,340
CDP is useful. For example, I could plug a laptop [with Wireshark] into a wall jack and within a few seconds know exactly where it's connected (device name and port number), plus the model of the switch, the IOS it is running, IP addresses, native VLAN, and VTP domain. A lot faster and easier than tracing a wire.
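Added example, not from the thread or from Cisco: a small decoder for the TLVs in a CDP advertisement, so you can see exactly which fields a laptop on a user port receives (the same ones theodoxa lists above). The frame is constructed inline; the device name, port, address, platform string and VLAN are made-up sample values, and the checksum is zeroed rather than computed.

```python
"""Decode the TLVs of a CDP payload (the bytes after the SNAP header) and
report which topology details the advertisement leaks."""
import ipaddress
import struct

# Public CDP TLV type codes relevant to reconnaissance.
TLV_NAMES = {
    0x0001: "Device ID",
    0x0002: "Addresses",
    0x0003: "Port ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
    0x0009: "VTP Management Domain",
    0x000A: "Native VLAN",
}


def _parse_addresses(value: bytes) -> list:
    """Addresses TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr)."""
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        off += 2
        proto = value[off:off + plen]
        off += plen
        alen = struct.unpack("!H", value[off:off + 2])[0]
        off += 2
        raw = value[off:off + alen]
        off += alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
            addrs.append(str(ipaddress.IPv4Address(raw)))
        else:
            addrs.append(raw.hex())
    return addrs


def parse_cdp(payload: bytes) -> dict:
    """Return a dict keyed by TLV name. The checksum is not verified here."""
    if len(payload) < 4:
        raise ValueError("short CDP header")
    out = {"version": payload[0], "ttl": payload[1]}
    off = 4  # version (1), ttl (1), checksum (2)
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed TLV at offset %d" % off)
        value = payload[off + 4:off + tlen]
        name = TLV_NAMES.get(ttype, "TLV 0x%04x" % ttype)
        if ttype == 0x0002:
            out[name] = _parse_addresses(value)
        elif ttype in (0x0004, 0x000A):  # capability bitmask, native VLAN id
            out[name] = int.from_bytes(value, "big")
        else:
            out[name] = value.decode("ascii", errors="replace")
        off += tlen
    return out


def leaked_fields(parsed: dict) -> list:
    """Names of recon-relevant TLVs actually present in the advertisement."""
    return [n for n in TLV_NAMES.values() if n in parsed]


def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, len(value) + 4) + value


def build_sample_cdp() -> bytes:
    """Constructed sample advertisement (all values are placeholders)."""
    addr = (struct.pack("!I", 1) + bytes([1, 1, 0xCC])
            + struct.pack("!H", 4) + ipaddress.IPv4Address("192.0.2.1").packed)
    body = b"".join([
        _tlv(0x0001, b"SW-ACCESS-01"),
        _tlv(0x0002, addr),
        _tlv(0x0003, b"GigabitEthernet1/0/24"),
        _tlv(0x0004, struct.pack("!I", 0x28)),        # Switch | IGMP
        _tlv(0x0005, b"Cisco IOS Software, Version 15.x (sample string)"),
        _tlv(0x0006, b"cisco WS-C2960 (sample)"),
        _tlv(0x0009, b"CORP"),
        _tlv(0x000A, struct.pack("!H", 10)),
    ])
    return bytes([2, 180]) + struct.pack("!H", 0) + body  # v2, TTL 180s, checksum zeroed


if __name__ == "__main__":
    info = parse_cdp(build_sample_cdp())
    for key in leaked_fields(info):
        print("%-22s %s" % (key, info[key]))
```

Run it as a script and it lists device name, management IP, port, platform, software version, VTP domain and native VLAN from a single frame, which is the information a `no cdp enable` on user-facing ports denies to whoever plugs in.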
SteveO86 Member Posts: 1,423
Like others have said, I would keep CDP enabled on the trusted network, then simply disable it at the untrusted edge of your network. (And by untrusted edge I am referring to the internet edge, or where your Cisco equipment connects to another company's equipment.)
CDP is extremely useful when troubleshooting, and with LLDP's adoption rate it makes it that much more useful if you are troubleshooting connections to ESXi hosts, since you can easily verify which connection is where.
Also, if you happen to be working within a data center with Nexus 5k, certain DCBX parameters are exchanged via LLDP, so it becomes quite important in certain situations.
This guide is a bit older, but many of the references are still sort of valid. It's definitely worth a read-through:
Cisco Guide to Harden Cisco IOS Devices - Cisco
aftereffector Member Posts: 525
It's pretty useful for VoIP too.
Iristheangel Mod Posts: 4,133
Going to put this here too:
I was watching IPexpert YouTube videos for fun today and found this gem: https://www.youtube.com/watch?v=gPbrIyUQWg8&list=UUKfNWxQnLgKiOSbukZXxoLQ
I guess you learn something new every day. I think keeping CDP but filtering insecure information is a great way to keep it on for administrative ease while reducing your security risk.
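The per-interface pattern the replies above converge on (keep CDP globally, switch it off on the WAN and on ordinary user ports, leave it on where phones or ESXi hosts need it), as an added IOS configuration example that is not from the thread or the linked video. Interface names and descriptions are placeholders; adapt them to your own edge and access ports.

```cisco
! Added example; interface names are placeholders.
cdp run
lldp run
!
interface GigabitEthernet0/0
 description WAN / untrusted edge
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface range GigabitEthernet1/0/1 - 24
 description user access ports (no discovery needed)
 no cdp enable
 no lldp transmit
!
interface GigabitEthernet1/0/25
 description IP phone port; CDP/LLDP-MED needed for voice VLAN
 cdp enable
!
interface TenGigabitEthernet1/1/1
 description uplink to core; CDP kept for troubleshooting
 cdp enable
```

Verify with `show cdp interface` (which interfaces still send and receive) and `show cdp neighbors detail` from the core side; a user port hardened this way should no longer appear as a CDP neighbor to anything plugged into it.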
Architect192 Member Posts: 157
Thanks Iris, great find.