CDP questions

Answered Question
Mar 25th, 2008
My engineer has a question regarding CDP.

If we were to turn CDP off at the interface level, would we still receive alerts for that interface, i.e. up/down error status, in CiscoWorks?

Joe Clarke Tue, 03/25/2008 - 10:29
User Badges: Cisco Employee, Hall of Fame, Founding Member

Yes. Provided the interface is managed in DFM, it will still provide unreachable events for that interface. However, without CDP, Campus Manager will not be able to ascertain the related topology.

dionjiles Tue, 03/25/2008 - 10:56
Thanks for your response. We are preparing for a network audit and security is asking if we can turn off CDP, but we are in a battle with them right now. I am aware that Campus Manager will be affected if we were to do this; hopefully we won't. Thanks.



Correct Answer
Joe Clarke Tue, 03/25/2008 - 11:00
User Badges: Cisco Employee, Hall of Fame, Founding Member

In terms of security, it's best to disable CDP on all interfaces/ports which go to devices you do not manage, or to user access ports. I realize it may not always be possible to turn off CDP to access ports given things like IP telephony, but it should be very doable on links to devices that you do not manage (e.g. ISP devices). This way you're not providing people with more information than they need to know. Keeping CDP enabled on infrastructure links that interconnect managed devices should not open you up to any security problems.
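
One way to audit a running-config against the policy above (CDP off toward unmanaged devices and user access ports, left on for managed infrastructure links, with an exception for IP phone ports) is a small script that parses interface blocks and applies the global `cdp run` / per-interface `no cdp enable` semantics. This is an added example, not code from the thread or from CiscoWorks; the sample config and the description markers (`unmanaged`, `isp`, `access port`, `ip phone`, `voice`) are constructed assumptions about a naming convention, so adapt them to your own.

```python
"""Audit a Cisco IOS running-config for interfaces that still send CDP
toward devices outside our management.  Added example; the config below
is constructed, not taken from the forum thread."""

# Constructed sample running-config (assumption: descriptions tag
# unmanaged/ISP links, user access ports and IP phone ports).
SAMPLE_CONFIG = """\
!
cdp run
!
interface GigabitEthernet0/1
 description UPLINK to core-sw1 (managed)
 no shutdown
!
interface GigabitEthernet0/2
 description ISP handoff (unmanaged)
 no cdp enable
!
interface GigabitEthernet0/3
 description ISP backup handoff (unmanaged)
!
interface FastEthernet0/10
 description user access port
 switchport access vlan 20
!
interface FastEthernet0/11
 description access port - IP phone
 switchport voice vlan 100
!
"""

# Assumed naming convention; adjust to match your own descriptions.
UNMANAGED_MARKERS = ("unmanaged", "isp", "access port")
PHONE_MARKERS = ("ip phone", "voice")   # phones need CDP: documented exception


def parse_config(config):
    """Return (global_cdp, {interface: info}) where info carries the
    description, the interface-level CDP setting and the effective state
    (global 'no cdp run' overrides any interface-level setting)."""
    global_cdp = True            # IOS default
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and current is not None:
            cmd = line.strip()
            if cmd.startswith("description "):
                interfaces[current]["description"] = cmd[len("description "):]
            elif cmd == "no cdp enable":
                interfaces[current]["cdp_interface"] = False
            elif cmd == "cdp enable":
                interfaces[current]["cdp_interface"] = True
            continue
        current = None           # any non-indented line ends the block
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # interface default is CDP enabled; it is not shown in the config
            interfaces[current] = {"description": "", "cdp_interface": True}
        elif line == "no cdp run":
            global_cdp = False
        elif line == "cdp run":
            global_cdp = True
    for info in interfaces.values():
        info["cdp_effective"] = global_cdp and info["cdp_interface"]
    return global_cdp, interfaces


def audit(config):
    """List (interface, reason) for ports that still have CDP effective
    although their description marks them as unmanaged or user access."""
    _, interfaces = parse_config(config)
    findings = []
    for name, info in interfaces.items():
        desc = info["description"].lower()
        if not info["cdp_effective"]:
            continue
        if any(m in desc for m in PHONE_MARKERS):
            continue             # IP telephony relies on CDP
        if any(m in desc for m in UNMANAGED_MARKERS):
            findings.append((name, f"CDP still enabled on {info['description']!r}"))
    return findings


def remediation(findings):
    """Build the per-interface fix; global 'cdp run' is deliberately kept so
    managed infrastructure links still feed Campus Manager topology."""
    lines = []
    for name, _ in findings:
        lines += [f"interface {name}", " no cdp enable", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for name, reason in found:
        print(f"{name}: {reason}")
    print(remediation(found))
```

On the sample config the script flags GigabitEthernet0/3 and FastEthernet0/10 and leaves the managed uplink, the already-fixed ISP port and the phone port alone; running it against output of `show running-config` gives the list to hand back to the auditors.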

dionjiles Tue, 03/25/2008 - 11:09
You are right. Thanks so much... this is why I'm always in the Cisco forum... very valuable information.
