Controlling CDP protocol using ACL

Unanswered Question
Mar 30th, 2017
User Badges:


One of my clients asked me the below requirement.

"I wan to run CDP to all my Cisco Devices but under an ACL. The CDP will run only my LAN/WAN Devices which is allowed by IP/MAC address through an ACL.Only match IP addresses device will talk/communicate with each other."

I want to know if it is possible to meet the requirement using ACL ..

And I also know that it can be done using Cisco ISE,RADIUS-Authorization feature. but as client wants to do it by ACL , so I need a specific answer.

Best Regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Tagir Temirgaliyev Thu, 03/30/2017 - 20:28
User Badges:
  • Silver, 250 points or more

as I know CDP is layer 2 protocol. so you can not block it using match IP address ACL.

you can block it using layer 2 ACL with source mac address and destination multicast mac address CDP.

layer 2 ACL only supported in switches. not routers.

I actually never tryed to do so.

Rolf Fischer Thu, 03/30/2017 - 22:40
User Badges:
  • Blue, 1500 points or more


this is a quite unusual requirement and I don't know what benefit your customer expects from it.

However, I think you could try to use the Embedded Event Manager (EEM).

As you probably know, you can enable or disable CDP on a per-interface basis. With EEM you could use link-down events to disable CDP on a link and link-up events to verify that the connected device is allowed and then enable CDP on the link.

I'm sure you'll find help with writing an applet or script for this in the EEM section of this forum.



This Discussion