Disabling Cisco Discovery Protocol (“CDP”)

(This topic was noted as being covered by Cisco Network Academy CCNA training “Exploration 3” slide “2.4.4.3”. That information may be helpful for anybody with current access to Cisco's CCNA training material, which has been made available to people who signed up for college courses that use official Cisco training material.)

Note: people who are interested in obtaining the Cisco Certified Network Associate (CCNA) Routing and Switching certification have some reason to be somewhat familiar with CDP. Overall, CDP may reveal information that doesn't need to be revealed, and there is no compelling reason why it really must be used on a production-level network. However, it is a process that Cisco has developed, and Cisco may want people who get Cisco's certifications to be familiar with Cisco's technologies. So, even if this doesn't need to be used in actual production networks, people planning to get the certification should not necessarily dismiss this protocol as something that is completely useless to know about.

The Cisco Discovery Protocol (“CDP”) sends a request for information about a device. Technicians can then use the reported information to learn about that device.

Why disabling CDP is good
Security Risk

Note: Many people consider Cisco Discovery Protocol (“CDP”) to be something that is best disabled, because Cisco Discovery Protocol is a security risk. There is even some information from Cisco which seems to back up this view:

Cisco documentation: “Device Resiliency and Survivability”, section about “Cisco Discovery Protocol (CDP)”, states, “The best practice is to disable CDP globally when the service is not used, or per interface when CDP is still required.” ... “As a general practice, CDP should not be enabled on interfaces that connect to external networks, such as the Internet.”

Cisco documentation: “Disable CDP Unless Needed” section states, “If CDP is needed, then consider disabling CDP on a per-interface basis.”

Cisco Guide to Harden Cisco IOS Devices states, “CDP must be disabled on all interfaces that are connected to untrusted networks.” ... “Alternatively, CDP can be disabled globally”. “LLDP is similar to CDP.” ... “LLDP must be treated in the same manner as CDP and disabled on all interfaces that connect to untrusted networks.”
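The guidance quoted above (disable globally when unused, otherwise per interface, and treat LLDP the same way) expressed as Cisco IOS configuration. This is an added example, not text from the original page or from Cisco's documents; the interface name GigabitEthernet0/1 and its role as an untrusted uplink are assumptions.

```cisco
! Added example (not from the original page). Pick ONE of the two
! approaches below; the interface name is an assumption.
!
! Approach 1: CDP is not used anywhere, so turn it off device-wide.
configure terminal
 no cdp run
 no lldp run
 end
!
! Approach 2: CDP is still required on some ports (so it stays running
! globally), but it is turned off on the interface that faces an
! external or untrusted network. LLDP is silenced on the same interface.
configure terminal
 cdp run
 interface GigabitEthernet0/1
  description Uplink to external network (untrusted)
  no cdp enable
  no lldp transmit
  no lldp receive
  exit
 end
!
! Verification. After Approach 1, "show cdp" reports that CDP is not
! enabled. After Approach 2, "show cdp interface" should no longer list
! GigabitEthernet0/1, and "show cdp neighbors" should show no neighbor
! learned through it. "show lldp" / "show lldp neighbors" are the LLDP
! counterparts.
show cdp
show cdp interface
show cdp neighbors
show lldp
show lldp neighbors
```

Remember to save the running configuration (for example with “copy running-config startup-config”) so the setting survives a reload.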

Cisco documentation, “Secure Cisco Discovery Protocol”, states, “The Cisco Discovery Protocol does not possess inherent security” ... “and is vulnerable to attacks.”

When using the Cisco Configuration Professional software, and choosing “Perform security audit”, “Disable CDP” is one of the recommended improvements.

(No directions are provided here at this time.)

Interoperability limitations

Cisco Guide to Harden Cisco IOS Devices states, “Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. However, this protocol allows interoperability between other devices that do not support CDP.”

In other words, it sounds like LLDP provides similar benefits but isn't vendor-specific. So, many upsides, and no real downside for an end user who might use equipment from another vendor.

To be fair to the article that was just quoted, the context is that it was a security guide recommending that people disable LLDP for the same reason that the article recommends disabling CDP, which is mainly that these protocols “can be used by a malicious user for reconnaissance and network mapping.”

An opinion

Quick commentary: It is the opinion of the author of this text that CDP is generally not very useful in practice. Information about the equipment ought to be obtainable by checking documentation, or by using SSH (or perhaps another protocol mentioned among the In-Band management options listed in the section about Seeing Output on Cisco Equipment). A noteworthy characteristic of CDP is that it is a proprietary protocol that belongs to Cisco. That characteristic might not help anyone other than Cisco, but it is something that Cisco may see as a benefit, and it might even be the primary reason why Cisco endorses this method, particularly over LLDP. Being a Cisco-proprietary method of doing things, this protocol is most certainly something that Cisco might expect people to learn about when completing official Cisco training and/or preparing for an official Cisco certification like the current Cisco Certified Network Associate (“CCNA”) Routing and Switching certification.

So, people who are learning Cisco's stuff as part of a formal program may benefit from learning about such a protocol, mainly because it is required knowledge, and not so much because of any great usefulness in practice.

(It is noted that no sample command is currently provided here. Presumably that will change.)