Cisco Discovery Protocol. Many of us out here have a love/hate relationship with it. I for one (and I fear I could be in the minority) like it. Security, overhead, and multi-vendor environments are generally the biggest downsides to CDP. I can agree with the third point, but I can defend the first and second.
Allow me to paint the picture which inspired these words. A standard afternoon in Melbourne, Australia. Four-seasons-in-one day styled weather; sunny and twenty-six degrees one minute and sub-ten degrees and raining the next. The office room was full of discussions regarding best practice and security discussions. Mainly observing how these creatures were interacting for control of the meeting, I chimed in with a statement when LAN security came up. “You will be enabling CDP across your switches?” The comment was chuckled at in unison with some raised eyebrows. “Of course not,” was the reply. With the following points, I made my argument and defended my belief of the reasons I like this protocol.
By default, most people leave CDP running. CDP contains juicy information regarding hostname, management IP, local and remote interfaces, IOS version, platform and VTP domain. Rather useful information for ‘ne’er-do-wells’ attempting to break in.
Well, it is possible to control this information. There are two ways to do this.
switch(config)# no cdp run
This global command disables CDP traffic from being generated by the switch. However, unless the device has all interfaces facing the Internet, there is no real need to disable CDP across the entire platform. You can disable CDP from being sent from the switch on a per-interface level.
switch(config)# int gi0/10
switch(config-if)# no cdp enable
This is where my argument for CDP begins. This deployment was an enterprise refresh and included many points of entry. Being in higher education, I have found that kids like to practice what is preached in class. With that, I proposed the first of a few suggestions: disable CDP on the interfaces below, so that the devices attached to them cannot sniff or read these packets.
- WAN interfaces
- Desktop access ports
- Internet facing interfaces
- Lightweight Access Points
- IP Phones
- Wireless LAN Controllers
By restricting the interfaces from which CDP traffic is sent, you in turn reduce the overhead on your links. With 1Gbps standard these days, and 10, 40, and 100Gbps Ethernet floating around, if CDP’s impact on bandwidth utilization is a concern, then I think you have important issues to address.
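An added example (mine, not part of the original post) of auditing the per-interface approach described above: it parses a constructed IOS running-config excerpt, works out which interfaces still send CDP (global `cdp run` plus any per-port `no cdp enable`), and flags ports whose description marks them as untrusted. The description keywords and interface names are assumptions for the sample.

```python
import re
from typing import Dict, List

# Constructed sample IOS running-config excerpt, not taken from the post.
SAMPLE_CONFIG = """\
hostname core-sw1
cdp run
!
interface GigabitEthernet0/1
 description uplink to dist-sw1
!
interface GigabitEthernet0/10
 description desktop access port
 no cdp enable
!
interface GigabitEthernet0/11
 description desktop access port
!
interface GigabitEthernet0/24
 description internet facing
 no cdp enable
!
"""

def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map interface -> {'cdp': bool, 'description': str}. While 'cdp run' is in
    effect IOS sends CDP on every port unless that port carries 'no cdp enable'."""
    lines = config.splitlines()
    global_cdp = not any(l.strip() == "no cdp run" for l in lines)
    result: Dict[str, dict] = {}
    current = None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = {"cdp": global_cdp, "description": ""}
        elif current and line.startswith(" "):   # indented = inside the interface block
            body = line.strip()
            if body == "no cdp enable":
                result[current]["cdp"] = False
            elif body.startswith("description "):
                result[current]["description"] = body[len("description "):]
        else:
            current = None                        # '!' or a global line ends the block
    return result

def cdp_exposed(config: str, untrusted: str = r"desktop|internet|wan") -> List[str]:
    """Interfaces whose description marks them untrusted but that still send CDP."""
    pat = re.compile(untrusted, re.IGNORECASE)
    return sorted(name for name, i in parse_interfaces(config).items()
                  if i["cdp"] and pat.search(i["description"]))
```

Running `cdp_exposed(SAMPLE_CONFIG)` reports only GigabitEthernet0/11: the uplink is trusted and keeps CDP, and the other untrusted ports already have it disabled.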