Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-221017 | CISC-RT-000370 | SV-221017r856412_rule | Low |
Description |
---|
CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. |
STIG | Date |
---|---|
Cisco IOS-XE Switch RTR Security Technical Implementation Guide | 2022-09-13 |
Check Text ( C-22732r408845_chk ) |
---|
Step 1: Verify if CDP is enabled globally as shown below: cdp run By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2. Step 2: Verify CDP is not enabled on any external interface as shown in the example below: interface GigabitEthernet2 ip address z.1.24.4 255.255.255.252 … … … cdp enable If CDP is enabled on any external interface, this is a finding. |
Fix Text (F-22721r408846_fix) |
---|
Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command. |