Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-216585 | CISC-RT-000370 | SV-216585r531085_rule | Low |
| Description |
|---|
| CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media- and protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. |
| STIG | Date |
|---|---|
| Cisco IOS Router RTR Security Technical Implementation Guide | 2020-09-23 |
Details
| Check Text ( C-17820r287133_chk ) |
|---|
| This requirement is not applicable for the DODIN Backbone. Step 1: Verify CDP is not enabled globally via the command no cdp run By default CDP is enabled globally; hence, the command cdp run will not be shown in the configuration. If CDP is enabled, proceed to step 2. Step 2: Verify CDP is not enabled on any external interface as shown in the example below. interface GigabitEthernet0/1 ip address x.1.23.2 255.255.255.252 no cdp enable Note: By default CDP is enabled on all interfaces if CDP is enabled globally. If CDP is enabled on any external interface, this is a finding. |
| Fix Text (F-17816r287134_fix) |
|---|
| This requirement is not applicable for the DODIN Backbone. Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command. |