Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-221097 | CISC-RT-000370 | SV-221097r622190_rule | Low |
Description |
---|
CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. |
STIG | Date |
---|---|
Cisco NX-OS Switch RTR Security Technical Implementation Guide | 2021-03-29 |
Check Text ( C-22812r409780_chk ) |
---|
Step 1: Verify CDP is not enabled globally via the command no cdp enable By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2. Step 2: Verify CDP is not enabled on any external interface as shown in the example below: interface Ethernet2/2 description link to DISN no switchport no cdp enable Note: By default CDP is enabled on all interfaces if CDP is enabled globally. If CDP is enabled on any external interface, this is a finding. |
Fix Text (F-22801r409781_fix) |
---|
Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command. |