Disabling the Cisco Discovery Protocol

Problem

You don’t want to allow adjacent devices to gain information about this router for security reasons.

Solution

You can disable CDP on a single interface by using the command no cdp enable interface configuration command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#cdp run
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no cdp enable
Router1(config-if)#end
Router1#

And you can disable all CDP on the router with the global configuration command, no cdp run:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#no cdp run
Router1(config)#end
Router1#

Discussion

CDP can be an extremely useful feature because it tells you so much information about all of your neighboring devices. However, this can also represent a serious security problem. CDP packets are not encrypted in any way, so if somebody can just capture the CDP packets from a network segment as they pass between the routers, they can easily deduce a lot about your network architecture. And if they can get access to the router either via Telnet or SNMP, they can use the CDP tables to discover the entire topology of your network at Layer 2 and 3, including all IOS levels, router and switch model types, and IP addressing. If somebody was armed with this information and a Cisco bug list, they could launch a very effective attack against your network.

For this reason, many ...

Get Cisco IOS Cookbook, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.