Cisco Discovery Protocol

The Cisco Discovery Protocol, or CDP, is a proprietary protocol usable with Cisco networking devices for topological discovery. We've all had the happy experience of being called upon to work on a network whose topology we don't know; sometimes, in fact, part of the job is to figure that out.

CDP is media and protocol independent; it works with SNMP, using a set of MIBs known as CISCO-CDP-MIB, which depends on the presence of a number of other MIBs. Although it can report Layer 3 information, it is not routable. Instead, CDP runs over Layer 2 using the Subnetwork Access Protocol (SNAP). Based on configurable timers, CDP devices send periodic updates to a multicast address; included in the configurable timers is a hold time (or time to live) for the update. Each update includes information about at least one interface on the reporting device that can receive SNMP traffic.

By operating at Layer 2, the CDP information goes only to the immediately adjacent Cisco device; CDP packets are not forwarded among CDP devices.

However, by working through the devices one at a time, a patient person can derive the network topology, because the information given in a CDP update is extremely useful (to a legitimate network administrator or to a hacker). Which information you get depends on whether you enter a simple show cdp neighbors or the more informative show cdp neighbors detail.

The first command (show cdp neighbors) yields this information about every connected CDP-enabled neighbor:

  • Device ID (name on the network)

  • Local interface (the connected port on this device)

  • Hold time (how long the information remains valid)

  • Capability (reported as a code for router, switch, trans bridge, source route bridge, host, IGMP, or repeater)

  • Platform (the device hardware type, such as 7206VXR)

  • Port ID (the port on the distant device, such as Fas0/0/0)

With the second command (show cdp neighbors detail), in addition to the previously listed information, you (or a hacker) can learn this:

  • IP address of the distant interface

  • Duplex setting

  • CDP version in use

  • Software version running on the device

Although this is extremely useful if you have just inherited a network whose diagrams are dated (if anyone can find diagrams), it is also a wonderful exploratory tool for a hacker. Without going into too much detail, suppose that you have a simple network topology such as the one in Figure 5.1.

Figure 5.1. A simple network topology.


Figure 5.1 shows redundant access to the Internet via two perimeter routers (PR1 and PR2), with redundant distribution into the network core via two distribution routers (DR1 and DR2). Let's think about what you can learn with access to PR2.

From PR2, you can learn about the existence, name, software version, and so on, of both DR1 and DR2. You can also learn the IP address to try to Telnet in. Because these routers are inside the perimeter, they might very well allow a Telnet connection from a fellow network member. From either of those, you can learn everything about the other DR, PR1, and core devices (probably two or more core routers). From any of the core routers, you can learn about their neighbors, and so on through the network.
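As an added illustration (not code from the book), here is a small Python parser that turns constructed show cdp neighbors detail output, as it might be read on PR2, into the per-neighbor inventory the chapter lists: device ID, local interface, hold time, capabilities, platform, port ID, IP address, duplex, CDP version, and software version. The sample output, the hostnames DR1 and DR2, the addresses, and the version strings are all made up; the field layout follows IOS, but output varies between platforms, so the regular expressions are an assumption to check against a real capture. Seeing the fields land in a structured record makes the exposure concrete: every value in the record is what any host on the adjacent segment receives in the multicast update, which is the reason the chapter recommends disabling CDP at the edge.

```python
import re
from typing import Dict, List

# Constructed sample of `show cdp neighbors detail` output, as it might be
# read on PR2 in Figure 5.1. Hostnames, addresses and version strings are
# made up for this example; they are not from a real device.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: DR1
Entry address(es):
  IP address: 10.0.0.2
Platform: cisco 7206VXR,  Capabilities: Router Switch IGMP
Interface: GigabitEthernet0/0,  Port ID (outgoing port): FastEthernet0/0/0
Holdtime : 152 sec

Version :
Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc1)

advertisement version: 2
VTP Management Domain: 'CORP'
Duplex: full
-------------------------
Device ID: DR2
Entry address(es):
  IP address: 10.0.0.3
Platform: cisco 7206VXR,  Capabilities: Router
Interface: GigabitEthernet0/1,  Port ID (outgoing port): FastEthernet0/0/0
Holdtime : 134 sec

Version :
Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc1)

advertisement version: 2
Duplex: half
"""

# One pattern per advertised field (assumed IOS layout; adjust for your platform).
FIELD_PATTERNS = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip_address": re.compile(r"^\s*IP address:\s*(\S+)", re.M),
    "platform": re.compile(r"^Platform:\s*(.*?),\s+Capabilities:\s*(.*?)\s*$", re.M),
    "interface": re.compile(r"^Interface:\s*(\S+?),\s+Port ID \(outgoing port\):\s*(\S+)", re.M),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)\s*sec", re.M),
    "version": re.compile(r"^Version\s*:\s*\n(.+)$", re.M),
    "cdp_version": re.compile(r"^advertisement version:\s*(\d+)", re.M),
    "duplex": re.compile(r"^Duplex:\s*(\S+)", re.M),
}


def _grab(key: str, entry: str, group: int = 1) -> str:
    """Return the requested capture group for one field, or "" if absent."""
    match = FIELD_PATTERNS[key].search(entry)
    return match.group(group).strip() if match else ""


def parse_cdp_detail(text: str) -> List[Dict[str, str]]:
    """Split the output on its dashed separator lines and extract each
    neighbor's advertised fields into a flat record."""
    neighbors: List[Dict[str, str]] = []
    for entry in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in entry:
            continue  # leading fragment or trailing whitespace, not a neighbor
        neighbors.append({
            "device_id": _grab("device_id", entry),
            "ip_address": _grab("ip_address", entry),
            "platform": _grab("platform", entry, 1),
            "capabilities": _grab("platform", entry, 2),
            "local_interface": _grab("interface", entry, 1),
            "port_id": _grab("interface", entry, 2),
            "holdtime_sec": _grab("holdtime", entry),
            "software_version": _grab("version", entry),
            "cdp_version": _grab("cdp_version", entry),
            "duplex": _grab("duplex", entry),
        })
    return neighbors


def exposure_report(neighbors: List[Dict[str, str]]) -> List[str]:
    """One line per neighbor summarising what the update hands to every
    host on the adjacent segment: name, address, platform, and link details."""
    return [
        f'{n["device_id"]} at {n["ip_address"]} ({n["platform"]}; {n["capabilities"]}) '
        f'via {n["local_interface"]} -> {n["port_id"]}, CDPv{n["cdp_version"]}, '
        f'duplex {n["duplex"]}, software: {n["software_version"]}'
        for n in neighbors
    ]


def next_hops(neighbors: List[Dict[str, str]]) -> List[str]:
    """Addresses an administrator would query next when mapping the topology
    device by device, as the chapter describes."""
    return sorted({n["ip_address"] for n in neighbors if n["ip_address"]})


if __name__ == "__main__":
    found = parse_cdp_detail(SAMPLE_CDP_DETAIL)
    print("\n".join(exposure_report(found)))
    print("next hops:", ", ".join(next_hops(found)))
```

Run against a saved capture of the command's output on each device you reach, and the records accumulate into the topology inventory the chapter walks through by hand; the same script run before and after the configuration change in the next section shows whether the edge device has stopped advertising.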

Configuring CDP

From this terribly simple example, you can appreciate how much information can be gleaned about your network just from a weakness in one device. That's why the SAFE Blueprint recommends turning off CDP. If you need to use CDP inside your network, disable it on your edge devices and on the interfaces of the devices that connect to your edge devices. To disable CDP globally on a router, use this command in global configuration mode:

    no cdp run

To disable it on a particular router interface, use this command in interface configuration mode:

    no cdp enable

On a switch, you can disable CDP globally with this command:

    set cdp disable

On a given port, use this command:

    set cdp disable [mod_num/port_num]

The last item designates the module and port (or range of ports) to disable.
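The router steps above can be checked rather than applied by hand. The following Python script is an added example, not part of the book: it reads a constructed IOS running-config (hostname PR2, with made-up interface names and addresses), records whether no cdp run is set globally and which interfaces carry no cdp enable, and emits the no cdp enable commands still needed on a list of edge interfaces you supply. It assumes the IOS conventions that an interface with neither cdp enable nor no cdp enable shown is at the default (CDP on), that interface sub-commands are indented by one space, and that ! closes a section. The CatOS set cdp disable syntax for switches is not covered.

```python
from typing import Any, Dict, Iterable, List, Tuple

# Constructed IOS running-config for the perimeter router PR2 of Figure 5.1.
# Interface names and addresses are made up for this example.
SAMPLE_CONFIG = """\
hostname PR2
!
interface GigabitEthernet0/0
 description Link to DR1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Link to DR2
 ip address 10.0.0.5 255.255.255.252
 no cdp enable
!
interface Serial0/0
 description Internet uplink (edge)
 ip address 198.51.100.2 255.255.255.252
!
end
"""


def parse_running_config(config: str) -> Dict[str, Any]:
    """Record the global CDP state and each interface's CDP state.

    Assumed IOS conventions: CDP is on globally and on every interface unless
    `no cdp run` / `no cdp enable` appears, sub-commands are indented by one
    space, and `!` closes a section.
    """
    global_cdp = True
    interfaces: Dict[str, bool] = {}
    current = None  # name of the interface block being read, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                cmd = line.strip()
                if cmd == "no cdp enable":
                    interfaces[current] = False
                elif cmd == "cdp enable":
                    interfaces[current] = True
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, True)  # default: CDP on
        elif line == "no cdp run":
            global_cdp = False
        elif line == "cdp run":
            global_cdp = True
    return {"global_cdp": global_cdp, "interfaces": interfaces}


def audit_cdp(config: str, edge_interfaces: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare the config against the chapter's rule (CDP off on edge
    interfaces) and return (findings, remediation commands)."""
    state = parse_running_config(config)
    findings: List[str] = []
    remediation: List[str] = []
    if not state["global_cdp"]:
        findings.append("CDP is disabled globally (no cdp run); nothing is advertised")
        return findings, remediation
    per_if: Dict[str, bool] = state["interfaces"]
    for name in edge_interfaces:
        enabled = per_if.get(name)
        if enabled is None:
            findings.append(f"{name}: not present in configuration")
        elif enabled:
            findings.append(f"{name}: CDP still enabled on an edge interface")
            remediation += [f"interface {name}", " no cdp enable"]
        else:
            findings.append(f"{name}: CDP disabled")
    return findings, remediation


if __name__ == "__main__":
    found, fixes = audit_cdp(SAMPLE_CONFIG, ["Serial0/0", "GigabitEthernet0/1"])
    print("\n".join(found))
    if fixes:
        print("\nCommands to enter in configuration mode:")
        print("\n".join(fixes))
```

On the sample config the script reports Serial0/0 as still advertising and produces the two lines to enter for it; a config that begins with no cdp run produces no remediation at all, which mirrors the chapter's point that the global command makes the per-interface ones unnecessary.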


The switch command syntax seems quite straightforward, but the router commands might seem backward. Nonetheless, you should get all these commands straight. You might need to know which command is used where for more than one Cisco certification exam.


CDP Versions

CDP has only the original version (CDP) and a second version (CDPv2). The second version is the default on newer releases (beginning with 12.0T). It added the capability to exchange information on VTP management domain name, native VLAN, and full/half-duplex status (which can prove useful in switch troubleshooting because VLAN and duplex mismatches are displayed).



CCSP CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines