Disable CDP on your networking gear


CDP is a network discovery protocol for Cisco equipment which allows it to discover adjacent networking gear, and it is enabled by default.  The 0-day vulnerabilities found by Armis take advantage of it being enabled to effect complete compromise of affected gear.

In this post, I will speak mainly to Cisco users, but also go into some other vendors as well.

Per Armis, an MSSP out of Palo Alto, they discovered 5 0-day vulnerabilities in CDP, the Cisco Discovery Protocol.

What you can do to disable CDP on affected Cisco gear is the following:

enable
conf t
no cdp run
end
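If you manage more than a handful of devices, it helps to check saved configs rather than trust that the commands above were applied everywhere.  The following is an added example, not part of the original post: it parses a `show running-config` text offline and reports whether CDP is still running globally and on which interfaces.  The sample config is constructed, and the parser only looks at the `cdp run` / `cdp enable` keywords.

```python
"""Audit a saved Cisco IOS running-config for CDP exposure (added example)."""
import re

# Constructed sample: CDP is on by default; only Gi1/0/2 disables it per port.
SAMPLE_CONFIG = """\
!
hostname edge-sw1
!
interface GigabitEthernet1/0/1
 description uplink to core
!
interface GigabitEthernet1/0/2
 description user port
 no cdp enable
!
interface GigabitEthernet1/0/3
 description printer
 cdp enable
!
end
"""


def audit_cdp(config: str) -> dict:
    """Return {'global': bool, 'interfaces': {name: bool}}; True means CDP is on."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # IOS default: the CDP process runs unless 'no cdp run' is in global config.
    global_on = not any(ln == "no cdp run" for ln in lines)
    interfaces = {}
    current = None
    for ln in lines:
        m = re.match(r"^interface (\S+)", ln)
        if m:
            current = m.group(1)
            interfaces[current] = True  # per-interface default: enabled
            continue
        if current is None:
            continue
        stripped = ln.strip()
        if stripped == "no cdp enable":
            interfaces[current] = False
        elif stripped == "cdp enable":
            interfaces[current] = True
        elif not ln.startswith(" "):
            current = None  # unindented line: left the interface block
    # A port only actually speaks CDP when the global process is running too.
    effective = {name: (on and global_on) for name, on in interfaces.items()}
    return {"global": global_on, "interfaces": effective}


def exposed_interfaces(report: dict) -> list:
    """Names of interfaces that will still send and accept CDP frames."""
    return sorted(name for name, on in report["interfaces"].items() if on)
```

Run `audit_cdp` over each exported config and treat any non-empty `exposed_interfaces` result as a device that still needs `no cdp run`.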

Dell PowerConnect switches use a proprietary protocol called ISDP, which communicates with Cisco equipment over CDP.  Note that LLDP and LLDP-MED are not the same as CDP, and should be left alone if you have configured them explicitly.

Per a Dell user guide:

CDP Interoperability through ISDP

Industry Standard Discovery Protocol (ISDP) allows the PowerConnect switch to interoperate with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is a proprietary Layer 2 network protocol which interoperates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches).

The switch software participates in the CDP protocol and is able to both discover and be discovered by other CDP-supporting devices.

On Dell PowerConnect switches, ISDPv1 and ISDPv2 are enabled globally on all ports.  If needed, you can disable both globally, and set them per interface.

Likewise on HP ProCurve switches, you can disable globally, and enable per port – https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8160_ssw_mcg/content/ch06s11.html
