Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Turn off cdp

Status
Not open for further replies.
Flyers01

Flyers01

Technical User
May 19, 2008
62
US
I was told to turn cdp off on all cisco switches except for the uplink ports. What is the the benefit of these.
 
Sort by date Sort by votes
It stops CDP being sent on those ports.....

It can be considered a security risk - i.e. someone puts a sniffer on and captures the CDP packets sent from the switch, they will then determine its hostname and IP address, potentially leading to them trying to telnet/ssh/http to it (attack?).

Personally I would use other techniques to mitigate attacks as I think CDP is an excellent troubleshooting tool - i.e. apply ACL's to the VTY lines & HTTP/HHTPS (if enabled) and apply a service-policy to the control-plane.

HTH

Andy
 
Upvote 0 Downvote
Also, it's not really a security risk if the device is not on the edge of the network---cdp can only be used to compromise an edge device.

Burt
 
Upvote 0 Downvote
Make sure that you do not have CISCO phones on the network as turning off CDP will cease all IP phones quickly.

 
Upvote 0 Downvote
Actually turning off CDP won't stop Cisco phones. It will just prevent them from detecting the Voice VLAN and sending PoE Power requirements via CDP, so the switch (unless they are new phones that support 802.3af PoE) will just supply 15.4W of power per port. If the same options are in DHCP for the Access & Voice VLANs then the phones will just appear in the Access VLAN.

Andy
 
Upvote 0 Downvote
Andy,
how would you get them in the voice VLAN where they belong then? I know this is out of the scope of the original question but I was just wandering.
 
Upvote 0 Downvote
how would you get them in the voice VLAN where they belong then? I know this is out of the scope of the original question but I was just wandering.
Click to expand...

You wouldn't, they would be in the access VLAN (unless you manually configured it on the phone). If the same options are in the access VLAN scope (i.e. Option 150) then the phone will happily boot, lease an IP address in the access VLAN and attempt to register with the CCM.

Voice VLAN's are anything clever, just a way of segmenting your Voice & Data traffic on a switch. An IP Phone doesn't need a Voice VLAN to operate.

Andy
 
Upvote 0 Downvote
There really needs to be an 'edit' option on the forum...

I meant to write 'Voice VLAN's aren't anything clever'

Andy
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sidwick30
  • Locked
  • Question
Public Server vs. using NAT for STUN / TURN servers
Replies
2
Views
68
burtsbees
burtsbees
xdxml12
  • Locked
  • Question
CDP
Replies
2
Views
70
tphethai
tphethai
AmgadElsharony
  • Locked
  • Question
can i configure Avaya IP Office on Cisco Switch ?
Replies
1
Views
57
madwok
madwok
checker1965
  • Locked
  • Question
Avaya IP Office LAN1 and LAN2 network connection problems
Replies
2
Views
75
checker1965
checker1965
avedei
  • Locked
  • Question
STP keeps cutting the wifi off
Replies
0
Views
42
avedei
avedei

Part and Inventory Search

Sponsor

Back
Top