[c-nsp] CDP agent for hosts
Roland Dobbins
rdobbins at cisco.com
Mon Jun 18 22:16:38 EDT 2007
On Jun 19, 2007, at 9:01 AM, ChrisSerafin wrote:
> I disable CDP for security reasons, but in a
> large environment like that I guess it would make sense.
Disabling CDP at all the edges is a good security measure; disabling
it on core/distribution interfaces can actually hinder security, as
tasks such as performing manual traceback using Netflow, etc., are
greatly hindered without the CDP information (if there are outsiders
in one's core who can type sh commands, one has bigger problems than
CDP, anyways, heh).
So, I would recommend disabling it on -all- edge interfaces (peering/
transit, customer, broadband access, IDC access, internal LAN access,
DCN access, etc.), but also recommend thinking about leaving it
enabled on the non-edge interfaces, FWIW.
----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Equo ne credite, Teucri.
-- Laocoön
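A small audit check for the policy above (edge interfaces with CDP off, core interfaces left alone), added here as an example and not part of the original post: it parses an IOS-style running-config, classifies interfaces by description keywords taken from the edge list in the message, and reports edge interfaces where CDP is still enabled. The sample config, the keyword-to-edge mapping and the assumption that descriptions carry a role tag are constructed for this example.

```python
"""Flag edge interfaces that still have CDP enabled in an IOS-style config.

Assumptions (constructed for this example): interface descriptions carry a
role keyword, and "cdp run" is global with per-interface "no cdp enable".
"""
import re

# Edge roles from the post: peering/transit, customer, broadband, IDC, LAN, DCN.
EDGE_RE = re.compile(r"\b(peering|transit|customer|broadband|idc|lan|dcn)\b", re.I)

# Constructed sample running-config; not from any real device.
SAMPLE_CONFIG = """\
cdp run
!
interface GigabitEthernet0/0
 description CORE: uplink to dist-1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description CUSTOMER: acme-corp
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description PEERING: ixp
 no cdp enable
!
"""


def parse_interfaces(config):
    """Return {name: {"description": str, "cdp": bool}} per interface stanza."""
    lines = config.splitlines()
    cdp_global = any(line.strip() == "cdp run" for line in lines)
    interfaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            # CDP is on per-interface by default whenever "cdp run" is set.
            interfaces[current] = {"description": "", "cdp": cdp_global}
        elif current and line.startswith(" "):
            body = line.strip()
            if body.startswith("description "):
                interfaces[current]["description"] = body[len("description "):]
            elif body == "no cdp enable":
                interfaces[current]["cdp"] = False
            elif body == "cdp enable":
                interfaces[current]["cdp"] = True
        else:
            current = None  # "!" or a global line ends the stanza
    return interfaces


def cdp_edge_violations(config):
    """Names of edge interfaces (by description keyword) with CDP still on."""
    return sorted(name for name, info in parse_interfaces(config).items()
                  if EDGE_RE.search(info["description"]) and info["cdp"])


if __name__ == "__main__":
    print(cdp_edge_violations(SAMPLE_CONFIG))  # ['GigabitEthernet0/1']
```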