[c-nsp] Possible security issue with CDP

Gert Doering gert at greenie.muc.de
Sat Jun 28 04:56:38 EDT 2008


Hi,

On Fri, Jun 27, 2008 at 10:13:36AM -0700, Brandon Price wrote:
> I am sure this is a stupid question but I have to ask..
> 
> Is there any compelling reason to run CDP in a service provider
> environment?

We like it.  In a mostly-Cisco-Shop it's very convenient to see what is
connected where - even if perfect documentation would exist, it's useful
to check whether the documentation is correct :-) - but sometimes things
are set up in a hurry and documentation is less than perfect.

Even better, you can use it on a server to see which switchport it's
connected to.

> Ever since I discovered that CDP existed I have been disabling it.
> It seems like its entire purpose is to annoy people with inaccurate
> console messages about duplex and vlan mismatches.....

Usually the duplex mismatches are only inaccurate if there is a non-cisco
switch in between - in which case they are not overly useful.

Whether VLAN mismatch messages are useful or not depends a lot on the
setup - inside the ISP network, a well-designed network shouldn't have
VLAN mismatches, so it's useful.  Towards customer devices, things are
different, because they usually use different VLAN numbers - and there,
there could be good reasons for turning off CDP altogether.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
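As an added example (not part of Gert's message or anything posted in the cisco-nsp thread), the decoder below shows the host-side use he mentions: parsing the CDP advertisement a server receives to learn which switch and port it hangs off, and checking the advertised native VLAN and duplex against what the host was configured for, which is exactly the kind of mismatch the console messages complain about. The TLV type numbers (0x0001 Device ID, 0x0003 Port ID, 0x0006 Platform, 0x000a Native VLAN, 0x000b Duplex) and the version/TTL/checksum header layout are the standard CDP ones; the sample frame is constructed here, not a real capture, and the checksum is not verified (an assumption made to keep the example short).

```python
"""Decode the TLVs in a CDP advertisement and flag native-VLAN or duplex
mismatches against what the receiving host expects.

Added example, not from the original post: SAMPLE_PAYLOAD is constructed,
not captured. The payload is the part of the frame after the SNAP header
(protocol 0x2000): version, TTL, 16-bit checksum, then a run of TLVs."""
import struct

CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_PORT_ID = 0x0003
CDP_TLV_PLATFORM = 0x0006
CDP_TLV_NATIVE_VLAN = 0x000A
CDP_TLV_DUPLEX = 0x000B


def _tlv(tlv_type, value):
    # A CDP TLV is: 2-byte type, 2-byte length (which covers the 4-byte
    # header as well), then the value bytes.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_payload(device_id, port_id, native_vlan, full_duplex, version=2, ttl=180):
    """Assemble a constructed CDP payload. The checksum field is left zero
    because the parser below does not verify it (assumption for brevity)."""
    body = (
        _tlv(CDP_TLV_DEVICE_ID, device_id.encode())
        + _tlv(CDP_TLV_PORT_ID, port_id.encode())
        + _tlv(CDP_TLV_PLATFORM, b"constructed-sample-platform")
        + _tlv(CDP_TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
        + _tlv(CDP_TLV_DUPLEX, bytes([1 if full_duplex else 0]))
    )
    return struct.pack("!BBH", version, ttl, 0) + body


def parse_cdp_payload(payload):
    """Return a dict of the neighbour fields a host admin cares about.
    Raises ValueError on truncated or malformed input instead of reading
    past the end of the buffer."""
    if len(payload) < 4:
        raise ValueError("CDP payload too short for header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise ValueError("unsupported CDP version %d" % version)
    info = {"version": version, "ttl": ttl}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (tlv_len, off))
        value = payload[off + 4:off + tlv_len]
        if tlv_type == CDP_TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == CDP_TLV_DUPLEX and len(value) == 1:
            info["duplex"] = "full" if value[0] == 1 else "half"
        # Unknown TLV types are skipped rather than rejected: CDP v2 defines
        # many more (addresses, capabilities, VTP domain, ...) than we need.
        off += tlv_len
    return info


def check_against_expectation(info, expected_vlan, expected_duplex="full"):
    """Compare what the switch advertises with the host's own configuration.
    Returns a list of mismatch descriptions; empty when they agree."""
    problems = []
    if "native_vlan" in info and info["native_vlan"] != expected_vlan:
        problems.append("native VLAN %d advertised, host expects %d"
                        % (info["native_vlan"], expected_vlan))
    if "duplex" in info and info["duplex"] != expected_duplex:
        problems.append("neighbour port is %s duplex, host expects %s"
                        % (info["duplex"], expected_duplex))
    return problems


# Constructed sample: a switch advertising a native VLAN the host does not expect.
SAMPLE_PAYLOAD = build_cdp_payload("sw-example-01", "GigabitEthernet1/0/7", 120, True)

if __name__ == "__main__":
    neighbour = parse_cdp_payload(SAMPLE_PAYLOAD)
    print("connected to %s port %s" % (neighbour["device_id"], neighbour["port_id"]))
    for problem in check_against_expectation(neighbour, expected_vlan=100):
        print("MISMATCH:", problem)
```

On a real host the bytes fed to `parse_cdp_payload` would come from a frame sent to the 01:00:0c:cc:cc:cc multicast address, with the LLC/SNAP header stripped first; the parser deliberately bounds-checks every TLV length, since a neighbour advertisement is untrusted input arriving on a link the host does not control.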