CDP - best practices
Cisco Discovery Protocol (CDP) is a protocol used by Cisco devices to discover and learn about neighboring devices directly connected to them. CDP is usually enabled by default, however, it is best practice to enable it only when necessary.
Some guidelines on how and when to use CDP follow:
- CDP can be a security risk as it broadcasts information about your network devices like device ID, IPv4 or IPv6 address, platform, capabilities, etc. An attacker with access to the network can use this information to understand the network topology and plan attacks.
- Non-Cisco Devices: If your network includes non-Cisco devices, enabling CDP may not be beneficial as it is a proprietary protocol and may not be supported by other vendors.
- Network Traffic: CDP messages are multicast every 60 seconds by default, which can consume unnecessary bandwidth and processing power on your network devices. In a large network with many Cisco devices, this could lead to significant network traffic.
- Unnecessary in Static Networks: If your network topology is static and doesn’t change often, there may be little benefit to having CDP enabled.
- Public Facing Interfaces: It is not advisable to enable CDP on interfaces that are facing the internet or untrusted networks. This can expose your device details to potential attackers.
- IP phones: Cisco IP phones use CDP to exchange information with the switches they're connected to, in order to correctly configure features such as the voice VLAN. If CDP is disabled, some of these processes may fail.