STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco NX OS Switch RTR Security Technical Implementation Guide

V-221097

CAT III (Low)

The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Rule ID

SV-221097r999706_rule

STIG

Cisco NX OS Switch RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-002403

Discussion

CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.

Check Content

Step 1: Verify CDP is not enabled globally via the command no cdp enable

By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface Ethernet2/2
 description link to DISN
 no switchport
 no cdp enable

Note: By default CDP is enabled on all interfaces if CDP is enabled globally.

If CDP is enabled on any external interface, this is a finding.

Fix Text

Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command.