STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS XE Switch RTR Security Technical Implementation Guide

V-221017

CAT III (Low)

The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Rule ID

SV-221017r856412_rule

STIG

Cisco IOS XE Switch RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-002403

Discussion

CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.

Check Content

Step 1: Verify if CDP is enabled globally as shown below:

cdp run

By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface GigabitEthernet2
 ip address z.1.24.4 255.255.255.252
…
 …
 …
cdp enable

If CDP is enabled on any external interface, this is a finding.

Fix Text

Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.