
V-273644

CAT III (Low)

The RUCKUS ICX perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.

Rule ID

SV-273644r1110900_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002403

Discussion

LLDPs are primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices, thereby enabling the application to send SNMP queries to those devices. LLDPs are also media- and protocol-independent as they run over the data link layer; therefore, two systems that support different network-layer protocols can still learn about each other. Allowing LLDP messages to reach external network nodes is dangerous because it gives an attacker a way to obtain information about the network infrastructure that can be useful in planning an attack.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the global configuration to verify that LLDP has been disabled on external interfaces. (LLDP is enabled on all interfaces by default.)

show running-config | include lldp

no lldp enable ports ethernet 1/1/1

If LLDP is enabled on perimeter router external interfaces, this is a finding.
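
The check above can be scripted against saved command output. The following is an added example, not part of the STIG or of RUCKUS tooling: it reads the output of `show running-config | include lldp` and reports every external port that has no matching `no lldp enable ports` line. The port list, sample output, and function names are assumptions made for illustration.

```python
import re

# One port or one range, in the two forms the STIG text shows:
#   ethernet 1/1/1    and    ethernet 1/1/x to 1/1/y
PORT_SPEC = re.compile(
    r"ethernet\s+(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?"
)

def lldp_disabled_ports(config_text):
    """Return the unit/slot/port IDs covered by 'no lldp enable ports' lines."""
    disabled = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("no lldp enable ports"):
            continue
        for m in PORT_SPEC.finditer(line):
            unit, slot, first = m.group(1), m.group(2), int(m.group(3))
            last = first
            if m.group(4) is not None:
                # Assumption: a range stays inside one unit/slot. Anything
                # else is skipped, so those ports are still reported.
                if (m.group(4), m.group(5)) != (unit, slot):
                    continue
                last = int(m.group(6))
            for port in range(first, last + 1):
                disabled.add(f"{unit}/{slot}/{port}")
    return disabled

def lldp_findings(config_text, external_ports):
    """External ports with no matching disable line (LLDP is on by default)."""
    open_ports = set(external_ports) - lldp_disabled_ports(config_text)
    return sorted(open_ports, key=lambda p: tuple(int(n) for n in p.split("/")))

# Constructed sample of `show running-config | include lldp` output.
SAMPLE_OUTPUT = """\
no lldp enable ports ethernet 1/1/1
no lldp enable ports ethernet 1/2/1 to 1/2/4
"""
# Hypothetical list of this router's external interfaces.
EXTERNAL_PORTS = ["1/1/1", "1/1/2", "1/2/3"]

if __name__ == "__main__":
    for port in lldp_findings(SAMPLE_OUTPUT, EXTERNAL_PORTS):
        print(f"FINDING: LLDP still enabled on external port ethernet {port}")
```

Because LLDP is enabled by default, a port absent from the output is treated as a finding rather than as compliant.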

Fix Text

This requirement is not applicable for the DODIN Backbone.

Disable LLDP on external interfaces of the perimeter router.

ICX(config)# no lldp enable ports ethernet 1/1/x to 1/1/y