STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS Switch RTR Security Technical Implementation Guide

V-220450

CAT III (Low)

The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Rule ID

SV-220450r856241_rule

STIG

Cisco IOS Switch RTR Security Technical Implementation Guide

Version

V3R3

CCIs

CCI-002403

Discussion

CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over Layer 2; therefore, two network nodes that support different Layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.

Check Content

Step 1: Verify if CDP is enabled globally as shown below: 

cdp run 

By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2. 

Step 2: Verify CDP is not enabled on any external interface as shown in the example below: 

interface GigabitEthernet2 
 ip address z.1.24.4 255.255.255.252 
… 
 … 
 … 
cdp enable 

If CDP is enabled on any external interface, this is a finding.

Fix Text

Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.