STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS XE Router RTR Security Technical Implementation Guide

V-216675

CAT III (Low)

The Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Rule ID

SV-216675r855822_rule

STIG

Cisco IOS XE Router RTR Security Technical Implementation Guide

Version

V3R5

CCIs

CCI-002403

Discussion

CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.

Check Content

This requirement is not applicable for the DODIN Backbone.

Step 1: Verify if CDP is enabled globally as shown below:

cdp run

By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface GigabitEthernet2
 ip address z.1.24.4 255.255.255.252
 …
 …
 …
cdp enable

If CDP is enabled on any external interface, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone.

Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.