What is Secure CDP and how does Secure CDP work ?

Captions
Hello everyone, and happy new year! It's January 1st, 2021. My name is Rafael and welcome to Network Engineer Pro. In today's video I'll be teaching you Secure CDP, that's right, Secure Cisco Discovery Protocol. It's something that not a lot of people may have heard of, so I want to make my first video of the year on this, as I think it's something that we should all at least know about, and it's really easy to configure. So I'll explain briefly what it is and why we need it, then we're going to hop on the CLI and get it configured and see it in action. We're all familiar with CDP, or maybe you're just starting out and maybe you've heard of it but you aren't sure exactly how it works. In that case, check the description of this video; I put a link to my CDP tutorial video that's going to bring you up to speed.

All right, so we know Cisco devices like routers and switches use CDP. Directly connected Cisco devices send CDP advertisements to each other with information embedded in something called a TLV, or a type-length-value. We type show cdp neighbor or show cdp neighbor detail on a router or switch and we see a lot of really helpful information about our directly connected neighbor. Those TLVs contain things like capabilities and the interface that we're connected on; we also see information like the native VLAN, IP addresses, IP prefixes configured on the device, and more. Now the problem is that we see information like the native VLAN, IP addresses and IP prefixes configured on the device, and more. Let's look at a Wireshark capture really quick so I can show you what I mean.

All right, so here's your typical CDP message. We're going to have a Device ID; this is going to be the hostname. We have our Software Version. Our Platform is Cisco. We have some IP addresses; this is one of the IP addresses configured on the remote device. We have our Port ID. We have Capabilities, whether or not the device can route, can switch; in our case this can, and it's also IGMP capable. And under IP Prefixes we have some IP prefixes here; this is used for the On-Demand Routing protocol, ODR. Here's some VTP information, the Duplex is full, and we have another IP address that we could use for management on the remote device. These are all TLVs, and this is the point of Secure CDP: we can remove, we can filter out certain things from being sent. So if we want to make sure that no IP addresses get sent, you can go ahead and filter them out. If you don't want IP prefixes to be sent in the CDP advertisement, you can filter that TLV out as well. Depending on where you work or what you're connecting to, it might be a security concern to send all of that information out in a CDP advertisement. Sure, you can just turn CDP off on the interface or even globally, but what if you wanted to still send CDP advertisements containing the Port ID and maybe the Duplex info, which is great for troubleshooting, I'm sure we can all agree, but at the same time remove the sensitive information like IP addresses and prefixes, so we can make it harder for someone to know what our network looks like? With Secure CDP we can do exactly that. That's right, we can filter out sensitive things and only send what we want in the CDP advertisement, those type-length-values, or TLVs, that contain all that info. What we're going to do is we'll create something called a TLV filter list and filter out specific things that are being sent to a connected neighbor. So a router connected to a switch only wants to send the Port ID it's using to connect and not the management IP address? Great, Secure CDP to the rescue. Let's hop on the CLI and get started.

All right, we are ready for the configuration portion of our video. If you look in the upper right-hand corner, I have a very, very simple topology: just a router connected to a switch, and both are using Gigabit 0/0. Our task is: do not allow Switch 1 to send the following TLVs using CDP over to R1: any IP addresses, IP prefixes, VTP, native VLAN, platform and capabilities. And I put a little note at the bottom that this should only be applied on the interface that connects to Router 1, so from Switch 1's perspective that's only going to be Gigabit 0/0. And the reason I specified this, as we'll see later, is because you can apply your TLV filters globally on the device, which means every interface, or just on one specific interface.

All right, before we go configuring, let's look on Router 1, the neighbor, and let's do a show cdp neighbor. Let's see what we're getting from Switch 1. So we can see our Device ID; this is our hostname. We have our local interface, hold time and our capabilities, right; Switch 1's capabilities are routing, switching and IGMP, and the port on Switch 1 that we're connecting to is Gigabit 0/0. Let me hit up arrow a couple of times and I'm going to do show cdp neighbor detail. Okay, it's going to give me a little bit more information. I can see that there is an IP address on Switch 1, that's 192.168.1.2. I can see some detailed version info; we're using CDP version 2. Here's some VTP information, full duplex, and here's a management IP address, and it actually happens to be the same address that it found in the entry address section.

All right, so let's look at a Wireshark capture. I am capturing on Switch 1's Gigabit 0/0 interface. Let me pull up Wireshark over here. All right, I hope that you guys can see this fine. So here is a CDP message from Switch 1 going to Router 1, and we already have CDP expanded. The Device ID is Switch 1. We have our Software Version information, Cisco Platform, and Cisco. Here's an address; I have an address configured, 192.168.1.2, and it's actually configured on Gigabit 0/0 on Switch 1. So you can see that Switch 1 is sending IP address information towards Router 1 via CDP. Here's our port; our local port on Switch 1 is Gigabit 0/0. Our capabilities, if we expand this here, we can see that it is a router, it can do switching and it is IGMP capable. Next is IP Prefixes; this has to do with On-Demand Routing, ODR, a routing protocol that uses CDP. So these interfaces here, these /32s, are actually loopbacks that I configured on Switch 1, and you can see that Switch 1 is sending this information to Router 1 via CDP. Next we have VTP information, we're using full duplex, and again our IP address is showing up here as well under the Management Address section.

So if we look at our task one more time, we do not want Switch 1 to send any IP address information, any IP prefixes, anything related to VTP, the native VLAN, any platform information and any capabilities. Let's go ahead and get this configured, so I'm going to go back on Switch 1. All right, so on Switch 1 let me go to config t, and I'm going to say cdp, and if you hit question mark you can see that you have tlv-list; this is what we want to configure. So tlv-list, hit question mark again, we need to name it, so I'm just going to name it secure-cdp. Now once you're inside the TLV list, if you hit question mark, you're going to see every option that you have when it comes to CDP. These are all the parameters that you could filter if you wanted to, so you have the address, you have capabilities, duplex information, hello protocol, IP prefixes. So you can see that there's some of this stuff that we need to do. So let's look at our task. We want any IP address information to be filtered out, so we're going to say address. Next, what else are we going to say? We're going to say management address. After that we have IP prefixes. After that on our task of things to do it's VTP, anything VTP related. We're going to have native VLAN, platform information and capabilities. Now I'm going to exit, and now that the list, the filter list, is created, you need to apply it somewhere. Like I said, you can either apply it globally to every interface on the switch or you can apply it to just one interface, and our task says that we should only be applying this on one interface, so let's go ahead and do that. We're going to go into Gigabit 0/0 and we're going to say cdp, and if you hit question mark you have filter-tlv-list, and what you need to do is specify the name of the TLV list that we created earlier, and if you remember, it's secure-cdp. And it's telling us that a TLV list named secure-cdp has been applied on Gigabit 0/0.

One way that we could verify this is by doing a show cdp tlv-list and the name. You can see that we have a TLV list created, it's named secure-cdp, and the TLVs that we are in fact filtering are the address, capability, IP prefix, management address, native VLAN, platform and the VTP management domain, and it's been applied on Gigabit 0/0. Let's go ahead and hop back on Router 1 and see what has changed. Hit up arrow a couple of times and I'm going to do, again, show cdp neighbor detail. So you can already see that under entry addresses we used to have an IP address here; we don't have that anymore. You can also see that the VTP information that was under here is gone. The management address is gone, and if you look at when we did it the first time, here we had management addresses, we had VTP; all that's gone. Let's look at the Wireshark capture as well so we can see it too. Okay, so you can see under the Addresses, the number of addresses is now zero. Before, if we look at the earlier capture, we had it here; we had IP address 192.168.1.2. It has now been removed, and the Management Address has also been removed. You can see there's a lot less information than there was before: there's no more native VLAN information, there's no more platform, there's no capabilities, there's no VTP and there's no IP prefixes. So by using Secure CDP we are able to filter out what we don't want but still use CDP, because it is helpful in some cases.

Okay, so we saw what's contained in a CDP advertisement before any filtering is applied. We identified some sensitive info that we don't want to advertise out. We created a TLV filter list specifying what we don't want to send. We applied it to an interface and verified that it's doing exactly what we want by doing a show cdp neighbor on the other device, and we verified it as well using Wireshark. Really cool, right? And it's not too difficult; if you know CDP then Secure CDP is cake. Like I said, at the end of the day you could just disable CDP at the interface level or globally if it's such a big deal, but I wanted to show you that you can still use CDP while not giving out too much information that you don't want, making it more secure. It's all about what's happening now and what tools are available to us. All right, I hope everyone enjoyed this video. If you did, don't forget to like and subscribe. Again, I want to wish everyone a happy new year, great health and knowledge. Let's identify goals that we want to use to get better and knock them out one by one. Thanks everyone, have a great day, I'll see you in the next video.
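The TLV parsing and filter check the video performs by eye in Wireshark, as an added Python example that is not from the video or from Cisco: it parses a CDP payload into its TLVs, applies a filter set mirroring the secure-cdp list built on Switch 1, and reports which filtered TLVs still appear, so a capture from the neighbor port can be audited without reading it field by field. The sample payload is constructed inline to resemble Switch 1's pre-filter advertisement (assumed values, not the real capture); TLV type codes are from the CDP frame format, and the checksum is not verified.

```python
import struct
from ipaddress import IPv4Address

# CDP TLV type codes; names follow the "cdp tlv-list" keywords from the video where one exists.
TLV_NAMES = {
    0x0001: "device-id", 0x0002: "address", 0x0003: "port-id",
    0x0004: "capability", 0x0005: "version", 0x0006: "platform",
    0x0007: "ip-prefix", 0x0009: "vtp-mgmt-domain", 0x000A: "native-vlan",
    0x000B: "duplex", 0x0016: "management-address",
}
TLV_TYPES = {name: code for code, name in TLV_NAMES.items()}

# The same TLVs the video's "secure-cdp" list suppresses on Switch 1's Gigabit 0/0.
SECURE_CDP_FILTER = {"address", "management-address", "ip-prefix",
                     "vtp-mgmt-domain", "native-vlan", "platform", "capability"}


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (after the LLC/SNAP header): 1-byte version, 1-byte TTL,
    2-byte checksum, then a run of type(2)/length(2)/value TLVs. Checksum not verified."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    tlvs, off = {}, 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError(f"truncated TLV header at offset {off}")
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):   # length includes the 4-byte TLV header
            raise ValueError(f"bad TLV length {tlen} at offset {off}")
        tlvs[TLV_NAMES.get(ttype, f"unknown-0x{ttype:04x}")] = payload[off + 4:off + tlen]
        off += tlen
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def leaked_tlvs(payload: bytes, filter_list=SECURE_CDP_FILTER) -> list:
    """TLVs present in the frame that the filter list says must not leave the port."""
    return sorted(set(parse_cdp(payload)["tlvs"]) & filter_list)


def tlv(name: str, value: bytes) -> bytes:
    return struct.pack("!HH", TLV_TYPES[name], 4 + len(value)) + value


def build_unfiltered() -> bytes:
    """Constructed sample resembling Switch 1's pre-filter advertisement (assumed values)."""
    # Address TLV value: 4-byte count, then protocol type 1 (NLPID), length 1, NLPID 0xCC (IP), addr len, addr
    ip = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + IPv4Address("192.168.1.2").packed
    body = tlv("device-id", b"SW1") + tlv("address", ip) + tlv("port-id", b"GigabitEthernet0/0")
    body += tlv("capability", struct.pack("!I", 0x29)) + tlv("duplex", b"\x01") + tlv("management-address", ip)
    return struct.pack("!BBH", 2, 180, 0) + body   # version 2, TTL 180 s, checksum left at 0


def apply_filter(payload: bytes, filter_list=SECURE_CDP_FILTER) -> bytes:
    """Rebuild the payload without the filtered TLVs (unknown types are dropped as well):
    what the switch sends once the tlv-list is applied to the interface."""
    parsed = parse_cdp(payload)
    kept = b"".join(tlv(n, v) for n, v in parsed["tlvs"].items() if n not in filter_list and n in TLV_TYPES)
    return struct.pack("!BBH", parsed["version"], parsed["ttl"], 0) + kept
```

Capability bits 0x01 (router), 0x08 (switch) and 0x20 (IGMP) give the 0x29 used in the sample, matching what the video sees on Switch 1.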
Info
Channel: Network Engineer Pro
Views: 157
Id: E2Z6zLGGqEE
Length: 10min 59sec (659 seconds)
Published: Sat Jan 02 2021