- Finding Feature Information
- Prerequisites for Secure Cisco Discovery Protocol
- Restrictions for Secure Cisco Discovery Protocol
- Information About Secure Cisco Discovery Protocol
- How to Configure Secure Cisco Discovery Protocol
- Configuration Examples for Secure Cisco Discovery Protocol
- Additional References for Secure Cisco Discovery Protocol
- Feature Information for Secure Cisco Discovery Protocol
Secure Cisco Discovery Protocol
The Cisco Discovery Protocol does not possess inherent security mechanisms and is vulnerable to attacks. The Secure Cisco Discovery Protocol feature allows users to select the type, length, value (TLV) fields that are sent on a particular interface to filter information sent through Cisco Discovery Protocol packets.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Secure Cisco Discovery Protocol
The Cisco software image must support basic Cisco Discovery Protocol functions.
Restrictions for Secure Cisco Discovery Protocol
Different Cisco Discovery Protocol clients rely on different type, length, value (TLV) fields. Blocking TLV fields on one device can therefore break the functionality of clients on the neighboring devices that receive the Cisco Discovery Protocol packets with those fields removed.
Information About Secure Cisco Discovery Protocol
Secure Cisco Discovery Protocol
The Cisco Discovery Protocol does not possess inherent security mechanisms and is vulnerable to attacks. The Secure Cisco Discovery Protocol feature provides security by allowing users to select the type, length, value (TLV) fields that are sent on an interface to filter the fields in Cisco Discovery Protocol packets.
This feature supports the following functions:
- TLV lists can be configured globally and also at the interface level, but only one TLV list can be configured globally.
- A TLV list configured on an interface takes precedence over the global TLV list.
- All TLVs except the Device-ID TLV and the Application TLV can be blocked.
- Information about the Cisco Discovery Protocol TLV list configured on an interface is stored in each Cisco Discovery Protocol interface subblock.
- TLVs are blocked on the sending side, that is, the blocked fields are removed from the Cisco Discovery Protocol packets the device transmits.
- The cdp tlv-list and cdp filter-tlv-list commands are required to configure a Cisco Discovery Protocol TLV list and to apply the list globally or on an interface.
- The show cdp tlv-list and show cdp interface commands display information about the TLV list.
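To make the precedence and sending-side rules above concrete, here is an added Python example (not Cisco's code and not part of this page) that simulates the filter: one global TLV list, per-interface lists that override it, and a mandatory Device-ID TLV that is never removed. The TLV type codes are the well-known CDP values; the keyword-to-type mapping, the sample advertisement and the interface names are constructed for the simulation. The page's group1 and group2 lists are reused, with group1 applied globally and group2 on Ethernet0/1.

```python
"""Added example (not Cisco's code): simulates Secure CDP's sending-side TLV
filtering with one global TLV list and per-interface lists, then parses the
filtered payload to confirm which TLVs remain. TLV type codes are the
well-known CDP values; the payload is constructed here, not captured."""
import struct

# Well-known CDP TLV type codes. Type and length are 16-bit big-endian;
# the length counts the 4-byte TLV header plus the value.
DEVICE_ID, ADDRESS, PORT_ID, CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
IP_PREFIX, HELLO, DUPLEX, TRUST = 0x0007, 0x0008, 0x000B, 0x0012

# Keyword names from "cdp tlv-list" mapped to type codes. This mapping is an
# assumption made for the simulation, not an IOS data structure.
KEYWORD_TYPE = {
    "address": ADDRESS, "capability": CAPABILITIES, "ip-prefix": IP_PREFIX,
    "hello-protocol": HELLO, "duplex": DUPLEX, "trust": TRUST,
}
# Device-ID is mandatory and can never be blocked.
MANDATORY = {DEVICE_ID}


def build_tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_payload(tlvs, ttl=180):
    # CDP header: version 2, holdtime, 16-bit checksum (left zero here; a
    # real device recomputes it before transmission).
    return struct.pack("!BBH", 2, ttl, 0) + b"".join(build_tlv(t, v) for t, v in tlvs)


def parse_tlvs(payload):
    """Return [(type, value)] after the 4-byte header; reject bad lengths."""
    tlvs, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", payload, off)
        if length < 4 or off + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        tlvs.append((t, payload[off + 4:off + length]))
        off += length
    return tlvs


def effective_list(global_list, iface_lists, iface):
    """A list applied on the interface takes precedence over the global one."""
    return iface_lists.get(iface, global_list)


def filter_payload(payload, blocked_types):
    """Sending-side filter: drop blocked TLVs, always keeping mandatory ones."""
    blocked = set(blocked_types) - MANDATORY
    kept = [(t, v) for t, v in parse_tlvs(payload) if t not in blocked]
    return payload[:4] + b"".join(build_tlv(t, v) for t, v in kept)


def types_sent(iface, payload, global_list, iface_lists):
    """TLV types that leave the given interface after filtering."""
    names = effective_list(global_list, iface_lists, iface)
    blocked = {KEYWORD_TYPE[k] for k in names}
    return [t for t, _ in parse_tlvs(filter_payload(payload, blocked))]


# Constructed sample: a full advertisement from a hypothetical switch "SW1".
SAMPLE = build_payload([
    (DEVICE_ID, b"SW1"),
    (ADDRESS, b"\x00\x00\x00\x01\x01\x01\xcc\x00\x04\x0a\x00\x00\x01"),  # 10.0.0.1
    (PORT_ID, b"Ethernet0/0"),
    (CAPABILITIES, b"\x00\x00\x00\x28"),
    (IP_PREFIX, b"\x0a\x00\x00\x00\x18"),  # 10.0.0.0/24
    (DUPLEX, b"\x01"),
])
# TLV lists as on the page: group1 applied globally, group2 on Ethernet0/1.
GROUP1 = ["ip-prefix", "hello-protocol", "trust", "capability"]
GROUP2 = ["address", "duplex", "capability"]
IFACE_LISTS = {"Ethernet0/1": GROUP2}

if __name__ == "__main__":
    for iface in ("Ethernet0/0", "Ethernet0/1"):
        sent = types_sent(iface, SAMPLE, GROUP1, IFACE_LISTS)
        print(iface, [hex(t) for t in sent])
```

Ethernet0/0 falls back to the global list and stops sending the IP prefix and capability TLVs, while Ethernet0/1 uses its own list and keeps the prefix but drops the address and duplex TLVs; in both cases the Device-ID TLV survives even if it is named in a blocked set.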
Supported Type, Length, Value Fields
Note: The Address TLV and Device ID TLV are mandatory TLVs and cannot be blocked. Hence, they are not available in the Cisco software image for user configuration.
How to Configure Secure Cisco Discovery Protocol
Configuring a TLV List and Adding TLVs to the List
1. enable
2. configure terminal
3. cdp tlv-list tlv-list-name
4. ip-prefix
5. hello-protocol
6. end
7. show cdp tlv-list tlv-list-name
DETAILED STEPS
Applying TLV List Configurations at the Interface Level
1. enable
2. configure terminal
3. interface type number
4. cdp filter-tlv-list tlv-list-name
5. end
6. show cdp tlv-list tlv-list-name
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable Example: Device> enable | Enables privileged EXEC mode. |
Step 2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
Step 3 | interface type number Example: Device(config)# interface ethernet 0/0 | Specifies an interface type and number and enters interface configuration mode. |
Step 4 | cdp filter-tlv-list tlv-list-name Example: Device(config-if)# cdp filter-tlv-list group1 | Applies a TLV list on an interface. |
Step 5 | end Example: Device(config-if)# end | Exits interface configuration mode and returns to privileged EXEC mode. |
Step 6 | show cdp tlv-list tlv-list-name Example: Device# show cdp tlv-list group1 | Displays information about the TLVs in a TLV list. |
Applying TLV List Configurations at the Global Level
1. enable
2. configure terminal
3. cdp filter-tlv-list tlv-list-name
4. end
5. show cdp tlv-list tlv-list-name
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable Example: Device> enable | Enables privileged EXEC mode. |
Step 2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
Step 3 | cdp filter-tlv-list tlv-list-name Example: Device(config)# cdp filter-tlv-list group1 | Applies a TLV list globally. |
Step 4 | end Example: Device(config)# end | Exits global configuration mode and returns to privileged EXEC mode. |
Step 5 | show cdp tlv-list tlv-list-name Example: Device# show cdp tlv-list group1 | Displays information about the TLVs in a TLV list. |
Configuration Examples for Secure Cisco Discovery Protocol
Example: Configuring a TLV List and Adding TLVs to the List
```
Device> enable
Device# configure terminal
Device(config)# cdp tlv-list group1
Device(config-tlv-list)# ip-prefix
Device(config-tlv-list)# hello-protocol
Device(config-tlv-list)# trust
Device(config-tlv-list)# capability
Device(config)# cdp tlv-list group2
Device(config-tlv-list)# address
Device(config-tlv-list)# duplex
Device(config-tlv-list)# capability
Device(config-tlv-list)# end

Device# show cdp tlv-list group1
Tlv-list : group1
    Capability
    Hello-protocol
    Ip-prefix
    Trust
Device# show cdp tlv-list group2
Tlv-list : group2
    Address
    Capability
    Duplex
Device# show cdp tlv-list *
Tlv-list : group1
    Capability
    Hello-protocol
    Ip-prefix
    Trust
Tlv-list : group2
    Address
    Capability
    Duplex
```
Example: Applying TLV List Configurations at Interface Level
The show cdp interface command displays Cisco Discovery Protocol TLV lists on all interfaces.
```
Device> enable
Device# configure terminal
Device(config)# interface ethernet 0/0
Device(config-if)# cdp filter-tlv-list group1
03:22:15: %CDP-6-TLV_LIST_INTERFACE: Tlv-list group1 applied on interface Ethernet0/0
Device(config-if)# exit
Device(config)# interface ethernet 0/1
Device(config-if)# cdp filter-tlv-list group2
03:22:45: %CDP-6-TLV_LIST_INTERFACE: Tlv-list group2 applied on interface Ethernet0/1
Device(config-if)# end

Device# show cdp tlv-list group1
Tlv-list : group1
    Capability
    Hello-protocol
    Ip-prefix
    Trust
Applied on: Et0/0

Device# show cdp interface ethernet0/0
Ethernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group1

Device# show cdp interface ethernet0/1
Ethernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group2

Device# show cdp interface
Ethernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group1
Ethernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group2
. . .
```
Example: Applying TLV List Configurations Globally
```
Device> enable
Device# configure terminal
Device(config)# cdp filter-tlv-list group1
03:28:44: %CDP-6-TLV_LIST_GLOBALLY: Tlv-list group1 applied globally on all interfaces.
Device(config)# end

Device# show cdp interface
Ethernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group1
Ethernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group2
. . .
```
Note: The show cdp interface command displays Cisco Discovery Protocol TLV lists on all interfaces.
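Because show cdp interface is the one command that reveals, per interface, whether a TLV list is in force, it is a natural input for a configuration audit. The following is an added Python example (not Cisco's code and not part of this page) that parses that output and reports interfaces sending Cisco Discovery Protocol packets without a TLV list, or with a list other than the one expected. The sample output is constructed from the page's example; the third interface, Ethernet0/2, is added as a constructed case and assumes that an interface with no list applied simply lacks the "Tlv-list applied" line.

```python
"""Added example (not Cisco's code): audit "show cdp interface" output for
interfaces that send CDP without a TLV list applied. The sample text is
constructed; the interface without a "Tlv-list applied" line is an assumed
representation of an interface with no list in force."""
import re

# Header line of each interface block, e.g. "Ethernet0/0 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
# The TLV-list line shown on the page, e.g. "  Tlv-list applied : group1"
LIST_RE = re.compile(r"^\s*Tlv-list applied\s*:\s*(\S+)")


def parse_show_cdp_interface(text):
    """Return {interface: {"status": ..., "tlv_list": name or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "tlv_list": None}
            continue
        m = LIST_RE.match(line)
        if m and current is not None:
            result[current]["tlv_list"] = m.group(1)
    return result


def audit(text, required=None):
    """List (interface, reason) findings: no list at all, or, when a
    required list name is given, a different list than the required one."""
    findings = []
    for iface, info in parse_show_cdp_interface(text).items():
        if info["tlv_list"] is None:
            findings.append((iface, "no TLV list applied; all TLVs are sent"))
        elif required and info["tlv_list"] != required:
            findings.append((iface, f"list {info['tlv_list']} applied, expected {required}"))
    return findings


# Constructed sample built from the page's output plus one unfiltered interface.
SAMPLE = """\
Ethernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group1
Ethernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  Tlv-list applied : group2
Ethernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""

if __name__ == "__main__":
    for iface, reason in audit(SAMPLE):
        print(f"{iface}: {reason}")
```

Run against a saved copy of the command output, the audit surfaces the interfaces the global or interface-level lists do not cover; passing required="group1" additionally flags interfaces where a different list was applied at the interface level and is therefore taking precedence.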
Additional References for Secure Cisco Discovery Protocol
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Cisco Discovery Protocol commands | |
SNMP configuration tasks | Configuring SNMP Support |
On-Demand Routing configuration tasks | Configuring On-Demand Routing |
Standards and RFCs
Standard/RFC | Title |
---|---|
IEEE 802.1Q | 802.1Q—Virtual LANs |
MIBs
MIB | MIBs Link |
---|---|
CISCO-CDP MIB | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
Feature Information for Secure Cisco Discovery Protocol
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information |
---|---|---|
Secure Cisco Discovery Protocol | Cisco IOS XE 3.6 E | The Secure Cisco Discovery Protocol feature allows you to select what information is sent in Cisco Discovery Protocol packets and to block sensitive information. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: cdp filter-tlv-list, cdp tlv-list, show cdp interface, show cdp tlv-list. |