The Risks and Vulnerabilities of Unsecured CDP and LLDP Protocols

Both protocols send their data to a multicast destination MAC address (CDP: 01-00-0c-cc-cc-cc, LLDP: 01:80:c2:00:00:0e), so the information exchanged between neighbors can be obtained by anyone able to capture these frames on the segment.

Because we know the source and destination MAC addresses of this traffic, we can block it with an L2 ACL, or simply disable the protocol on any interface connected to an untrusted device.

There is another option besides disabling these protocols: they send a set of predefined fields (Type, Length, Value), and we can select which of these TLVs are sent, so we can build a list or profile that suits us.

Related: Network Discovery Protocols: CDP and LLDP

To create a customized L2 DP profile, we specify a TLV list and apply it globally or per interface. As an example, let's use Cisco.

We have two devices connected; let's first look at the normal CDP information exchanged between neighbors.

Fig 1.1 - Secure CDP TLV list

If the client cannot provide a network map or design, we turn to the L2 DP for help. The CDP control plane also helps us identify misconfigurations. These are just a few examples of how the L2 discovery protocol assists us in our day-to-day operations.

CDP Neighbor

Fig - cdp neighbor details

There is a lot of information available here, some of it sensitive. This disclosure is a security issue, and it is preferable to secure CDP rather than disable it in order to address it.

To better understand the L2 DP, let's look at the TLVs it sends. Create a TLV list named NDNA-1.

Fig - cdp tlv list

As can be seen, we created the CDP TLV list and selected every TLV. After creating the TLV list, there are two ways to attach it to a filter:

1. Global level, which applies to all interfaces on which CDP is enabled

Fig - cdp tlv-list (global)

2. Interface level

Fig - interface tlv-list

After applying the tlv-list, we see only the Address and Device ID TLVs; these two TLVs are mandatory and cannot be blocked. So now we know that the TLV list used in a TLV filter suppresses every field the list includes.

Fig - sh cdp neighbor

Simply remove from the TLV list any TLV that should still be exchanged between neighbors.
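A filter like the one above is easiest to trust when it is verified from the wire rather than only from `show cdp neighbor`. The following Python script is an added example, not code from the original post or from Cisco: it recognizes CDP and LLDP frames by the multicast destination MACs named above, decodes their TLVs, and reports which optional TLVs a neighbor is still advertising (for CDP, anything beyond the mandatory Device ID and Addresses TLVs; for LLDP, anything beyond Chassis ID, Port ID and TTL). The frames it examines are constructed inline for the example, the CDP checksum is left as zero and is not verified, and the TLV type codes are the standard CDP and IEEE 802.1AB values.

```python
"""Audit captured CDP/LLDP frames for optional TLVs that a TLV filter should
have suppressed.  Added example; sample frames below are constructed by hand."""
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")   # 01-00-0c-cc-cc-cc
LLDP_MCAST = bytes.fromhex("0180c200000e")  # 01:80:c2:00:00:0e
SRC_MAC = bytes.fromhex("001122334455")     # constructed source MAC

CDP_TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0009: "VTP Management Domain", 0x000A: "Native VLAN", 0x000B: "Duplex",
}
CDP_MANDATORY = {0x0001, 0x0002}  # cannot be filtered on the switch

LLDP_TLV_NAMES = {
    1: "Chassis ID", 2: "Port ID", 3: "Time To Live", 4: "Port Description",
    5: "System Name", 6: "System Description", 7: "System Capabilities",
    8: "Management Address", 127: "Organizationally Specific",
}
LLDP_MANDATORY = {1, 2, 3}  # required by IEEE 802.1AB


def parse_cdp(payload):
    """Return [(type, value)] from a CDP payload (version, TTL, checksum, TLVs)."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    tlvs, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated CDP TLV header")
        t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):   # length covers the header
            raise ValueError("bad CDP TLV length")
        tlvs.append((t, payload[off + 4:off + length]))
        off += length
    return tlvs


def parse_lldp(payload):
    """Return [(type, value)]; LLDP packs a 7-bit type and 9-bit length per TLV."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if t == 0:                       # End-of-LLDPDU
            break
        if off + length > len(payload):
            raise ValueError("bad LLDP TLV length")
        tlvs.append((t, payload[off:off + length]))
        off += length
    return tlvs


def audit_frame(frame):
    """Classify an Ethernet frame by destination MAC and list its optional TLVs.

    Returns None for frames that are not CDP or LLDP."""
    dst = frame[:6]
    if dst == CDP_MCAST:
        # 802.3 header (14 bytes) + LLC/SNAP (8 bytes) precede the CDP payload
        tlvs, names, mandatory, proto = parse_cdp(frame[22:]), CDP_TLV_NAMES, CDP_MANDATORY, "CDP"
    elif dst == LLDP_MCAST and frame[12:14] == b"\x88\xcc":
        tlvs, names, mandatory, proto = parse_lldp(frame[14:]), LLDP_TLV_NAMES, LLDP_MANDATORY, "LLDP"
    else:
        return None
    label = lambda t: names.get(t, f"type {t}")
    return {
        "protocol": proto,
        "tlvs": [label(t) for t, _ in tlvs],
        "optional": [label(t) for t, _ in tlvs if t not in mandatory],
    }


# --- constructed sample frames -------------------------------------------------
def cdp_tlv(t, value):
    return struct.pack("!HH", t, len(value) + 4) + value


def lldp_tlv(t, value):
    return struct.pack("!H", (t << 9) | len(value)) + value


def build_cdp_frame(tlvs):
    payload = bytes([2, 180, 0, 0]) + b"".join(tlvs)      # v2, TTL 180, checksum 0
    llc_snap = bytes.fromhex("aaaa03" "00000c" "2000")     # SNAP OUI 00-00-0c, PID 0x2000
    return CDP_MCAST + SRC_MAC + struct.pack("!H", len(llc_snap) + len(payload)) + llc_snap + payload


def build_lldp_frame(tlvs):
    return LLDP_MCAST + SRC_MAC + b"\x88\xcc" + b"".join(tlvs) + b"\x00\x00"


# One address entry: NLPID (type 1, len 1, 0xCC = IP), address length 4, 10.0.0.1
CDP_ADDR = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes([10, 0, 0, 1])
SAMPLE_CDP_FRAME = build_cdp_frame([cdp_tlv(0x0001, b"Switch"), cdp_tlv(0x0002, CDP_ADDR),
                                    cdp_tlv(0x0005, b"IOS 15.2(7)"), cdp_tlv(0x0006, b"C9300")])
FILTERED_CDP_FRAME = build_cdp_frame([cdp_tlv(0x0001, b"Switch"), cdp_tlv(0x0002, CDP_ADDR)])
SAMPLE_LLDP_FRAME = build_lldp_frame([lldp_tlv(1, b"\x04" + SRC_MAC), lldp_tlv(2, b"\x05Gi1/0/1"),
                                      lldp_tlv(3, b"\x00\x78"), lldp_tlv(5, b"Switch"), lldp_tlv(6, b"IOS")])

if __name__ == "__main__":
    for name, frame in [("unfiltered CDP", SAMPLE_CDP_FRAME), ("filtered CDP", FILTERED_CDP_FRAME),
                        ("LLDP", SAMPLE_LLDP_FRAME)]:
        print(name, audit_frame(frame))
```

Run against a real capture, `audit_frame` would be fed each frame's raw bytes; an empty `optional` list on the CDP side is what you expect after the TLV list from the procedure above has been applied, while a populated list names exactly the fields the filter is still leaking.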