Disable CDP protocol on APs

Danut
Getting noticed

Disable CDP protocol on APs

Hi,

I am sorry if this is a duplicate question, but I was not able to find the answer I am looking for, just similar topics which don't answer my question.

So, my question is simple. Can you disable CDP protocol on Meraki APs? especially for MR42 and MR33; which we got in our enterprise.

 

During some tests of a new protocol, using Wireshark I discovered that the APs send CDP messages. I checked the source of the messages and they are the Meraki APs indeed. We do have other Cisco devices in the network, but all of them are CDP disabled for security reasons. 

Thank you in advance !

P.S.: All of the devices are use the latest firmware.

6 Replies 6
ww
Kind of a big deal
Kind of a big deal

not from the dashboard no. i dont know if support can. 

cdp and lldp are on and used to provide the dashboard with info. but things like lldp are also  used for  negotiating poe, putting device in the correct vlan etc..

 

what cdp security risks do you face in a trusted network? 

Danut
Getting noticed

The problem with CDP packets is that they are sent over the network wirelessly and can be used for network discovery. 
If the CDP and LLDP protocols are used to provide info for the dashboard, I think the messages should be send over the LAN (since all the APs are in AP mode, not Repeater). If the messages are send over the LAN I would not have a problem with them, but since they are also send wirelessly I would like to stop them (on the wireless medium, of course)

 

Also, Cisco best practices for security suggest to disable CDP and LLDP protocols when not used.

Nick
Head in the Cloud

I didn't know they were going out wirelessly. I applaud your thoroughness
BrechtSchamp
Kind of a big deal

Mine aren't sending any LLDP or CDP frames over the wireless link. Are you using any of the APs in wireless bridge/mesh mode?

Danut
Getting noticed

Yes, we used them in bridge/mesh mode. I wanted to post an example but I forgot to save the pcap file before I went home from work.

 

I did some brief tests again today and I didn't saw any CDP or LLDP messages, but I am sure they existed. On the time I saw the messages I started to investigate the source and it turned out there were from the Meraki APs.

 

If someone can do some test and tell me if they can see similar messages I would really appreciate. I will try to do some extended captures over longer periods of time and check if they send CDP messages again.

P.S.: When I did the initial scan and saw the CDP messages I was connected to a Meraki MR33 AP. There were about 6 CDP messages which contained information about all the access points (Firmware, Version, Model, etc.). I was connected wirelessly only and that is when I started to became sceptical and investigate further the source and cause.

Danut
Getting noticed

Back again with some results.

I set the 2 Wireshark instances to collect data from LAN and WLAN. After 6 hours of collecting data I filtered the output and found no CDP messages over WLAN but found a lot of them over LAN. I am not sure what generate the CDP messages over the WLAN, but it seems they are not send anymore. I still don't understand why these messages are send via LAN? are they required in a mesh mode, or can they be disabled?

 

Thou they can only be captured inside the LAN (everywhere in the LAN, since they are broadcasted/multicasted), and they don't seem to contain critical information I would like to reduce the number of messages that can be used to gather network information. I know these messages represent a low/minimal risk, but if they can be stopped I would like mitigate the risk.

I know I started this thread to let you know I saw the CDP messages on WLAN. It looks like the scan I did over a work shift didn't reveal any CDP frames over the WLAN. I would do further scans and I intend to let the Wireshark capture packets from WLAN for a week and I will analyse the results.

 

Below, I attached a picture with the result I collected from LAN with private data hidden. The source of these messages are the Meraki APs:

Wireshark CDP packets capturedWireshark CDP packets captured

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels