Meraki

Community

Disable CDP protocol on APs

Danut
Getting noticed
‎Mar 13 2019 4:38 AM
‎Mar 13 2019 4:38 AM

Disable CDP protocol on APs

Hi,

I am sorry if this is a duplicate question, but I was not able to find the answer I am looking for, just similar topics which don't answer my question.

So, my question is simple. Can you disable CDP protocol on Meraki APs? especially for MR42 and MR33; which we got in our enterprise.

 

During some tests of a new protocol, using Wireshark I discovered that the APs send CDP messages. I checked the source of the messages and they are the Meraki APs indeed. We do have other Cisco devices in the network, but all of them are CDP disabled for security reasons. 

Thank you in advance !

P.S.: All of the devices are use the latest firmware.

0 Kudos
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Mar 13 2019 5:20 AM
‎Mar 13 2019 5:20 AM

not from the dashboard no. i dont know if support can. 

cdp and lldp are on and used to provide the dashboard with info. but things like lldp are also  used for  negotiating poe, putting device in the correct vlan etc..

 

what cdp security risks do you face in a trusted network? 

In response to ww
Danut
Getting noticed
‎Mar 13 2019 6:12 AM
‎Mar 13 2019 6:12 AM

The problem with CDP packets is that they are sent over the network wirelessly and can be used for network discovery. 
If the CDP and LLDP protocols are used to provide info for the dashboard, I think the messages should be send over the LAN (since all the APs are in AP mode, not Repeater). If the messages are send over the LAN I would not have a problem with them, but since they are also send wirelessly I would like to stop them (on the wireless medium, of course)

 

Also, Cisco best practices for security suggest to disable CDP and LLDP protocols when not used.

In response to Danut
Nick
Head in the Cloud
‎Mar 13 2019 6:37 AM
‎Mar 13 2019 6:37 AM

I didn't know they were going out wirelessly. I applaud your thoroughness
0 Kudos
In response to Nick
BrechtSchamp
Kind of a big deal
‎Mar 13 2019 8:03 AM
‎Mar 13 2019 8:03 AM

Mine aren't sending any LLDP or CDP frames over the wireless link. Are you using any of the APs in wireless bridge/mesh mode?

0 Kudos
In response to BrechtSchamp
Danut
Getting noticed
‎Mar 14 2019 1:59 AM
‎Mar 14 2019 1:59 AM

Yes, we used them in bridge/mesh mode. I wanted to post an example but I forgot to save the pcap file before I went home from work.

 

I did some brief tests again today and I didn't saw any CDP or LLDP messages, but I am sure they existed. On the time I saw the messages I started to investigate the source and it turned out there were from the Meraki APs.

 

If someone can do some test and tell me if they can see similar messages I would really appreciate. I will try to do some extended captures over longer periods of time and check if they send CDP messages again.

P.S.: When I did the initial scan and saw the CDP messages I was connected to a Meraki MR33 AP. There were about 6 CDP messages which contained information about all the access points (Firmware, Version, Model, etc.). I was connected wirelessly only and that is when I started to became sceptical and investigate further the source and cause.

0 Kudos
In response to Danut
Danut
Getting noticed
‎Mar 15 2019 1:26 AM
‎Mar 15 2019 1:26 AM

Back again with some results.

I set the 2 Wireshark instances to collect data from LAN and WLAN. After 6 hours of collecting data I filtered the output and found no CDP messages over WLAN but found a lot of them over LAN. I am not sure what generate the CDP messages over the WLAN, but it seems they are not send anymore. I still don't understand why these messages are send via LAN? are they required in a mesh mode, or can they be disabled?

 

Thou they can only be captured inside the LAN (everywhere in the LAN, since they are broadcasted/multicasted), and they don't seem to contain critical information I would like to reduce the number of messages that can be used to gather network information. I know these messages represent a low/minimal risk, but if they can be stopped I would like mitigate the risk.

I know I started this thread to let you know I saw the CDP messages on WLAN. It looks like the scan I did over a work shift didn't reveal any CDP frames over the WLAN. I would do further scans and I intend to let the Wireshark capture packets from WLAN for a week and I will analyse the results.

 

Below, I attached a picture with the result I collected from LAN with private data hidden. The source of these messages are the Meraki APs:

Wireshark CDP packets capturedWireshark CDP packets captured

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.