We are concerned about Zero Day vulnerabilities affecting Cisco devices and specifically CDP support. Is it possible to disable CDP on the devices to reduce risk? What is the implication in Spectrum of such an action?
Release : 10.4
Component : SPECTRUM SPCCSS
Customers may be concerned about Zero Day vulnerabilities affecting Cisco devices and specifically CDP support. What is the impact of disabling this on the devices?
One of Spectrum's highlights is the Fault Isolation process, which determines the root cause of an outage. To diagnose root cause, Spectrum checks the up/down status of a device and of its connected neighbor devices and, based on the responses, determines which device is the root cause. For this to work smoothly, the device models in the Spectrum OneClick topology must have correct connections (connecting pipes) between the devices in a given domain.
Spectrum builds those connections from the address tables on the devices, i.e. the MAC addresses found in ARP tables, CDP tables, etc. So, for Spectrum to automatically manage correct connectivity between devices, it must be able to poll the MAC connectivity information from the device's tables, whichever table that is for a given vendor.
It is certainly possible (and sometimes necessary) to manage connections between devices manually; it is even recommended, in order to verify the connections that Fault Isolation relies on. If a protocol such as CDP is disabled on a device, Spectrum can no longer obtain MAC address connectivity information to manage the connections for those Cisco devices on its own, but the connections can still be managed manually. The issue this presents is that it is labor intensive (Cisco being the most popular brand, environments are likely to contain a large number of Cisco models), and the users would need advance notice of connection information and of changes on the network so they can properly manage any connections (pipes) that need to be removed, changed, or added.
In addition, if the device supports LLDP or another supported protocol, Spectrum may be able to poll it and create connections correctly based on a protocol other than CDP. This must be evaluated case by case per device.
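As an added illustration (not from the original article and not Spectrum's own code), the script below parses constructed snmpwalk output of the CDP-MIB cdpCacheDeviceId and LLDP-MIB lldpRemSysName columns and lists, per device, the neighbors reported only by CDP; those are the connections an administrator would have to manage manually in OneClick once CDP is disabled. The device names and walk data are constructed samples, and the OID prefix matching assumes numeric (-On style) output.

```python
import re

# Base OIDs from CDP-MIB and LLDP-MIB; the instance index follows each base OID.
CDP_DEVICE_ID = "1.3.6.1.4.1.9.9.23.1.2.1.1.6"   # cdpCacheDeviceId, index ifIndex.deviceIndex
LLDP_SYS_NAME = "1.0.8802.1.1.2.1.4.1.1.9"        # lldpRemSysName, index timeMark.localPort.remIndex

# Constructed snmpwalk-style output for two devices (sample data, not real captures).
SAMPLE_WALKS = {
    "core-sw1": """\
1.3.6.1.4.1.9.9.23.1.2.1.1.6.10101.1 = STRING: "dist-sw1"
1.3.6.1.4.1.9.9.23.1.2.1.1.6.10102.1 = STRING: "dist-sw2"
1.0.8802.1.1.2.1.4.1.1.9.0.1.1 = STRING: "dist-sw1"
""",
    "access-sw7": """\
1.3.6.1.4.1.9.9.23.1.2.1.1.6.10001.1 = STRING: "dist-sw2"
""",
}

LINE_RE = re.compile(r'^(?P<oid>[\d.]+)\s*=\s*STRING:\s*"(?P<val>[^"]*)"')


def neighbors_from_walk(walk, base_oid):
    """Return the set of neighbor names found under base_oid in an snmpwalk dump."""
    found = set()
    for line in walk.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("oid").startswith(base_oid + "."):
            found.add(m.group("val"))
    return found


def cdp_only_neighbors(walks):
    """Per device: neighbors learned only via CDP, i.e. the connections Spectrum
    would stop discovering automatically once CDP is disabled on that device."""
    result = {}
    for device, walk in walks.items():
        cdp = neighbors_from_walk(walk, CDP_DEVICE_ID)
        lldp = neighbors_from_walk(walk, LLDP_SYS_NAME)
        result[device] = cdp - lldp
    return result


if __name__ == "__main__":
    for dev, lost in cdp_only_neighbors(SAMPLE_WALKS).items():
        print(f"{dev}: connections needing manual management: {sorted(lost) or 'none'}")
```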
Thus, while CDP can technically be disabled, there are risk factors involved, including potential Fault Isolation issues (and thus the potential for missed outages, missed SLAs, etc.) and increased labor and time for Spectrum users, who must manually manage the proper connections without CDP. However, if another protocol can be used, it may mitigate the impact of disabling CDP and allow Spectrum to continue managing connections on that device automatically.