Hi Harold/all,

In your description you mentioned that you can use a /31 mask also,

Your comments:
"Since the point-to-point link is likely to have a /30 (or /31 if they're
running 12.2) mask on it"


Questions are:
-------------

- Will the connection work? Till now I only know that /30 is the max mask
  used on serial lines. How will we use this /31 mask?
- Does this apply only in IOS version 12.2 or later, as mentioned?
- Do people use this /31 mask?
- Can anybody provide me any info & links?

Thanks in advance.
(Please refer to the description below in the thread where he mentioned that.)


--------------------
Over a leased line I can't see the harm in leaving it running. If someone
manages to get into your router, there's very little target enumeration they
can do with CDP that can't be done by other means. Since the point-to-point
link is likely to have a /30 (or /31 if they're running 12.2) mask on it,
it's not going to be a stretch to figure out the other router's IP.

While disabling CDP is certainly a sound practice on LAN interfaces, we also
disable it on our switched WAN connections on general principles. That isn't
a magic bullet by any means though, disabling CDP is security through
obscurity more than anything else. If you're concerned about unauthorized
access to your routers, then you should consider running access classes on
your vty lines and AAA so you can audit access to the routers, if you aren't
already.
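To make the two points above concrete (a /31 on a point-to-point serial in 12.2+, and access classes plus AAA on the vty lines rather than relying on "no cdp enable"), here is a constructed IOS configuration fragment. It is an added illustration, not from anyone in this thread; the addresses, ACL number, TACACS+ server and credentials are placeholders, and the "After" block assumes SSH has already been set up on the router.

```text
! ----- Before: what the thread warns about -----
interface Serial0/0
! /30 point-to-point; CDP left at its default (enabled), so the
! neighbour's IOS version and platform are advertised on this link.
 ip address 192.0.2.1 255.255.255.252
 encapsulation hdlc
!
line vty 0 4
! no access-class, no AAA, no audit trail
 password cisco
 login
!
! ----- After -----
interface Serial0/0
! /31 (RFC 3021) on a point-to-point link, supported from IOS 12.2:
! the two ends are .0 and .1, no network/broadcast address wasted.
! If the far end runs older IOS, keep a /30 here instead.
 ip address 192.0.2.0 255.255.255.254
 encapsulation hdlc
! per-interface; "no cdp run" in global config disables CDP box-wide
 no cdp enable
!
! Only the management subnet may reach the vty lines at all.
access-list 10 permit 192.0.2.64 0.0.0.31
access-list 10 deny any log
!
! AAA: authenticate against TACACS+ with local fallback, and account
! for logins and level-15 commands so router access can be audited.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.100 key PLACEHOLDER_KEY
username admin privilege 15 secret PLACEHOLDER_PASSWORD
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
```

With "aaa new-model" on, the old "password"/"login" pair on the vty lines is no longer what grants access; the TACACS+ accounting records are where you look when checking who logged in and what they typed.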



> -----Original Message----- 
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 11, 2003 1:12 PM 
> To: [EMAIL PROTECTED] 
> Subject: Re: Why disable cdp for back-to-back serial connec [7:62798] 
> 
> 
> Lawrence Law wrote: 
> > 
> > Dear Priscilla, 
> > 
> > Thank you for your clear explanation. 
> > 
> > Maybe it is better to disable CDP for a low-speed link, and for 
> > security issues. 
> 
> CDP uses very little bandwidth, so unless it's a really 
> low-speed link, I 
> wouldn't turn it off for that reason. Regarding security, if 
> it's a private 
> point-to-point HDLC link, then security probably isn't too 
> much of an issue. 
> It would be hard for a hacker to see the packets. 
> 
> On the other hand, if the hacker somehow got into a router 
> that was running 
> CDP on any of its interfaces, then the hacker could learn 
> about one or more 
> additional routers, and that's not good. You want to limit 
> how much a hacker 
> can learn. 
> 
> It's sort of a close call since CDP is so helpful for troubleshooting, 
> though. How about the rest of you out there? Do you disable 
> CDP like some 
> security documents say to do? 
> 
> It often occurs to me these days that we spent the '80s and 
> '90s developing 
> all sorts of cool protocols to share info of all sorts, and 
> we're spending 
> the '00s disabling most of them for security reasons. It's a 
> crazy world we 
> live in. 
> 
> Priscilla 
> 
> 
> > 
> > Regards, 
> > Lawrence 
> > 
> > 
> > 
> > "Priscilla Oppenheimer" wrote in 
> > message 
> > news:[EMAIL PROTECTED]... 
> > > Cisco Discovery Protocol (CDP) is a management protocol that 
> > allows routers 
> > > and switches to tell each other about their IOS version, 
> > hardware 
> > platform, 
> > > and basic config info. Some security experts say to disable 
> > it because it 
> > > tells too much. 
> > > 
> > > It has nothing to do with bringing the serial interface 
> > up/up. You could 
> > use 
> > > it or you could not. The two routers on the HDLC link don't 
> > have to agree. 
> > > One could send CDP while the other doesn't and the link 
> > should still come 
> > > up/up, assuming everything is OK at the physical and 
> > data-link layers. 
> > > 
> > > It's too bad they used "no cdp enable" in that simple example 
> > with no 
> > > explanation. I don't think it's the default? So someone had 
> > to type it in, 
> > > so they should have explained it. 
> > > 
> > > Priscilla 
> > > 
> > > 
> > > Lawrence Law wrote: 
> > > > 
> > > > Dear all, 
> > > > 
> > > > 
> > > > From cisco configuration example 
> > > > 
> > > > 
> > > > 
> > > > http://www.cisco.com/en/US/tech/tk713/tk317/technologies_configuration_example09186a00800944ff.shtml
> > > > 
> > > > I'm wondering whether the line "no cdp enable" is required for 
> > > > both routers in order to make a serial connection up for a 
> > > > back-to-back connection. 
> > > > 
> > > > Regards, 
> > > > Lawrence 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62853&t=62853