4.12.1 Ensure LLDP is Disabled if not Required

Information

LLDP should be disabled when not required

Rationale:

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral and widely supported standard used for network devices to advertise information about their capabilities, identity, software and management details to other network devices on the LAN. LLDP is specified in the IEEE 802.1AB-2005 standard.

It is broadly similar in purpose and application to the older, proprietary Cisco Discovery Protocol (CDP) which is still widely used in Cisco networks, but less widely in multivendor environments (and is not supported on Junos).

Devices configured for LLDP advertise information on all chosen Ethernet interfaces by sending an Ethernet frame containing an LLDPDU to a multicast address (several address options exist, including unicast) which 802.1D-compliant switches should not forward further. This information is specified in a sequence of Type-Length-Value (TLV) data structures, which may include:

System hostname and description (system-name and system-description TLVs)

Port details and description for the sending interface (mac-phy-config-status, port-description)

VLAN name and description for the sending interface (vlan-name, port-vid)

Management IP address for the Junos device (management-address)

Device capabilities (such as Switch or Router) (system-capabilities, preformatted based on model)

LAGP Link Aggregation information (link-aggregation)

Device Serial Number (jnpr-chassis-serial)

Further information and additional TLVs

This information can be extremely useful when documenting or troubleshooting a network, but is also extremely useful to a potential attacker, either directly connected to the device or having compromised a neighbouring device.

To reduce the information given to a potential attacker, in high security environments LLDP should be disabled where it is not absolutely required for normal operation. LLDP can either be disabled globally, or on a per interface basis (for example, leaving LLDP enabled on access ports where it may be used for PoE or VoIP applications, but disabling it on infrastructure links or connections to untrusted networks).

Impact:

LLDP is commonly used to support VoIP and devices such as Wireless APs or Access Control systems which make use of PoE for power - disabling LLDP or LLDP-MED for these interfaces may result in service disruption.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To turn off LLDP globally for all interfaces, issue the following command from the [edit protocols] configuration hierarchy:

[edit protocols]
user@host# set lldp disable

Sending of LLDPDUs is then disabled, while any LLDP-related configuration is retained (but ignored).

Alternatively, LLDP can be disabled on a per-interface basis from the [edit protocols] configuration hierarchy. To disable LLDP for a specific interface, leaving it enabled for all others:

[edit protocols]
user@host# set lldp interface <interface name> disable

Or, to disable LLDP on all interfaces and allow it only on specific ports:

[edit protocols]
user@host# delete lldp interface all
user@host# set lldp interface <interface name>

This procedure should be repeated for all Routing Instances/Logical Systems where LLDP is configured but not required.
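As an added audit check (not part of the CIS benchmark or the Nessus plugin), the following Python script parses Junos "show configuration protocols lldp | display set" output and reports which interfaces still send LLDPDUs, treating a missing lldp stanza as disabled in line with the default value below. The sample configuration and the allowed-interface set are constructed for illustration.

```python
import re

# Constructed sample of Junos "show configuration protocols lldp | display set"
# output; it is not taken from any real device.
SAMPLE_CONFIG = """\
set protocols lldp interface all
set protocols lldp interface ge-0/0/0 disable
set protocols lldp interface ge-0/0/5
set protocols lldp management-address 192.0.2.1
"""

LLDP_LINE = re.compile(r"^set protocols lldp(?: (.*))?$")
IFACE_LINE = re.compile(r"^interface (\S+)(?: (.*))?$")

def lldp_state(config_text):
    """Summarise LLDP state from Junos 'display set' text.

    Returns (configured, globally_disabled, enabled_interfaces), where
    enabled_interfaces lists interface names (or 'all') that still send
    LLDPDUs. With no lldp stanza at all, Junos leaves LLDP disabled.
    """
    configured = False
    globally_disabled = False
    interfaces = {}  # interface name -> True if enabled, False if disabled
    for raw in config_text.splitlines():
        m = LLDP_LINE.match(raw.strip())
        if not m:
            continue
        configured = True
        rest = m.group(1) or ""
        if rest == "disable":  # 'set lldp disable': global off switch
            globally_disabled = True
            continue
        im = IFACE_LINE.match(rest)
        if im:
            name, extra = im.groups()
            if extra == "disable":  # 'set lldp interface <name> disable'
                interfaces[name] = False
            else:  # plain interface entry or other per-interface knobs
                interfaces.setdefault(name, True)
    if not configured or globally_disabled:
        return configured, globally_disabled, []
    enabled = sorted(n for n, on in interfaces.items() if on)
    return configured, globally_disabled, enabled

def is_compliant(config_text, allowed_interfaces=()):
    """True when LLDPDUs are sent only on interfaces the operator allows."""
    _, _, enabled = lldp_state(config_text)
    return "all" not in enabled and set(enabled) <= set(allowed_interfaces)
```

A config that still carries "interface all" fails the check even when individual ports are disabled, since every other port keeps advertising.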

Default Value:

LLDP is disabled by default

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv7|9

Plugin: Juniper

Control ID: c3a8d0085de7390db4d6e767ec87805c602458826257dd0bfcfc1a633a2e6de6