Rule ID
SV-217041r855896_rule
Version
V3R2
CCIs
LLDPs are primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices, thereby enabling the application to send SNMP queries to those devices. LLDPs are also media- and protocol-independent as they run over the data link layer; therefore, two systems that support different network-layer protocols can still learn about each other. Allowing LLDP messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.
This requirement is not applicable for the DoDIN Backbone.
Review all router configurations to ensure LLDP is not enabled external interface.
protocols {
…
…
…
lldp {
advertisement-interval 30;
interface all;
}
}
If LLDP is configured globally or on any external interface, this is a finding.This requirement is not applicable for the DoDIN Backbone. Disable LLDP on all external interfaces. If necessary, remove the interface all parameter and define all internal interfaces as shown in the example below. [edit protocols lldp] delete interface all set interface ge-0/1/0 set interface ge-0/1/1