Posted by: Carole Warner Reece
on Jun 29, 2008
One of the NetCraftsmen engineers mentioned a condition where CDP can potentially leak information -- this is based on a thread on the c-nsp mailer.
An organization had 'cdp off' on a POS1/0/0 interface which is an STM-16 link. After changing the encapsulation from ppp to hdlc, the IOS automatically changes CDP to be on without even a system message. This could be an issue if you are trying to maintain a secure router.
This behavior has been documented in CSCso40579, but has been marked closed. CSCso59137 (sev=4) documents the behavior as working as designed. This bugid will print a CDP status change message when such an event occurs.
Moral of the story - if you want your router to stay secure, always double check your settings after making configuration updates since things might change without you knowing it.
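One way to act on that advice is to diff the effective CDP state of every interface between a configuration snapshot taken before a change and one taken after. The script below is an added example, not code from the original post or from NetCraftsmen; it assumes standard IOS syntax (`cdp run` / `no cdp run` globally, `no cdp enable` per interface), and both configuration snippets are constructed to mirror the situation the post describes, with the `no cdp enable` line silently gone after the encapsulation change.

```python
"""Detect CDP drift between two IOS running-config snapshots.

Added example for this post, not code from the original page or from
NetCraftsmen. Assumes the interface-level CDP command is 'no cdp enable'
and the global one is 'no cdp run' (standard IOS syntax); the config
snippets below are constructed, not captured from a real router.
"""
import re

# Constructed "before" snapshot: CDP disabled on the POS link.
CONFIG_BEFORE = """\
hostname edge-rtr
cdp run
!
interface POS1/0/0
 ip address 192.0.2.1 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
"""

# Constructed "after" snapshot: encapsulation changed to hdlc, and the
# 'no cdp enable' line has silently disappeared, as the post describes.
CONFIG_AFTER = """\
hostname edge-rtr
cdp run
!
interface POS1/0/0
 ip address 192.0.2.1 255.255.255.252
 encapsulation hdlc
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
"""


def cdp_state(config: str) -> dict:
    """Return {interface: True/False} giving the effective CDP state.

    CDP runs on an interface only if it is enabled globally (the default,
    cleared by 'no cdp run') and not disabled on the interface itself.
    """
    lines = config.splitlines()
    global_on = not any(l.strip() == "no cdp run" for l in lines)
    states, current = {}, None
    for line in lines:
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            states[current] = global_on   # inherit the global setting
            continue
        if current and line.strip() == "no cdp enable":
            states[current] = False
        if line.strip() == "!":           # end of the interface stanza
            current = None
    return states


def cdp_drift(before: str, after: str) -> list:
    """List (interface, was_on, now_on) for every interface whose CDP state changed."""
    b, a = cdp_state(before), cdp_state(after)
    return [(ifname, b.get(ifname), a.get(ifname))
            for ifname in sorted(set(b) | set(a))
            if b.get(ifname) != a.get(ifname)]


if __name__ == "__main__":
    for ifname, was, now in cdp_drift(CONFIG_BEFORE, CONFIG_AFTER):
        print(f"{ifname}: CDP was {'on' if was else 'off'}, now {'on' if now else 'off'}")
```

Run against the two constructed snapshots it reports `POS1/0/0: CDP was off, now on`; in practice you would feed it the archived pre-change config and a fresh `show running-config`, and treat any interface flipping from off to on as a finding to fix (and to verify with `show cdp interface`, since the running config alone is what the post says misled the operator).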
Posted by: Rob Chee
on Jun 13, 2008
It looks like Cisco has been fixing NAT issues with DMVPN. They fixed the NAT issue for spokes talking to the hub using NAT traversal. This is the same method that VPN clients use. It uses UDP port 4500 to send the IPSec traffic instead of IP protocol 50 (ESP) and IP protocol 51 (AH).
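The operational consequence of that change is that a firewall in front of a NATed spoke which only permits IP protocol 50 and 51 toward the hub will drop the tunnel once NAT traversal kicks in, because the IPsec traffic now arrives as UDP/4500. The script below is an added example, not code from the original post or from Cisco; it checks a simple permit list against constructed flow records (IKE on UDP/500 is standard, the other numbers are the ones the post names).

```python
"""Check whether a stateless permit list still passes DMVPN traffic once
spokes use IPsec NAT traversal (UDP/4500) instead of raw ESP/AH.

Added example, not code from the original post or from Cisco. The flow
records are constructed; ESP (50), AH (51) and UDP/4500 are the values
the post names, and IKE on UDP/500 is standard.
"""
ESP, AH, UDP = 50, 51, 17          # IP protocol numbers (17 is UDP)
IKE_PORT, NAT_T_PORT = 500, 4500   # IKE and IPsec NAT-T UDP ports

# Constructed flow records: (src, dst, ip_proto, dst_port); dst_port is
# None for protocols that carry no ports (ESP, AH).
FLOWS = [
    ("10.1.1.2",    "203.0.113.1", UDP, IKE_PORT),    # spoke behind NAT: IKE
    ("10.1.1.2",    "203.0.113.1", UDP, NAT_T_PORT),  # same spoke: IPsec inside UDP/4500
    ("203.0.113.5", "203.0.113.1", ESP, None),        # public spoke: native ESP
    ("203.0.113.5", "203.0.113.1", AH,  None),        # public spoke: native AH
    ("10.1.1.2",    "203.0.113.1", UDP, 53),          # unrelated DNS, ignored
]


def classify(proto, dport):
    """Label one flow by the role it plays in the VPN."""
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto == UDP and dport == NAT_T_PORT:
        return "nat-t"
    if proto == UDP and dport == IKE_PORT:
        return "ike"
    return "other"


def blocked_by(policy, flows):
    """Return (src, dst, label) for the VPN flows a permit list would drop.

    policy is a set of (ip_proto, dst_port) permits; a dst_port of None
    means the protocol is permitted regardless of port (ESP/AH have none).
    Non-VPN flows are out of scope and skipped.
    """
    dropped = []
    for src, dst, proto, dport in flows:
        label = classify(proto, dport)
        if label == "other":
            continue
        if (proto, dport) in policy or (proto, None) in policy:
            continue
        dropped.append((src, dst, label))
    return dropped


# Pre-NAT-T permit list: only native IPsec plus IKE toward the hub.
LEGACY_POLICY = {(ESP, None), (AH, None), (UDP, IKE_PORT)}
# Permit list updated for NAT traversal.
NAT_T_POLICY = LEGACY_POLICY | {(UDP, NAT_T_PORT)}

if __name__ == "__main__":
    print("legacy policy drops:", blocked_by(LEGACY_POLICY, FLOWS))
    print("NAT-T policy drops: ", blocked_by(NAT_T_POLICY, FLOWS))
```

With the legacy permit list the NAT-T flow from the spoke behind NAT is reported as dropped while the public spoke's ESP and AH pass, which is exactly the asymmetry to look for when a DMVPN spoke stops coming up after being placed behind a NAT device; adding the UDP/4500 permit clears it.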