On Catalyst switches, you can use the "set port host" macro. It turns a bunch of stuff off.
That won't help with HSRP, though. HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-) You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out...

_______________________________
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

s vermill wrote:
>
> Larry Letterman wrote:
> >
> > disable STP on the port...
> >
> > --
> >
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
>
> Thanks Larry. I've never claimed to be a security expert. I
> generally get the network going and let the local policy folk
> implement what they see fit. I guess turning off STP is a
> start, but I thought that I once ran across a simple command
> that made an access port truly an access port. As part of a
> turnover process, a security audit was conducted on a network
> we've recently built. One of the red flags thrown at us was
> that STP, HSRP, and VTP information could be passively
> collected. All true. So are L2 ACLs the only answer? I
> thought Cisco addressed this in some way, but again, I
> sometimes remember things that never happened.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61810&t=61796
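The point Priscilla makes about HSRP, as an added example that is not part of the original thread or anyone's posted code: an HSRP version 1 hello (RFC 2281) is a 20-byte UDP payload to 224.0.0.2 port 1985, and its 8-byte authentication field is plain ASCII, so anyone sniffing the segment reads it directly. The sample packet below is constructed by hand (version 0, Hello, Active state, default 3/10 second timers, priority 100, group 1, the IOS default authentication string "cisco", virtual IP 192.168.1.1); the router addresses used in the preemption check are likewise made up. The election ordering the check models is the one in RFC 2281 (higher priority wins, ties go to the higher IP address); whether the legitimate active router actually yields also depends on its state machine and preemption handling, which the function does not model. To answer the "did Cisco ever fix this" question: later IOS releases support keyed MD5 authentication for HSRP (`standby <group> authentication md5 key-string <key>`), which replaces the cleartext field with a hash over the packet and a shared secret.

```python
"""Decode an HSRP v1 hello and show the cleartext authentication field.

Added example, not code from the original mailing-list thread. The sample
packet and addresses below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# RFC 2281 section 5.1: 8 one-byte fields, 8-byte auth data, 4-byte virtual IP.
HSRP_V1_FORMAT = "!BBBBBBBB8s4s"
HSRP_UDP_PORT = 1985            # sent to multicast 224.0.0.2
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpHello:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    authdata: str       # cleartext on the wire, NUL-padded to 8 bytes
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpHello:
    """Decode the fixed 20-byte HSRP v1 header from a UDP payload."""
    size = struct.calcsize(HSRP_V1_FORMAT)
    if len(payload) < size:
        raise ValueError("payload too short for HSRP v1")
    ver, op, st, hello, hold, prio, grp, _reserved, auth, vip = struct.unpack(
        HSRP_V1_FORMAT, payload[:size])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version field {ver}")
    return HsrpHello(
        version=ver,
        opcode=OPCODES.get(op, f"opcode{op}"),
        state=STATES.get(st, f"state{st}"),
        hellotime=hello,
        holdtime=hold,
        priority=prio,
        group=grp,
        # Nothing to decrypt: the secret is the bytes themselves.
        authdata=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=str(ipaddress.IPv4Address(vip)),
    )


def build_hsrp_hello(priority: int, group: int, authdata: str, virtual_ip: str,
                     hellotime: int = 3, holdtime: int = 10, state: int = 16) -> bytes:
    """Encode an HSRP v1 Hello; used here to show the field layout, not sent."""
    auth = authdata.encode("ascii")[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_V1_FORMAT, 0, 0, state, hellotime, holdtime,
                       priority, group, 0, auth, ipaddress.IPv4Address(virtual_ip).packed)


def would_win_election(challenger_priority: int, challenger_ip: str,
                       active: HsrpHello, active_ip: str) -> bool:
    """RFC 2281 ordering: higher priority wins, ties go to the higher IP."""
    if challenger_priority != active.priority:
        return challenger_priority > active.priority
    return ipaddress.IPv4Address(challenger_ip) > ipaddress.IPv4Address(active_ip)


# Constructed capture: what a sniffer on the segment sees from the active
# router of group 1 (priority 100, default auth string "cisco").
CAPTURED_HELLO = (
    b"\x00\x00\x10\x03\x0a\x64\x01\x00"   # ver, Hello, Active, 3s, 10s, prio 100, grp 1, rsvd
    + b"cisco\x00\x00\x00"                # authentication field, plain ASCII
    + bytes([192, 168, 1, 1])             # virtual IP
)

if __name__ == "__main__":
    hello = parse_hsrp(CAPTURED_HELLO)
    print(hello)
    # A host with the sniffed string and priority 255 outranks the real router.
    print(would_win_election(255, "192.168.1.250", hello, "192.168.1.2"))
```

The decoder is what an audit tool that "passively collects HSRP information" amounts to; the election check makes the consequence concrete: once the cleartext string is known, nothing else distinguishes a legitimate router from any other host on the segment, which is why the keyed-MD5 option matters.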

