Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-25 Thread Larry Letterman
servers with a VACL... Larry Letterman Network Engineer Cisco Systems - Original Message - From: Daniel Cotts To: Sent: Friday, January 24, 2003 2:49 PM Subject: RE: How to Block STP, VTP, etc. on Access Ports? [7:61796] It appears that the Security Consultants then didn't earn

How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Group, I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP, HSRP, etc. from hitting access ports? Thanks much! Scott Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61796t=61796

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Larry Letterman
disable STP on the port... -- Larry Letterman Network Engineer Cisco Systems s vermill wrote in message news:[EMAIL PROTECTED]... Group, I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP,

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Larry Letterman wrote: disable STP on the port... -- Larry Letterman Network Engineer Cisco Systems Thanks Larry. I've never claimed to be a security expert. I generally get the network going and let the local policy folk implement what they see fit. I guess turning off STP is a

RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Daniel Cotts
. -Original Message- From: s vermill [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 2:17 PM To: [EMAIL PROTECTED] Subject: How to Block STP, VTP, etc. on Access Ports? [7:61796] Group, I sometimes remember things that never happened. Do I remember that there is a simple

RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Daniel Cotts wrote: On CatOS switches there is the set port host command. To optimize the port configuration, the set port host command sets channel mode to off, enables spanning tree PortFast, sets the trunk mode to off, and disables the dot1q tunnel feature. Only an end station can

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though. HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
Priscilla Oppenheimer wrote: On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though. HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Jens Neelsen
Hi, disabling STP is not recommended. Use Portfast instead. VTP is only active on trunk ports. HSRP is configured per interface (on router). What do you want to achieve? Jens Neelsen CCNP, CCDP, CCSI --- Larry Letterman wrote: disable STP on the port... -- Larry Letterman Network

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Priscilla Oppenheimer wrote: Priscilla Oppenheimer wrote: On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though. HSRP is definitely hackable. If you can see the packets, you can see the unencrypted

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Jens Neelsen wrote: Hi, disabling STP is not recommended. Use Portfast instead. VTP is only active on trunk ports. HSRP is configured per interface (on router). What do you want to achieve? Jens Neelsen CCNP, CCDP, CCSI Jens, Thanks. I have no intention of turning off STP. We

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
Oh, good point regarding fixing the HSRP hole. An access list solves the problem. For your other issues, though, you don't need an access list probably, just set port host if your switch supports it (or something similar on other switches). The Center for Internet Security has some good info for

Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Priscilla Oppenheimer wrote: Oh, good point regarding fixing the HSRP hole. An access list solves the problem. For your other issues, though, you don't need an access list probably, just set port host if your switch supports it (or something similar on other switches). These are 6509s.

RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Daniel Cotts
It appears that the Security Consultants then didn't earn their fee. Must be a company run by Dogbert. Consulting truism: The higher up the chain of command you sell your services - the less you have to know and the higher you can charge. -Original Message- From: s vermill