Is "no SPAN port configured" sufficient to prevent someone from capturing traffic intended for another device, especially someone's password, using sniffer software (e.g. Ethereal) running on a PC connected to the same LAN?
If you have a fully switched network, i.e. no hubs are used, the SPAN feature is completely disabled in those switches, and the logins to the switches are secure, then I would say you are probably safe from sniffer attacks. But to completely mitigate against sniffer attacks, the Cisco SAFE blueprint recommends cryptography (encryption), which would make any data irrelevant even if someone captures it.
I also would consider implementing ARP inspection. There are tools on the internet designed to allow for "man in the middle" attacks. The idea is to answer ARPs for the default gateway with your own MAC. Then all traffic from the respective host is sent to the attacker's host. The applications allow sniffing of all packets, especially because the application inserts the real default gateway MAC and forwards it. So the user might "just" experience performance problems (as all traffic is directed through the attacker's LAN port).
ARP inspection allows a switch to detect such behaviour and error-disable the attacker's port.
I absolutely agree. One thing I would add is to use full port security with the disable option (as opposed to alert). If anyone attempts to become the gateway's MAC, kill their switch port fast! Of course, this would probably prevent you from doing sticky learning, as the attacker could just become a "secure MAC" while stealing traffic by answering the default gateway's ARP.
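As an added illustration of the ARP inspection and port-shutdown behaviour described in the two replies above (this is example code written for this page, not anything from the thread or from Cisco), the script below emulates what Dynamic ARP Inspection does on a switch: every ARP reply arriving on an untrusted port is checked against a trusted IP-to-MAC binding table (on a real switch this is normally the DHCP snooping binding table), and a reply that claims an IP with the wrong MAC, such as a host answering for the default gateway, gets its port err-disabled. The port names, addresses and the ARP replies are constructed sample data, and `inspect` is a hypothetical helper, not a switch API.

```python
"""Constructed emulation of Dynamic ARP Inspection (DAI), not vendor code.

Each ARP reply is validated against a trusted IP->MAC binding table.
Replies on trusted ports (the uplink to the real gateway) are not checked.
A mismatch, or a sender IP with no binding at all, is a violation and the
offending port is err-disabled; anything else from that port is then dropped.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    port: str         # switch port the reply arrived on
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # MAC it wants associated with that IP


@dataclass
class InspectionResult:
    errdisabled_ports: set = field(default_factory=set)
    violations: list = field(default_factory=list)   # (port, ip, claimed_mac, expected_mac)


# Constructed binding table: what the switch has learned from DHCP snooping.
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # default gateway
    "192.168.1.10": "00:11:22:33:44:55",   # ordinary host on Gi0/5
    "192.168.1.20": "00:de:ad:be:ef:07",   # host on Gi0/7
}

# The uplink towards the real router is trusted and never inspected.
TRUSTED_PORTS = {"Gi0/24"}


def inspect(replies, bindings=TRUSTED_BINDINGS, trusted_ports=TRUSTED_PORTS):
    """Run DAI-style validation over a sequence of ArpReply records."""
    result = InspectionResult()
    for reply in replies:
        if reply.port in trusted_ports:
            continue                                  # trusted uplink, pass through
        if reply.port in result.errdisabled_ports:
            continue                                  # port already shut; frame dropped
        expected = bindings.get(reply.sender_ip)
        if expected is None or expected.lower() != reply.sender_mac.lower():
            # Either an unknown IP or an IP claimed with the wrong MAC:
            # exactly the pattern of a host answering ARP for the gateway.
            result.violations.append((reply.port, reply.sender_ip, reply.sender_mac, expected))
            result.errdisabled_ports.add(reply.port)
    return result


# Constructed sample traffic: legitimate replies, then a host on Gi0/7
# answering for the gateway IP with its own MAC, then an unbound IP on Gi0/9.
SAMPLE_REPLIES = [
    ArpReply("Gi0/5", "192.168.1.10", "00:11:22:33:44:55"),   # valid
    ArpReply("Gi0/24", "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway, trusted port
    ArpReply("Gi0/7", "192.168.1.20", "00:de:ad:be:ef:07"),   # valid, own address
    ArpReply("Gi0/7", "192.168.1.1", "00:de:ad:be:ef:07"),    # claims gateway IP -> violation
    ArpReply("Gi0/7", "192.168.1.10", "00:de:ad:be:ef:07"),   # dropped, port already disabled
    ArpReply("Gi0/9", "192.168.1.77", "00:aa:aa:aa:aa:09"),   # no binding -> violation
]


def run_sample():
    """Inspect the constructed replies and return the result."""
    return inspect(SAMPLE_REPLIES)


if __name__ == "__main__":
    res = run_sample()
    for port, ip, mac, expected in res.violations:
        print(f"violation on {port}: {ip} claimed by {mac} (binding: {expected})")
    print("err-disabled:", sorted(res.errdisabled_ports))
```

The same err-disable action is what the "full port security with the disable option" suggestion produces, but keyed on MAC-per-port counts instead of IP-to-MAC consistency; the two complement each other, because port security alone cannot tell that a single allowed MAC is answering ARP for an address it does not own.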
I agree here. One of the things to look out for is whether any asymmetrical routing is taking place (and your timers are not set up correctly); you can get into a situation where all traffic is flooded out all ports in the VLAN, so anyone attached to any port, SPAN or not, would get all the data to a specific device.
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix, in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.
I have a question. I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, it works and everything is fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.