23 Dec 2011, 4:13 p.m.
On Fri, 23 Dec 2011, Tomas Podermanski wrote:
Port security does not help in that case (same as 802.1x). Port security is a layer 2 feature, so all layer 3 attacks can still be performed. That protects only against source MAC address spoofing. All other attacks like DAD DoS, NDP exhaustion, RA flooding etc. can be performed even though port security is implemented.
If you can limit the number of ARP/NDP entries per interface and you complement RAGuard and DHCPv4 snooping, you are done. With "extended port security" such features are coming...

Best Regards,
Janos Mohacsi