You have configured antispoofing ACLs and DHCP snooping.
Which of the following are you most likely securing? (Select the best answer.)
- the control plane
- the management plane
- the data plane
- every network plane
Most likely, you are securing the data plane if you have configured antispoofing access control lists (ACLs) and Dynamic Host Configuration Protocol (DHCP) snooping. The data plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, DHCP spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
– ARP inspection
– Antispoofing ACLs
– DHCP snooping
– Port ACLs (PACLs)
– Private virtual LANs (VLANs)
– Unicast Reverse Path Forwarding (uRPF)
– VLAN ACLs (VACLs)
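The following Cisco IOS configuration is an added example, not part of the original question or its explanation. It shows the two features named in the question, with ARP inspection and uRPF from the list above, applied to transit traffic. The VLAN number, interface names, ACL name and the 198.51.100.0/24 internal prefix are constructed for illustration.

```cisco
! Access switch (constructed: VLAN 10 is the user VLAN, Gi0/1 is the uplink)
! DHCP snooping builds the binding table that ARP inspection validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server
 ! Only trusted ports may forward DHCP server replies (OFFER/ACK).
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 description User access port (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! Rate-limit DHCP packets from the host, in packets per second.
 ip dhcp snooping limit rate 15
!
! Edge router (constructed: Gi0/0 faces outside, 198.51.100.0/24 is internal)
ip access-list extended ANTISPOOF-IN
 remark Drop outside packets whose source cannot be legitimate
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark The internal prefix must never arrive as a source from outside
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside interface
 ip access-group ANTISPOOF-IN in
 ! Strict uRPF: drop packets whose source is not reachable via this interface.
 ip verify unicast source reachable-via rx
```

Every command here filters or validates packets passing through the device, which is why these features belong to the data plane rather than to the control or management plane.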
You are securing the control plane if you have configured Control Plane Policing (CoPP), Control Plane Protection (CPPr), routing protocol authentication, and filtering. The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the router, which can modify route paths and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP protection features. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate limiting with CoPP and CPPr.
You are securing the management plane if you have configured Authentication, Authorization, and Accounting (AAA) solutions and Management Plane Protection (MPP). Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong AAA solution and by implementing MPP, which creates protected management channels over which administrators must connect in order to access device administration features. Management traffic can be encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.