What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Explanation:
Data Plane Security
Data plane security can be implemented using the following features:
Access control lists
Access control lists (ACLs) perform packet filtering to control which packets move through the
network and where.
Antispoofing
ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid
source address.
Layer 2 security features
Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.
ACLs
ACLs are used to secure the data plane in a variety of ways, including the following:
Block unwanted traffic or users
ACLs can filter incoming or outgoing packets on an interface, controlling access based on
source addresses, destination addresses, or user authentication.
Reduce the chance of DoS attacks
ACLs can be used to specify whether traffic from hosts, networks, or users can access the
network. The TCP intercept feature can also be configured to prevent servers from being
flooded with requests for a connection.
Mitigate spoofing attacks
ACLs enable security practitioners to implement recommended practices to mitigate spoofing
attacks.
Provide bandwidth control
ACLs on a slow link can prevent excess traffic.
Classify traffic to protect other planes
ACLs can be applied on vty lines (management plane).
ACLs can control routing updates being sent, received, or redistributed (control plane).
Antispoofing
Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering
renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from
valid, reachable IP addresses which could be traced to the originator of an attack.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the
antispoofing strategy.
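The following added example (not part of the original explanation) models how an ingress ACL and a strict-mode uRPF check complement each other on customer-facing interfaces. The interface names, prefixes and the stale ACL entry are constructed assumptions; this is a simulation of the decision logic, not device configuration.

```python
import ipaddress

# Constructed sample data. Interface names are hypothetical; the prefixes
# come from the documentation ranges (RFC 5737).
# Ingress ACL per interface: source prefixes the edge is configured to permit.
# Gi0/2 carries a stale entry (/24) that is wider than what is routed (/25).
INGRESS_ACL = {
    "Gi0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "Gi0/2": [ipaddress.ip_network("203.0.113.0/24")],
}

# Forwarding table consulted by uRPF: (prefix, interface the route points to).
FIB = [
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/1"),
    (ipaddress.ip_network("203.0.113.0/25"), "Gi0/2"),
]


def acl_permits(iface, src):
    """RFC 2827 style ingress filter: source must be in a permitted prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_ACL.get(iface, []))


def urpf_strict(iface, src):
    """Strict uRPF: the best route back to the source must use the arrival interface."""
    addr = ipaddress.ip_address(src)
    matches = [(net, out) for net, out in FIB if addr in net]
    if not matches:
        return False  # no route back to the source at all
    _, out_iface = max(matches, key=lambda m: m[0].prefixlen)  # longest match
    return out_iface == iface


def check(iface, src):
    """Return 'forward', or which control discarded the packet."""
    if not acl_permits(iface, src):
        return "drop:acl"
    if not urpf_strict(iface, src):
        return "drop:urpf"
    return "forward"


if __name__ == "__main__":
    for iface, src in [("Gi0/1", "198.51.100.7"), ("Gi0/1", "203.0.113.5"),
                       ("Gi0/2", "203.0.113.200"), ("Gi0/1", "10.1.1.1")]:
        print(iface, src, check(iface, src))
```

The third packet passes the over-broad ACL on Gi0/2 but is discarded by the uRPF check because no route leads back to that source through the arrival interface.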
Layer 2 Data Plane Protection
The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
Port security
Prevents MAC address spoofing and MAC address flooding attacks
DHCP snooping
Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and
switch
Dynamic ARP inspection (DAI)
Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP
poisoning and spoofing attacks
IP source guard
Prevents IP address spoofing by using the DHCP snooping table