Which of the following security functions is associated with the data plane? (Select 2 choices.)
A. device configuration protection
B. signaling protection
C. traffic conditioning
D. traffic filtering
Explanation:
Traffic conditioning and traffic filtering are security features that are associated with the data plane. Cisco
devices are generally divided into three planes: the control plane, the management plane, and the data plane.
Each plane is responsible for different operations, and each plane can be secured by implementing various
security methods.
The data plane is responsible for traffic passing through the router, which is referred to as transit traffic.
Therefore, data plane security protects against unauthorized packet transmission and interception. Threats
such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP)
spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and
unauthorized network access can be mitigated and monitored by implementing features such as the following:
– ARP inspection
– Antispoofing access control lists (ACLs)
– DHCP snooping
– Port ACLs (PACLs)
– Private virtual LANs (VLANs)
– Unicast Reverse Path Forwarding (uRPF)
– VLAN ACLs (VACLs)
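As an added illustration (not taken from the cited Cisco guide), the following IOS configuration applies several of the data-plane features listed above on two hypothetical devices: an access switch (DHCP snooping and Dynamic ARP Inspection on user VLAN 10, with Gi0/1 as the trusted uplink) and an edge router (an antispoofing ACL plus strict uRPF on the Internet-facing interface Gi0/0). The VLAN number, interface names and the site prefix 192.0.2.0/24 are assumptions chosen for the example.

```cisco
! ===== Access switch: data-plane protection against DHCP and ARP spoofing =====
! Assumed: VLAN 10 is the user VLAN, Gi0/1 is the uplink toward the DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! DAI validates ARP replies against the DHCP snooping binding table.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink - trusted for DHCP server replies and ARP
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 description User access ports - untrusted, rate limited
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! ===== Edge router: antispoofing ACL and uRPF on the Internet uplink =====
! Assumed: 192.0.2.0/24 is the site's own prefix; it must never arrive from outside.
ip access-list extended ANTISPOOF-IN
 remark Drop inbound packets claiming an internal or non-routable source
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group ANTISPOOF-IN in
 ! Strict uRPF: drop transit packets whose source route does not point back out Gi0/0
 ip verify unicast source reachable-via rx
```

To confirm the features are active, check `show ip dhcp snooping binding` and `show ip arp inspection vlan 10` on the switch, and `show ip interface GigabitEthernet0/0` on the router for the uRPF and inbound ACL lines.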
The control plane is responsible for the creation and maintenance of structures related to routing and
forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control
plane security methods protect against unauthorized traffic destined for the router, which can modify route
paths and consume excessive resources. Path modification can be caused by manipulating the traffic
generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path
modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP
authentication, and STP protection features. In addition, excessive CPU and memory consumption can be
caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control
plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Device configuration protection is associated with the management plane. Management plane security protects
against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing
a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane
Protection (MPP), which creates protected management channels over which administrators must connect in
order to access device administration features. Management traffic can be encrypted by implementing Secure
Shell (SSH). You can mitigate unauthorized configuration of a device by implementing Role-Based Access
Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their
jobs. Detection and logging of management plane access can be performed by implementing Simple Network
Management Protocol version 3 (SNMPv3) and Syslog servers.
Cisco: Cisco Guide to Harden Cisco IOS Devices