You have configured antispoofing ACLs and DHCP snooping.
Which of the following are you most likely securing? (Select the best answer.)
A.
the control plane
B.
the management plane
C.
the data plane
D.
every network plane
Explanation:
Most likely, you are securing the data plane if you have configured antispoofing access control lists (ACLs) and
Dynamic Host Configuration Protocol (DHCP) snooping. The data plane is responsible for traffic passing
through the router, which is referred to as transit traffic. Therefore, data plane security protects against
unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC)
address spoofing, Address Resolution Protocol (ARP) spoofing, DHCP spoofing, unauthorized traffic
interception, and unauthorized network access can be mitigated and monitored by implementing features such
as the following:
– ARP inspection
– Antispoofing ACLs
– DHCP snooping
– Port ACLs (PACLs)
– Private virtual LANs (VLANs)
– Unicast Reverse Path Forwarding (uRPF)
– VLAN ACLs (VACLs)
You are securing the control plane if you have configured Control Plane Policing (CoPP), Control Plane
Protection (CPPr), routing protocol authentication, and filtering. The control plane is responsible for the creation
and maintenance of structures related to routing and forwarding. These functions are heavily dependent on the
CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic
destined for the router, which can modify route paths and consume excessive resources. Path modification can
be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and
Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol
authentication and filtering, VTP authentication, and STP protection features. In addition, excessive CPU and
memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated
by implementing control plane filtering and rate limiting with CoPP and CPPr.
You are securing the management plane if you have configured Authentication, Authorization, and Accounting
(AAA) solutions and Management Plane Protection (MPP). Device configuration protection is associated with
the management plane. Management plane security protects against unauthorized device access and
configuration. Unauthorized access can be mitigated by implementing a strong AAA solution and by
implementing MPP, which creates protected management channels over which administrators must connect in
order to access device administration features. Management traffic can be encrypted by implementing Secure
Shell (SSH). You can mitigate unauthorized configuration of a device by implementing RoleBased Access
Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their
jobs. Detection and logging of management plane access can be performed by implementing Simple Network
Management Protocol version 3 (SNMPv3) and Syslog servers.Cisco: Cisco Guide to Harden Cisco IOS Devices