Cisco® CCNA Security Exam Notes : Securing The Control Plane



4. Secure Routing and Switching

4.3 Securing the control plane

For the purpose of securing it, a router's traffic is divided into three planes, each with a clearly defined role. The data plane forwards user (transit) traffic; the control plane carries traffic originated by or destined to the networking device itself, such as routing protocol updates, ARP and ICMP; and the management plane carries traffic originated by a network administrator, such as SSH, SNMP, syslog and NTP. Control plane traffic is process-switched by the route processor, so flooding it is an effective denial of service against the whole device; protecting the control plane therefore means limiting what can reach the CPU and how fast.

Function of control plane policing

Cisco recommends three ways to protect the control plane. These are:

1. CoPP (Control Plane Policing): This feature lets you configure a QoS policy (class maps, a policy map with police actions) that rate-limits and filters the aggregate flow of packets reaching the control plane, protecting the CPU of Cisco IOS routers and switches against attacks such as Denial-of-Service (DoS). The policy is attached to the control-plane interface with a service-policy in the input direction (and, on platforms that support it, the output direction), so it applies to control plane packets regardless of which physical interface they enter on.

2. CPPr (Control Plane Protection): Although it is similar to Control Plane Policing (CoPP), CPPr can restrict and police traffic with finer granularity than CoPP. CPPr divides the aggregate control plane into three separate categories, known as subinterfaces: (1) host (traffic destined to the router itself, such as SSH, SNMP and routing protocols), (2) transit (data plane traffic that is nevertheless software-switched by the CPU, for example packets with IP options) and (3) CEF-exception (traffic that CEF cannot forward in hardware, such as ARP, non-IP packets and packets with TTL 0 or 1). Each subinterface can carry its own policy, and the host subinterface additionally supports a port-filter policy (drop packets to closed TCP/UDP ports) and a queue-threshold policy (cap the number of queued packets per protocol). CPPr protects the control and management planes of a Cisco IOS device, which maintains routing stability, network reachability and packet delivery; its contribution is to availability and integrity of the device, not to confidentiality of the traffic, since it only filters and rate-limits.

3. Routing protocol authentication: By authenticating routing protocol messages (for example OSPF MD5 or HMAC-SHA, EIGRP and RIPv2 key chains, BGP TCP MD5), a router discards updates that do not carry a valid digest, so an attacker's rogue router cannot form an adjacency or inject routes. Without authentication, an attacker who attaches a rogue router to a segment can learn the network topology from the updates it receives and inject routes that draw traffic through the rogue router, allowing interception, modification or blackholing. Note that the digest provides integrity and origin authentication only: updates are still sent in the clear, so an attacker on the segment can still read them, and with MD5 the shared key is a password that should be rotated via key chains where the protocol supports them.
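The following IOS configuration is an added example that ties the three mechanisms above together; it is not from the original notes or from Cisco documentation. It assumes a router with GigabitEthernet0/0 as the management interface and GigabitEthernet0/1 facing an OSPF neighbour, a management subnet of 10.0.0.0/8, and BGP peering; the rates, burst sizes, names and the key strings are constructed placeholders to be replaced with site values.

```cisco
! ---- 1. CoPP: classify what may reach the CPU, then police it ----
! Routing protocol traffic (ACLs are constructed for this example)
ip access-list extended CoPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
! Management traffic, only from the management subnet (assumption: 10.0.0.0/8)
ip access-list extended CoPP-MGMT
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit udp 10.0.0.0 0.255.255.255 any eq snmp
! ICMP needed for path diagnostics; everything else ICMP falls to class-default
ip access-list extended CoPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
class-map match-all CoPP-ROUTING
 match access-group name CoPP-ROUTING
class-map match-all CoPP-MGMT
 match access-group name CoPP-MGMT
class-map match-all CoPP-ICMP
 match access-group name CoPP-ICMP
!
! police <bps> <burst-bytes>; routing is never dropped, only counted when
! it exceeds, so a misjudged rate cannot take down adjacencies.
policy-map CoPP-POLICY
 class CoPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class CoPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 8000 conform-action transmit exceed-action drop
!
! Attach to the aggregate control-plane interface (applies to all ingress ports)
control-plane
 service-policy input CoPP-POLICY
!
! ---- 2. CPPr: finer-grained policy on the host subinterface ----
! Drop packets addressed to TCP/UDP ports the router is not listening on,
! so port scans and junk to closed ports never consume CPU.
class-map type port-filter match-all CPPr-CLOSED-PORTS
 match closed-ports
policy-map type port-filter CPPr-PORT-FILTER
 class CPPr-CLOSED-PORTS
  drop
!
! Limit how many packets per protocol may sit in the host input queue
class-map type queue-threshold match-all CPPr-SNMP
 match protocol snmp
policy-map type queue-threshold CPPr-QUEUE
 class CPPr-SNMP
  queue-limit 50
!
control-plane host
 service-policy type port-filter input CPPr-PORT-FILTER
 service-policy type queue-threshold input CPPr-QUEUE
 ! Management Plane Protection: SSH and SNMP are accepted on Gi0/0 only
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! ---- 3. Routing protocol authentication (OSPF, MD5 digest per interface) ----
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.0 0.0.0.255 area 0
!
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ! key id 1 must match on the neighbour; key string is a placeholder
 ip ospf message-digest-key 1 md5 EXAMPLE-OSPF-KEY
!
! ---- Verification ----
! show policy-map control-plane          (per-class conformed/exceeded counters)
! show policy-map type port-filter control-plane host
! show ip ospf interface GigabitEthernet0/1   (shows "Message digest authentication enabled")
! show ip ospf neighbor                  (neighbour must still reach FULL after the change)
```

Deploy CoPP with `exceed-action transmit` on every class first and read `show policy-map control-plane` for a few days to learn real rates before switching management and default classes to `drop`; policing routing protocols to `drop` is the classic way to turn a protection into an outage. When enabling OSPF authentication, configure both ends within the dead interval or the adjacency drops, and prefer `ip ospf authentication key-chain` with an HMAC-SHA algorithm on IOS releases that support it.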
