For complete security, a router's traffic is typically segmented into three planes, each with a clearly identified objective. The data plane enables forwarding of user traffic securely; the control plane enables forwarding of traffic originating at the networking device such as routing protocol traffic securely and the management plane enables forwarding of traffic that is originated by a network administrator securely
Function of control plane policing
Cisco recommends three ways to protect Control plane. These are:
1. CoPP (Control Plane Policing): This feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the CP of Cisco IOS routers and switches against various attacks like Denial-of-Service (DoS). Hence a set of rules can be established and associated to the input and output ports of the CP.
2. CoPPr: Although it is similar to Control Plane Policing (CoPP), CPPr has the ability to restrict/police traffic using finer granularity than that used by CoPP. CPPr divides the aggregate control plane into three separate control plane categories, known as subinterfaces: (1) host, (2) transit, and (3) CEF-exception. CPPr protects the control and management planes of a Cisco IOS device, which maintains routing stability, network reachability, and packet delivery. Overall, CPPr increases the reliability, confidentiality (security), integrity, and availability of network devices. Using CPPr you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.
3. Routing protocol authentication: By using routing protocol authentication, it is possible to eliminate the routing traffic from an attacker using a rogue router on the network. By using a rogue router, an attacker will be able learn the network architecture, and inject his own routes to drive the traffic to the rogue router, thereby compromising the network security.