Protect control plane
The control plane traffic is the traffic that network devices send between each other (without interaction from an administrator) for automatic network discovery and configuration. Examples of such traffic are routing updates or ARP messages. If a failure occurs in this plane, the devices might lose the ability to share or learn routing information. Here are the security measures you can use to protect the control plane:
- Control Plane Policing (CoPP) – an IOS feature that enables you to manage the flow of traffic handled by the CPU of your network devices. This feature is designed to prevent unnecessary traffic from overwhelming the CPU. You can configure this as a filter for any traffic destined to the IP address of an IOS device. For example, you can specify that management traffic (e.g. SSH) is rate-limited down to a specific level. If an attack occurs that involves an excessive amount of this type of traffic, the excess traffic above the specified threshold will simply be ignored and not processed by the CPU.
- Cisco Control Plane Protection (CPPr) – an extension of the CoPP feature set that enables finer classification of the traffic that is going to use the CPU. CPPr creates three virtual control plane categories (also known as subinterfaces) under the aggregate control plane interface:
  - Host subinterface – all control plane and management plane traffic destined for one of the router's physical or logical interfaces that must be handled by the CPU.
  - Transit subinterface – certain data plane traffic traversing the router that requires CPU intervention before forwarding (such as IP options).
  - CEF-exception subinterface (CEF is Cisco Express Forwarding) – traffic related to network operations, such as keepalives or packets whose Time-To-Live (TTL) is expiring.
- Routing protocol authentication – routing updates should be authenticated in order to remove the possibility of an attacker manipulating routing tables by introducing a rogue router running the same routing protocol. If you use authentication, a rogue router on the network will not be trusted by the routers in your network.
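The CoPP rate limit for management traffic described above and the routing-update authentication from the last item, as an added IOS configuration example that is not from the original page; the ACL, class and policy names, the rates, the interface and the key are assumed placeholders and must be adapted to the device:

```cisco
! Added example (not from the original page): a minimal CoPP policy plus
! OSPF authentication on IOS. Names, rates, interface and key are placeholders.
!
! 1. Classify traffic that will be punted to the CPU. Routing protocol packets
!    are matched so they can be policed with exceed-action transmit (counted,
!    never dropped); SSH is matched so it can be rate-limited.
ip access-list extended ACL-COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
ip access-list extended ACL-COPP-MGMT
 permit tcp any any eq 22
!
class-map match-all COPP-ROUTING
 match access-group name ACL-COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name ACL-COPP-MGMT
!
! 2. Police each class. The first value is bits per second, the second is the
!    burst size in bytes; tune both to a baseline taken from the show command below.
policy-map COPP-POLICY
 class COPP-ROUTING
  police 256000 32000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 4000 conform-action transmit exceed-action drop
!
! 3. Attach the policy to the aggregate control plane interface.
control-plane
 service-policy input COPP-POLICY
!
! 4. Authenticate routing updates (OSPF MD5 shown). Every router on the
!    segment must use the same key id and key, otherwise adjacencies fail.
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
! Verification: "show policy-map control-plane" reports conformed and exceeded
! counters per class; "show ip ospf interface GigabitEthernet0/0" should show
! "Message digest authentication enabled".
```

A rising exceeded counter on the COPP-MGMT class during normal operation means the limit is below legitimate management load and should be raised before it is relied on as a flood control.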