352-001 · Question #596
Which two items are required for data plane hardening of an infrastructure device? (Choose two)
The correct answer is E. Infrastructure ACLs G. Control Plane Policing. Infrastructure ACLs and Control Plane Policing are the two primary mechanisms used to harden infrastructure devices against unauthorized data plane traffic reaching critical device resources.
Question
Which two items are required for data plane hardening of an infrastructure device? (Choose two)
Options
- ADisable unused services
- BRouting protocol authentication
- CSNMPv3
- DRedundant AAA servers
- EInfrastructure ACLs
- FWarning banners
- GControl Plane Policing
How the community answered
(24 responses)- A4% (1)
- D4% (1)
- E92% (22)
Why each option
Infrastructure ACLs and Control Plane Policing are the two primary mechanisms used to harden infrastructure devices against unauthorized data plane traffic reaching critical device resources.
Disabling unused services is a management plane hardening technique that reduces attack surface on the device itself but does not harden the data plane.
Routing protocol authentication secures control plane adjacencies against injection attacks but does not filter or police data plane traffic.
SNMPv3 provides authenticated and encrypted management plane access but has no role in data plane hardening.
Redundant AAA servers improve management plane availability and resilience but are not a data plane hardening control.
Infrastructure ACLs (iACLs) are deployed at network ingress points to explicitly permit only authorized traffic destined for infrastructure address space and drop everything else, directly filtering data plane traffic before it can reach the device.
Warning banners are a legal deterrent and management plane control and provide no technical data plane protection.
Control Plane Policing (CoPP) rate-limits or drops traffic that is punted from the data plane up to the route processor, preventing CPU exhaustion attacks and protecting the control plane from data plane-sourced floods.
Concept tested: Infrastructure device data plane hardening with iACLs and CoPP
Source: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Topics
Community Discussion
No community discussion yet for this question.