nerdexam
Cisco

400-007 · Question #139

Which three items do you recommend for control plane hardening of an infrastructure device? (Choose three.)

The correct answer is B. Control Plane Policing E. SNMPv3 F. routing protocol authentication. Control plane hardening protects a device's routing and management processes by limiting malicious traffic, securing management protocols, and authenticating routing peers.

Designing Security

Question

Which three items do you recommend for control plane hardening of an infrastructure device? (Choose three.)

Options

  • Aredundant AAA servers
  • BControl Plane Policing
  • Cwarning banners
  • Dto enable unused .services
  • ESNMPv3
  • Frouting protocol authentication

How the community answered

(52 responses)
  • A
    4% (2)
  • B
    79% (41)
  • C
    6% (3)
  • D
    12% (6)

Why each option

Control plane hardening protects a device's routing and management processes by limiting malicious traffic, securing management protocols, and authenticating routing peers.

Aredundant AAA servers

Redundant AAA servers improve authentication service availability and resilience but do not directly harden the control plane against traffic-based or protocol-based attacks.

BControl Plane PolicingCorrect

Control Plane Policing (CoPP) rate-limits traffic destined for the device's control plane processor, protecting it from CPU exhaustion and denial-of-service attacks targeting the routing engine.

Cwarning banners

Warning banners serve a legal and compliance purpose by notifying users of authorized-use policies and have no direct technical effect on control plane security.

Dto enable unused .services

Enabling unused services expands the device attack surface - security best practice requires disabling all unused services, not enabling them.

ESNMPv3Correct

SNMPv3 provides authentication and encryption for network management traffic, preventing unauthorized access, eavesdropping, or tampering with device management communications.

Frouting protocol authenticationCorrect

Routing protocol authentication (such as MD5 or SHA for OSPF or BGP) prevents malicious route injection by ensuring only cryptographically verified peers can exchange routing updates.

Concept tested: Control plane hardening techniques for infrastructure devices

Source: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-control-plane-policing.html

Topics

#control plane hardening#CoPP#SNMPv3#routing protocol authentication

Community Discussion

No community discussion yet for this question.

Full 400-007 Practice