Cisco CCNP Security Cert Guide: Implementing and Configuring Cisco IOS Routed Data Plane Security
This chapter covers the following subjects:
- Routed data plane attack types: Reviews the types of attack that are focused on the routed data plane.
- Access control lists (ACL): Covers the fundamentals of using ACLs and the configuration and verification commands to use.
- Flexible Packet Matching (FPM): Covers the steps involved in developing a traffic class and policy and assigning it to an interface. It also goes over the verification commands that can be used in configuration and troubleshooting.
- Flexible NetFlow: Reviews the fundamentals of Flexible NetFlow and describes the configuration and verification commands to use it.
- Unicast Reverse Path Forwarding (Unicast RPF): Covers the basics of how Unicast RPF functions and discusses the commands required to configure and verify it.
Several different parts of a network need to be secured from internal and external attack. Cisco defines three planes, the data plane, the management plane, and the control plane, and each is further divided into the part that applies to the switched portion of the network and the part that applies to the routed portion. This chapter addresses the routed data plane: it describes the Cisco IOS Software features that can be used to secure the user data that traverses the network and explains how to configure those features on the network devices.
"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz helps you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.
The ten-question quiz, derived from the major sections in the "Foundation Topics" section of this chapter, helps you determine how to spend your limited study time.
Table 8-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.
Table 8-1. "Do I Know This Already?" Foundation Topics Section-to-Question Mapping

| Foundation Topics Section | Questions Covered in This Section |
| --- | --- |
| Routed Data Plane Attack Types | |
| Routed Data Plane Security Technologies | |
1. Which of the following are some of the most common types of routed data plane attacks?
- Routing protocol spoofing
- Slow-path denial of service
- STP spoofing
- Traffic flooding

2. Which of the following ACL ranges are used for standard access lists?

3. When using a reflexive access list, which of the following ACL types must be used?
- Standard IP ACL
- Extended IP ACL
- Extended IP named ACL
- Reflexive ACL
- Standard IP named ACL

4. Which of the following are valid steps required for the creation of an FPM filtering policy?
- Defining a service policy
- Loading of a PCFD
- Defining an access list
- Loading of a PHDF

5. Which command is used to load a traffic classification definition file (TCDF)?
- load protocol
- load classification
- load tcdf
- load class-file

6. Which commands are used to configure matching for a traffic class?
- match field
- match start
- match beginning
- match l2-layer
- match packet

7. Which of the following are restrictions when using FPM?
- Stateful inspection only
- IPv4/IPv6 unicast packets only
- IPv4 unicast packets only
- Cannot be used with IP options packets

8. Which of the following are benefits that are gained by using Flexible NetFlow?
- Flexible key and nonkey fields
- Version 5 export format
- Standardized key and nonkey fields
- Version 9 export format

9. Which of the following are Flexible NetFlow components?
- Flow sequencers
- Flow policers
- Flow monitors
- Flow samplers

10. Unicast RPF utilizes which of the following to compare source packet information?
- IP routing table
- CEF FIB
- Topology tables
- NetFlow records
The answers to the "Do I Know This Already?" quiz are found in Appendix A. The suggested choices for your next step are as follows:
- 8 or fewer overall score: Read the entire chapter. This includes the "Foundation Topics" section.
- 9 or 10 overall score: If you want more review on these topics, skip to the "Exam Preparation" section. Otherwise, move on to Chapter 9, "Implementing and Configuring Cisco IOS Control Plane Security."