Home > Articles > Cisco > CCNA Security

  • Print
  • + Share This
This chapter is from the book

Data Plane Security

Data plane security can be implemented using the following features:

Access control lists

Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.


ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.

Layer 2 security features

Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.


ACLs are used to secure the data plane in a variety of ways, including the following:

Block unwanted traffic or users

ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.

Reduce the chance of DoS attacks

ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.

Mitigate spoofing attacks

ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.

Provide bandwidth control

ACLs on a slow link can prevent excess traffic.

Classify traffic to protect other planes

ACLs can be applied on vty lines (management plane).
ACLs can control routing updates being sent, received, or redistributed (control plane).


Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack.

Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.

Layer 2 Data Plane Protection

The following are Layer 2 security tools integrated into the Cisco Catalyst switches:

Port security

Prevents MAC address spoofing and MAC address flooding attacks

DHCP snooping

Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch

Dynamic ARP inspection (DAI)

Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks

IP source guard

Prevents IP spoofing addresses by using the DHCP snooping table

  • + Share This
  • 🔖 Save To Your Account