Cisco Network Foundation Protection (NFP) divides a network device into three functional planes: the control plane, the management plane and the data plane. The data plane, also known as the user plane or forwarding plane, is the part of the network that carries user traffic. Data plane protection can be implemented with the following technologies.
Access Control List (ACL)
Blocking unwanted traffic, reducing the chance of denial of service (DoS), providing bandwidth control and mitigating spoofing attacks are the different ways of securing traffic in the data plane. An ACL can be used to filter the incoming and outgoing packets on an interface, controlling access based on source addresses, destination addresses, protocols and ports and, with dynamic (lock-and-key) ACLs, user authentication. An ACL is applied per interface and per direction, so a filter bound to the wrong interface or the wrong direction is a common reason it appears to do nothing.
Anti-spoofing. Spoofing refers to an attacker forging the source address of a packet so that it appears to come from a trusted, higher-security network (for example the inside network or a management subnet), in the hope that filters trust the address. To protect a network against IP spoofing the device must know which source addresses are legitimate on which interface: on a firewall this is done by defining the network topology behind each interface in the gateway's topology properties, and on a Cisco router with ingress ACLs (dropping packets that arrive from the outside with an inside, private or loopback source address) and Unicast Reverse Path Forwarding (uRPF), which drops a packet when the route back to its source address does not point to the interface it arrived on.
Spoofed packets can be detected by the firewall or router that examines incoming packets at the network boundary, because that device knows which source ranges are expected on each interface. Anti-spoofing is most effective when it is also implemented on the Internet service provider side, close to the source of the traffic, since only the network that originates a packet can fully verify its source address.
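The following Cisco IOS configuration is an added example and is not part of the original article. It shows the two data-plane anti-spoofing controls described above on an Internet-facing router: an ingress ACL that drops packets whose source address claims to be inside, private or loopback, an egress ACL that only lets the organisation's own addresses leave, and strict uRPF. The interface name GigabitEthernet0/0 and the prefix 192.0.2.0/24 (an RFC 5737 documentation prefix standing in for the organisation's public range) are assumptions for the illustration.

```text
! Added example, not from the original article.
! Assumed: GigabitEthernet0/0 is the ISP uplink, 192.0.2.0/24 is our own
! public prefix (documentation prefix used as a placeholder).
!
! Ingress ACL: packets arriving from the Internet must never carry a source
! address that belongs inside, to private space, to loopback or 0.0.0.0.
ip access-list extended INBOUND-ANTISPOOF
 remark -- our own prefix arriving from the outside is spoofed
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark -- RFC 1918 private space, loopback, unspecified source
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit ip any any
!
! Egress ACL (RFC 2827 style): only our own source addresses may leave,
! so a compromised inside host cannot spoof others towards the Internet.
ip access-list extended OUTBOUND-ANTISPOOF
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description ISP uplink
 ip access-group INBOUND-ANTISPOOF in
 ip access-group OUTBOUND-ANTISPOOF out
 ! Strict uRPF (requires CEF): drop a packet when the best route back to its
 ! source does not point out this interface. On links with asymmetric routing
 ! use loose mode, "ip verify unicast source reachable-via any", or
 ! legitimate return traffic will be dropped.
 ip verify unicast source reachable-via rx
```

Verify the result with `show access-lists INBOUND-ANTISPOOF` (the hit counters on the `deny ... log` lines show spoofing attempts) and `show ip interface GigabitEthernet0/0`, which reports whether uRPF is active and how many packets it has dropped. The ACL and uRPF overlap on purpose: the ACL catches the well-known bad ranges even when the routing table is incomplete, and uRPF catches spoofed addresses from any range the ACL does not list.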
Layer 2 Security
Layer 2 (LAN) segments are vulnerable to attacks such as MAC and IP address spoofing, rogue DHCP servers and Layer 2 denial of service (DoS) against network devices, for example flooding the switch's MAC address table. Switch security features protect the access ports on the device against the loss of information and productivity that such attacks can cause.
The Layer 2 security features supported on switching devices are:
DHCP Snooping—DHCP snooping blocks ingress Dynamic Host Configuration Protocol (DHCP) server messages (DHCPOFFER, DHCPACK and the like) on untrusted ports, so that a rogue DHCP server on an access port cannot hand out addresses, and builds and maintains a database of DHCP lease information, the DHCP snooping binding database, which records the MAC address, IP address, lease time, VLAN and interface of every client. The other features below rely on this database.
MAC Limiting—MAC limiting protects against flooding of the Ethernet switching table (Layer 2 forwarding table); a full table forces the switch to flood unicast frames out of every port, where an attacker can capture them. The number of MAC addresses that may be learned on an interface is capped, and frames from additional addresses are dropped or the port is disabled, depending on the configured violation action.
Sticky MAC Learning—Also known as persistent MAC learning. A sticky interface automatically learns the MAC addresses of the hosts connected to it and retains them as secure addresses (on Cisco IOS they are written into the running configuration, so they survive a reboot once the configuration is saved), so the addresses do not have to be entered by hand and a different host plugged into the port later is treated as a violation.
IP Source Guard—When IP source guard is enabled, the source IP address (and optionally the source MAC address) of each packet received on an untrusted access interface is validated against the DHCP snooping binding database. If the packet does not match a binding for that interface, it is discarded, which stops a host from using a statically configured or spoofed address that DHCP never assigned to it.
IDS and IPS—Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) detect and, in the case of an IPS placed inline in the traffic path, prevent attacks on the network; an IDS that works from a copy of the traffic can only alert. A further protection is bandwidth management (rate limiting or QoS policing), which bounds how much of a link a traffic flood can consume so that legitimate traffic continues to flow.
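The Cisco IOS access-switch configuration below is an added example, not taken from the original article, that combines the Layer 2 features listed above (DHCP snooping, MAC limiting, sticky MAC learning and IP source guard) on one switch. VLAN 10 as the user VLAN, GigabitEthernet0/1 as the uplink towards the legitimate DHCP server and GigabitEthernet0/2 as a user access port are assumptions for the illustration; on IOS the features appear under the port-security and ip dhcp snooping command families rather than under the names used in the list.

```text
! Added example, not from the original article.
! Assumed: VLAN 10 is the user VLAN, Gi0/1 is the uplink towards the real
! DHCP server, Gi0/2 is a user access port.
!
! 1. DHCP snooping: inspect DHCP in VLAN 10 and build the binding database.
!    Mark the uplink trusted BEFORE enabling snooping on the VLAN, otherwise
!    server replies arriving on the uplink are dropped and clients lose DHCP.
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the DHCP server is configured to accept it;
! many servers silently drop requests that carry an unexpected option 82.
no ip dhcp snooping information option
!
interface GigabitEthernet0/2
 description User access port
 switchport mode access
 switchport access vlan 10
 ! 2. MAC limiting + 3. sticky learning: at most two secure addresses,
 !    learned dynamically and written into the running configuration.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! "restrict" drops offending frames and raises a syslog/SNMP trap but keeps
 ! the port up; the default "shutdown" err-disables the port and needs
 ! manual or errdisable-recovery intervention.
 switchport port-security violation restrict
 ! 4. IP source guard: forward only packets whose source IP and MAC match an
 !    entry in the DHCP snooping binding table for this port.
 ip verify source port-security
 ! Limit DHCP messages from this untrusted port so a host cannot exhaust the
 ! snooping process; real clients need only a few messages per second.
 ip dhcp snooping limit rate 10
!
! Hosts with a static address never appear in the snooping table, so they
! need an explicit binding or IP source guard will drop their traffic:
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet0/2
```

Check the state with `show ip dhcp snooping binding` (the learned leases), `show port-security interface GigabitEthernet0/2` (secure address count and violation counter) and `show ip verify source` (which addresses are permitted per port). The MAC address 0011.2233.4455 and host 10.10.10.50 in the static binding are constructed values for the example.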