The data plane, control plane, and management plane are the three basic components of Cisco Network Foundation Protection. The data plane, also known as the user plane or forwarding plane, is the part of a network that carries user traffic. Data plane protection can be implemented with the following technologies.

Access Control List (ACL)

Blocking unwanted traffic, reducing the chance of DoS, providing bandwidth control, and mitigating spoofing attacks are the different ways of securing data in the data plane. An ACL can be used to filter incoming and outgoing packets on an interface, controlling access based on source addresses, destination addresses, and user authentication.


In the case of anti-spoofing, the term spoofing refers to an attacker forging the source address of a packet to make it look as though it comes from a higher-security network. To properly protect your network against IP spoofing, you must define the topology of your network within each gateway’s topology property.

Spoofed packets can be detected by firewalls and routers, depending on their technologies: by the network gateway that examines incoming packets, and by anti-spoofing implemented on the internet service provider's side.

Layer 2 Security

Layer 2 networks, or LANs, are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Switch security features protect the access ports on the device against the loss of information and productivity that such attacks can cause.

The Layer 2 security features supported on switching devices are:

DHCP Snooping—DHCP snooping blocks ingress Dynamic Host Configuration Protocol (DHCP) server messages on untrusted ports, and builds and maintains a database of DHCP lease information, which is called the DHCP snooping database.

MAC Limitation—MAC limiting protects against flooding of the Ethernet switching table, also called the Layer 2 forwarding table. It lets us limit the number of MAC addresses on an interface.

Sticky MAC Learning—Also known as persistent MAC learning. It enables an interface to learn MAC addresses automatically.

IP Source Guard—When IP source guard is enabled, the source address in a packet sent from an untrusted access interface is validated against the DHCP snooping database. If the packet cannot be validated, it is discarded.

IDS and IPS—Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) detect and prevent attacks on your network. Another preventive measure is to implement bandwidth management.
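
The DHCP snooping and IP source guard checks described above, modelled in Python as an added example (not Cisco code and not part of the original article). The class name, port names, MAC addresses and IP addresses are constructed, and keeping one binding per port with no VLAN or lease timer is a simplifying assumption:

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages that only a server sends


@dataclass
class AccessSwitch:  # hypothetical model, not a vendor API
    trusted_ports: set                            # ports facing the real DHCP server
    pending: dict = field(default_factory=dict)   # client MAC -> port it asked from
    bindings: dict = field(default_factory=dict)  # snooping database: port -> (MAC, IP)

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: decide 'forward' or 'drop' for one DHCP message."""
        if msg in SERVER_MSGS:
            if port not in self.trusted_ports:
                return "drop"                     # server message on an untrusted port
            if msg == "ACK" and client_mac in self.pending:
                # Lease confirmed by a trusted server: record it against the client port.
                self.bindings[self.pending.pop(client_mac)] = (client_mac, ip)
            return "forward"
        if msg == "REQUEST":
            self.pending[client_mac] = port       # remember where the client sits
        return "forward"

    def data(self, port, src_mac, src_ip):
        """IP source guard: validate a data packet against the snooping database."""
        if port in self.trusted_ports:
            return "forward"
        return "forward" if self.bindings.get(port) == (src_mac, src_ip) else "drop"


def demo():
    """Replay a constructed sequence of events and return each decision."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    client = "aa:aa:aa:aa:aa:01"
    results = [
        sw.dhcp("Gi0/1", "REQUEST", client),
        sw.dhcp("Gi0/2", "ACK", client, "10.0.0.66"),   # server reply on access port
        sw.dhcp("Gi0/24", "ACK", client, "10.0.0.10"),  # reply from the trusted uplink
        sw.data("Gi0/1", client, "10.0.0.10"),          # source matches the lease
        sw.data("Gi0/1", client, "10.0.0.1"),           # source IP not in the database
        sw.data("Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.0.10"),  # port has no lease
    ]
    return results, sw.bindings


if __name__ == "__main__":
    print(demo())
```

The dropped reply on Gi0/2 never reaches the database, so only the lease handed out through the trusted uplink can later validate traffic.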
