Which of the following security functions is associated with the control plane? (Select the best answer.)

A.
device configuration protection

B.
device resource protection

C.
traffic accounting

D.
traffic filtering

Explanation:
Device resource protection is a security function that is associated with the control plane. Cisco devices are
generally divided into three planes: the control plane, the management plane, and the data plane. Each plane is
responsible for different operations, and each plane can be secured by implementing various security methods.
The control plane is responsible for the creation and maintenance of structures related to routing and
forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control
plane security methods protect against unauthorized traffic destined for the router, which can modify route
paths and consume excessive resources. Path modification can be caused by manipulating the traffic
generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path
modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP
authentication, and STP protection features. In addition, excessive CPU and memory consumption can be
caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control
plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Traffic accounting and traffic filtering are security features that are associated with the data plane. The data
plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore, data
plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing,
Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host
Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access
can be mitigated and monitored by implementing features such as the following:
-ARP inspection
– Antispoofing access control lists (ACLs)
– DHCP snooping – Port ACLs (PACLs)
– Private virtual LANs (VLANs)
– Unicast Reverse Path Forwarding (uRPF)
– VLAN ACLs (VACLs)
Device configuration protection is associated with the management plane. Management plane security protects
against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing
a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane
Protection (MPP), which creates protected management channels over which administrators must connect in
order to access device administration features. Management traffic can be encrypted by implementing Secure
Shell (SSH). You can mitigate unauthorized configuration of a device by implementing RoleBased Access
Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their
jobs. Detection and logging of management plane access can be performed by implementing Simple Network
Management Protocol version 3 (SNMPv3) and Syslog servers.

Cisco: Cisco Guide to Harden Cisco IOS Devices