CCNP ENARSI Certification Cram Notes : Infrastructure Security

3.3 Troubleshoot control plane policing (CoPP) (Telnet, SSH, HTTP(S), SNMP, EIGRP, OSPF, BGP)

Control plane policing (CoPP) is a security feature used to protect the control plane of a network device from denial-of-service (DoS) attacks, which can disrupt the device's ability to process and forward traffic. CoPP accomplishes this by rate-limiting or dropping traffic that is directed to the control plane of the device, which includes protocols such as Telnet, SSH, HTTP(S), SNMP, EIGRP, OSPF, and BGP.

To troubleshoot CoPP, you can perform the following tasks:

1. Verify that CoPP is enabled on the device: Check the device configuration to ensure that CoPP is enabled and that the policy map is correctly configured.

2. Check the CoPP configuration: Ensure that the policy map has been configured to allow the necessary control plane traffic and to rate-limit or drop traffic that is not authorized.

3. Verify the CoPP counters: Check the CoPP counters to see if any traffic has been dropped or rate-limited. This can help identify which traffic is being affected by the policy map.

4. Use debugging and logging: Use the debug and logging commands to gather more information about the traffic that is being affected by the CoPP policy map.

5. Check for other security features: If CoPP is not working as expected, check for other security features that may be affecting the traffic. For example, ACLs or uRPF may be blocking traffic that is allowed by the CoPP policy map.

By performing these troubleshooting steps, you can identify and resolve issues with CoPP and ensure that the control plane of your network devices is protected from DoS attacks.

3.4 Describe IPv6 First Hop security features (RA guard, DHCP guard, binding table, ND inspection/snooping, source guard)

IPv6 First Hop security features are designed to protect the network against a range of threats, including rogue router advertisements (RA), neighbor discovery (ND) attacks, and unauthorized DHCP servers. The following are the main IPv6 First Hop security features:

1. RA guard: RA guard is used to prevent rogue RA messages from being sent on the network. It filters and drops RA messages that are not from a valid source.

2. DHCP guard: DHCP guard protects against rogue DHCP servers on the network. It works by intercepting DHCP messages and verifying that they come from a trusted DHCP server.

3. Binding table: Binding tables store a list of trusted IPv6 addresses and their associated MAC addresses. They are used to validate the source MAC address of incoming packets.

4. ND inspection/snooping: ND inspection/snooping is used to prevent ND spoofing attacks. It inspects ND messages and drops any that are not from a trusted source.

bSource guard is used to prevent traffic with spoofed source addresses from entering the network. It works by verifying the source address of incoming packets against a trusted source address database.

These features can be configured on switches and routers to provide an additional layer of security to the network.