Control plane protection overview

Control plane (the main CPU that runs the routing protocols and all other application-layer services) is the most vulnerable part of your router. A determined attacker can quickly overload the CPU of any router (or switch) with a targeted denial-of-service attack, either by sending IP packets that are propagated from the switching fabric (or interrupt code on software-only platforms) to the control plane processes or by targeting individual services running on the router (see, for example, the problems one of the readers had with public DNS server running on the router).

Cisco IOS offers several control plane protection mechanisms. I’ve summarized them in the “Protecting the router’s control plane” article in the CT3 wiki and Sebastian Majewski has provided sample router configuration.

1 comment:

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.