A router (or switch) has three planes that need to be secured: the management plane, the control plane and the data plane.
Management Plane
Used to access and configure a switch or router. It is secured with SNMPv3 (authentication and privacy, instead of community strings), TACACS+ or RADIUS for AAA, VTY access-class ACLs that limit which hosts may open a session, and SSH in place of Telnet. It is also a best practice to use role-based CLI views so that each operator only sees the commands their role needs.
TACACS+ and RADIUS are the AAA protocols used to control user access to the management plane. The major differences between them:
Characteristic | TACACS+ | RADIUS |
--- | --- | --- |
Transport | TCP (port 49) | UDP (1812/1813; legacy 1645/1646) |
Modularity | Separates authentication, authorization and accounting into independent exchanges | Combines authentication and authorization (authorization attributes ride in the Access-Accept); accounting is separate |
Security | Per-command authorization, so individual commands can be permitted or denied | No per-command authorization |
Encryption | Encrypts the entire packet body (the TACACS+ header stays in cleartext) | Obfuscates only the User-Password attribute; username and all other attributes are cleartext |
Accounting | Basic | Robust |
Standard | No (Cisco proprietary; later documented as RFC 8907) | Yes (RFC 2865/2866) |
Both protocols depend on a shared secret and MD5-based obfuscation, so neither is confidential against an attacker on the path who knows or can guess the secret: carry them over a dedicated management network or an IPsec tunnel (RADIUS can also run over TLS, RFC 6614). In practice TACACS+ is the usual choice for device administration because of per-command authorization, and RADIUS for network access (802.1X) because of its richer accounting and broad vendor support.
Sources:
Cisco Document ID 13838
TSHOOT Book p.287
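The following configuration, added here as an example rather than taken from the TSHOOT book or Cisco document, puts the management-plane controls above together on a Catalyst/IOS 15 device: TACACS+ for AAA with per-command authorization and accounting, SSHv2 only, a VTY ACL, a read-only role-based CLI view and SNMPv3 with auth and priv. The server address 10.0.0.10, the management subnet 10.0.0.0/24, the hostname and every key or passphrase in angle brackets are assumed placeholders.

```ios
! --- AAA against TACACS+ (server address and key are assumed placeholders) ---
aaa new-model
tacacs server TAC-1
 address ipv4 10.0.0.10
 key <tacacs-shared-secret>
aaa group server tacacs+ TAC-GROUP
 server name TAC-1
! Login and exec authorization go to TACACS+; "local" is only used if no server answers
aaa authentication login VTY-AUTH group TAC-GROUP local
aaa authorization exec VTY-AUTHZ group TAC-GROUP local
! Per-command authorization: the thing RADIUS cannot do
aaa authorization commands 15 VTY-AUTHZ group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
! Local fallback account with a hashed secret, never a reversible "password"
username admin privilege 15 secret <strong-passphrase>
enable secret <enable-passphrase>
! --- SSH instead of Telnet (hostname and domain are needed to name the RSA key) ---
hostname edge-rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
! --- VTY ACL: only the management subnet may even open a session ---
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 exec-timeout 10 0
! --- Role-based CLI view: a read-only operator role ---
! "enable view" is typed in exec mode first to enter the root view; then:
parser view NETOPS-RO
 secret <view-passphrase>
 commands exec include show ip route
 commands exec include show interfaces
 commands exec include show logging
! --- SNMPv3: authPriv, read-only, restricted to the same management ACL ---
snmp-server view MON-VIEW iso included
snmp-server group MON-GROUP v3 priv read MON-VIEW access MGMT-HOSTS
snmp-server user monitor MON-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
```

A TACACS+ server can then assign the `NETOPS-RO` view to an operator through the exec authorization reply, so the per-user command set is decided centrally rather than on each box. Keep the `local` fallback account, but treat any use of it as an event worth alerting on, since it means the TACACS+ path was unavailable.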
Control plane
Includes the routing protocols and spanning tree running between routers and switches; it is what gives a router the ability to route. The control plane can be secured with the auto secure command (which disables unneeded services and turns on logging and access hardening), routing protocol authentication (so a router only accepts updates from neighbours that present a valid hash), and CPU/memory thresholding, which raises alerts before a flood exhausts the box.
See each routing protocol discussion for troubleshooting steps.
Securing STP
Root Guard — Enabled on a per-port basis, normally on ports facing access switches or other networks that must never become root. When the port receives a superior BPDU (one advertising a lower bridge ID than the current root), the local switch does not allow the new switch to become root. Instead the port moves to the root-inconsistent state and sends or receives no data until the superior BPDUs stop, after which it recovers on its own.
BPDU Guard — PortFast moves an end-user port straight to the forwarding state without the listening and learning states, so a switch (or a looped cable) plugged into such a port can create a loop. With BPDU guard enabled, any BPDU received on the port puts it into the errdisable state. It can then be recovered manually (shutdown / no shutdown) or automatically through the errdisable recovery timeout.
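As an added example (not from the TSHOOT book), the Catalyst configuration for both guards on a distribution switch: root guard on the downlinks towards the access layer, PortFast plus BPDU guard on the host ports, and errdisable recovery so a port hit by a stray BPDU comes back without a ticket. Interface numbers and descriptions are assumed.

```ios
! Root guard on the ports facing the access layer: nothing behind them may become root
interface range GigabitEthernet1/0/1 - 2
 description downlink to access switches
 spanning-tree guard root
! Host ports: PortFast for fast bring-up, BPDU guard so a rogue switch or looped
! cable err-disables the port instead of forming a loop
interface range GigabitEthernet1/0/3 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
! Alternatively, turn BPDU guard on for every PortFast port in one line
spanning-tree portfast bpduguard default
! Bring err-disabled ports back after 5 minutes instead of waiting for a human
errdisable recovery cause bpduguard
errdisable recovery interval 300
! Verification (exec mode)
show spanning-tree inconsistentports
show interfaces status err-disabled
```

`show spanning-tree inconsistentports` lists ports held in the root-inconsistent state, which is the place to look when an access switch's uplink suddenly passes no traffic after somebody lowered its bridge priority.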
Data plane
Forwards data through a router or switch. The data plane can be secured with ACLs, 802.1X, Unicast Reverse Path Forwarding (uRPF, which drops packets whose source address is not reachable back through the interface they arrived on; use loose mode where routing is asymmetric, or legitimate traffic is dropped too) and IPsec VPN tunnels.
Securing DHCP and ARP:
DHCP snooping — With DHCP snooping enabled, every switch port is either trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are discarded, because they can only have come from a rogue DHCP server, and the offending port is shut in the errdisable state. The ports towards the legitimate DHCP server or relay must therefore be marked trusted, or real replies are dropped as well. Untrusted ports should also get a DHCP packet rate limit, which errdisables the port when exceeded.
Dynamic ARP Inspection (DAI) — Helps to prevent ARP spoofing attacks. DHCP snooping records each completed DHCP binding (MAC address, assigned IP address, VLAN, port and lease time) in a binding table. DAI checks ARP requests and replies arriving on untrusted ports against that table and drops any whose sender MAC/IP pair does not match, which stops ARP-poisoning man-in-the-middle attacks. Hosts with static addresses never appear in the snooping table, so they need an ARP ACL.
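The two features together on an access switch, as an added example that is not from the TSHOOT book: snooping and DAI on the user VLANs, the uplink trusted, rate limits on the untrusted ports, an ARP ACL for a statically addressed host, and errdisable recovery for the rate-limit causes. VLAN numbers, interface numbers, and the host address and MAC are assumed, made-up values.

```ios
! DHCP snooping on the user VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion only if the relay/server expects it; otherwise leave it off
no ip dhcp snooping information option
! Uplink towards the real DHCP server/relay: trusted for both DHCP and ARP
interface GigabitEthernet1/0/24
 description uplink to distribution (DHCP relay lives upstream)
 ip dhcp snooping trust
 ip arp inspection trust
! Untrusted host ports: rate-limit DHCP and ARP so a flood err-disables the
! port rather than exhausting the switch CPU
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
! DAI on the same VLANs, with additional header sanity checks
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
! Statically addressed host (made-up example) that never appears in the
! snooping table, whitelisted via an ARP ACL
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! Let ports err-disabled by the rate limits recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
! Verification (exec mode)
show ip dhcp snooping binding
show ip arp inspection statistics vlan 10
```

The trust setting on the uplink is the part people forget: with snooping on and no trusted port, every client on the VLAN silently loses DHCP, and with DAI on, every ARP reply from the gateway is dropped because the gateway's binding was never learned.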
802.1X
Port-based authentication combines AAA authentication with port security. An 802.1X port starts in the unauthorized state, in which it passes only EAPOL frames, and the client must authenticate before it is allowed to send any other traffic. The three components of an 802.1X network are:
Supplicant — The device (or its 802.1X client software) trying to gain access.
Authenticator — Usually the access switch. Acts as an intermediary (proxy) between the host and the authentication server: it requests identity information from the host over EAPOL, forwards it to the authentication server (typically over RADIUS), and relays the response back to the host.
Authentication Server — Performs the actual authentication of the supplicant, normally a RADIUS server. It validates the supplicant's identity and tells the switch whether the port may be authorized to communicate on the network, optionally with attributes such as a VLAN to assign.
Source:
TSHOOT Book
6500 802.1X Configuration Guide
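An added example of the authenticator side on a Catalyst access switch (not taken from the TSHOOT book or the 6500 guide): the RADIUS server definition, 802.1X turned on globally, and one host port configured to start unauthorized and re-authenticate on the server's schedule. The server address 10.0.0.20, the key placeholder, the VLAN and the interface are assumptions.

```ios
! Authentication server: a RADIUS server (address and key are assumed placeholders)
aaa new-model
radius server RAD-1
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius RAD-GROUP
 server name RAD-1
aaa authentication dot1x default group RAD-GROUP
! Lets the server push per-session attributes (VLAN, downloadable ACL) in its Access-Accept
aaa authorization network default group RAD-GROUP
aaa accounting dot1x default start-stop group RAD-GROUP
! Enable the authenticator role globally, then per port
dot1x system-auth-control
interface GigabitEthernet1/0/5
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 ! "auto": port starts unauthorized and passes only EAPOL until the server says yes
 authentication port-control auto
 ! one MAC per port; use multi-auth where IP phones daisy-chain a PC
 authentication host-mode single-host
 ! re-authenticate on the interval the RADIUS server returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
! Verification (exec mode)
show authentication sessions interface GigabitEthernet1/0/5
show dot1x all
```

`show authentication sessions` shows the supplicant's MAC, the method that succeeded and the resulting authorized VLAN, which is the first thing to check when a user reports "no network" on an 802.1X port.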