Data Plane Protection - Cisco NFP (Network Foundation Protection)
Cisco NFP (Network Foundation Protection) defines three planes: the Management plane, the Control plane and the Data plane. All three must be well protected to ensure business continuity and to prevent external attacks on the organization's network infrastructure devices. The Cisco NFP framework provides the technologies and tools required to secure each plane. The following are the important tools and technologies for protecting the Data plane.
Access Control Lists: Access control lists (ACLs) can be used to filter packets, permitting or denying their passage through the network.
Antispoofing: Most attackers try to spoof their IP address to avoid detection. Incoming traffic filtering can be enabled to block attacks originating from invalid source IP addresses.
The Cisco IOS technology uRPF (Unicast Reverse Path Forwarding) is very effective in protecting against IP address spoofing.
Layer 2 security: Layer 2 security is very important because most attacks originate from inside the network. The tools here are Port security (to protect against MAC address flooding attacks), DHCP snooping (to prevent attacks against the DHCP server), Dynamic ARP Inspection (DAI) (to prevent ARP-related attacks and ARP poisoning) and IP Source Guard (which uses dynamic DHCP snooping and static IP source binding together for Layer 2 security).
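The tools listed above, shown together as a Cisco IOS configuration. This is an added example, not part of the original page; the interface names, VLAN 10, the ACL name ANTISPOOF-IN and the source ranges denied by the ACL are assumptions chosen for illustration.

```cisco
! Constructed example. Interface names, VLAN 10 and the ACL name are assumptions.
!
! Edge router, Internet-facing interface: ACL antispoofing plus uRPF
ip access-list extended ANTISPOOF-IN
 remark Private and loopback sources are never valid from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing (assumed)
 ip access-group ANTISPOOF-IN in
 ! Strict uRPF: drop a packet unless the route back to its source
 ! points out this same interface. Assumes symmetric routing here.
 ip verify unicast source reachable-via rx
!
! Access switch: Layer 2 security for VLAN 10
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/24
 description Uplink toward the DHCP server (trusted, assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description User access port (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! Port security: limit learned MAC addresses to blunt MAC flooding
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! IP source guard: filter on the DHCP snooping / static bindings
 ip verify source
```

DAI and IP source guard both validate traffic against the DHCP snooping binding table, so hosts with static addresses on untrusted ports need static bindings or they will be dropped.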