About Data Plane Security Features
Data plane security features leverage the hardware and software forwarding capabilities of a switch to perform policing actions such as forwarding or dropping certain packets, keeping the use of certain resources below a set limit, and constraining how traffic is forwarded. In addition, controlling the bandwidth used by certain classes of traffic or certain devices helps guarantee optimal network performance, and it can also prevent certain attacks such as DoS (as explained in the previous section regarding the control plane).
The following are commonly used data plane security features that admins can employ to protect network resources and nodes:
- Port Isolation
- Limiting the number of MAC addresses on a per port basis (also known as Port Security)
- vPort-based Activity Tracking and Security
- Dynamic Host Configuration Protocol (DHCP) Snooping
- Router Advertisement (RA) Guard
- MAC Access Control Lists (ACLs)
- IP ACLs
Let’s see how each one works and how it can be used as a countermeasure against network attacks.