Skip to content
Study CCNP

Configure And Verify

5.2 Configure and verify infrastructure security features

2 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

Infrastructure security is about protecting the network devices and the traffic paths they control. ENCOR focuses on two tools here: ACLs and CoPP.

The difference

  • ACLs usually protect interfaces, subnets, services, and traffic paths. They decide what traffic is allowed through or to an interface.
  • CoPP protects the control plane. It decides how much traffic is allowed to reach the device CPU.

Both matter. A router can forward packets at hardware speed while still being vulnerable to traffic punted to the CPU. CoPP keeps noisy or hostile traffic from starving routing protocols, management access, and other critical control-plane functions.

Simple mental model

Data plane: packets forwarded through the device
Control plane: packets processed by the CPU to run the network
Management: SSH, SNMP, NETCONF, RESTCONF, syslog, AAA
Policy tools: ACLs, CoPP, firewall policy, segmentation, identity

Use ACLs close to the source for unwanted transit traffic. Use CoPP to defend the CPU. Use both as part of a larger design.

Transit packet (user
server):
hits interface ACL in/out
forward or drop in data plane
punted to CPU
CoPP class polices -> permit limited rate or drop flood

Example: ACL plus CoPP

ACL protecting a server VLAN:

ip access-list extended USERS-TO-SERVERS
 remark Users may reach HTTPS applications only
 permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 443
 deny ip any 10.20.20.0 0.0.0.255 log
 permit ip any any

interface Vlan10
 description Users
 ip access-group USERS-TO-SERVERS in

CoPP protecting the route processor:

ip access-list extended COPP-CRITICAL
 remark Permit routing/control examples for classification
 permit ospf any any
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 permit icmp any any echo

class-map match-any COPP-CRITICAL
 match access-group name COPP-CRITICAL

policy-map COPP-POLICY
 class COPP-CRITICAL
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 16000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP-POLICY

CoPP syntax and platform defaults vary. The idea is what matters: classify traffic destined to the CPU and rate-limit classes so critical traffic survives abuse.

Verification

show access-lists
show ip interface Vlan10
show policy-map control-plane
show platform hardware qfp active feature copp statistics

The exact platform command varies. On the exam, know that ACL counters and policy-map counters are your friends.

Lab

Goal: Protect a server VLAN and the control plane.

Tasks:

  1. Build a users VLAN and a servers VLAN.
  2. Permit users to reach server HTTPS.
  3. Deny other user-to-server traffic and log it.
  4. Apply the ACL inbound on the users SVI.
  5. Generate permitted and denied traffic.
  6. Build a simple CoPP policy for SSH, ICMP, and routing/control traffic.
  7. Apply it to the control plane.
  8. Verify counters increment in the expected classes.

Success criteria:

  • HTTPS from users to servers works.
  • Non-HTTPS user-to-server traffic fails.
  • ACL counters increment.
  • CoPP policy is attached to the control plane.
  • Policy counters increment during test traffic.

Quick check

  • ACLs filter packets based on match criteria and placement.
  • CoPP protects the CPU, not just a VLAN.
  • The implicit deny at the end of ACLs is real.
  • A permit in a CoPP classification ACL means “match this class,” not always “forward this traffic.” The policy action decides what happens after classification.

Objectives

  1. 5.2.a ACLs
  2. 5.2.b CoPP