Configure And Verify
5.2 Configure and verify infrastructure security features
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
Infrastructure security is about protecting the network devices and the traffic paths they control. ENCOR focuses on two tools here: ACLs and CoPP.
The difference
- ACLs usually protect interfaces, subnets, services, and traffic paths. They decide what traffic is allowed through or to an interface.
- CoPP protects the control plane. It decides how much traffic is allowed to reach the device CPU.
Both matter. A router can forward packets at hardware speed while still being vulnerable to traffic punted to the CPU. CoPP keeps noisy or hostile traffic from starving routing protocols, management access, and other critical control-plane functions.
Simple mental model
Data plane: packets forwarded through the device
Control plane: packets processed by the CPU to run the network
Management: SSH, SNMP, NETCONF, RESTCONF, syslog, AAA
Policy tools: ACLs, CoPP, firewall policy, segmentation, identityUse ACLs close to the source for unwanted transit traffic. Use CoPP to defend the CPU. Use both as part of a larger design.
Transit packet (user
server):
hits interface ACL in/out
forward or drop in data plane
punted to CPU
CoPP class polices -> permit limited rate or drop floodExample: ACL plus CoPP
ACL protecting a server VLAN:
ip access-list extended USERS-TO-SERVERS
remark Users may reach HTTPS applications only
permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 443
deny ip any 10.20.20.0 0.0.0.255 log
permit ip any any
interface Vlan10
description Users
ip access-group USERS-TO-SERVERS inCoPP protecting the route processor:
ip access-list extended COPP-CRITICAL
remark Permit routing/control examples for classification
permit ospf any any
permit tcp 10.10.10.0 0.0.0.255 any eq 22
permit icmp any any echo
class-map match-any COPP-CRITICAL
match access-group name COPP-CRITICAL
policy-map COPP-POLICY
class COPP-CRITICAL
police 64000 conform-action transmit exceed-action drop
class class-default
police 16000 conform-action transmit exceed-action drop
control-plane
service-policy input COPP-POLICYCoPP syntax and platform defaults vary. The idea is what matters: classify traffic destined to the CPU and rate-limit classes so critical traffic survives abuse.
Verification
show access-lists
show ip interface Vlan10
show policy-map control-plane
show platform hardware qfp active feature copp statisticsThe exact platform command varies. On the exam, know that ACL counters and policy-map counters are your friends.
Lab
Goal: Protect a server VLAN and the control plane.
Tasks:
- Build a users VLAN and a servers VLAN.
- Permit users to reach server HTTPS.
- Deny other user-to-server traffic and log it.
- Apply the ACL inbound on the users SVI.
- Generate permitted and denied traffic.
- Build a simple CoPP policy for SSH, ICMP, and routing/control traffic.
- Apply it to the control plane.
- Verify counters increment in the expected classes.
Success criteria:
- HTTPS from users to servers works.
- Non-HTTPS user-to-server traffic fails.
- ACL counters increment.
- CoPP policy is attached to the control plane.
- Policy counters increment during test traffic.
Quick check
- ACLs filter packets based on match criteria and placement.
- CoPP protects the CPU, not just a VLAN.
- The implicit deny at the end of ACLs is real.
- A permit in a CoPP classification ACL means “match this class,” not always “forward this traffic.” The policy action decides what happens after classification.