Which statement is correct about the Cisco IOS Control Plane Protection feature?
Sure, I'll be happy to help explain the Cisco IOS Control Plane Protection feature and the statements provided in the question.
The Cisco IOS Control Plane Protection (CPP) feature is designed to provide additional security to the router's control plane by protecting it against various types of attacks. The control plane is responsible for managing and processing network traffic, as well as configuring the router's interfaces and protocols. Therefore, it is critical to protect the control plane from malicious traffic that could cause denial-of-service (DoS) attacks or compromise the router's security.
Now, let's take a closer look at each statement and determine which one is correct:
A. Control Plane Protection is restricted to the IPv4 or IPv6 input path. This statement is incorrect. The Control Plane Protection feature can provide protection to both IPv4 and IPv6 traffic, as well as other protocols such as MPLS.
B. Traffic that is destined to the router with IP options will be redirected to the host control plane. This statement is also incorrect. The Control Plane Protection feature does not redirect traffic with IP options to the host control plane. Instead, it drops this traffic to protect against potential attacks.
C. Disabling CEF will remove all active control-plane protection policies. Aggregate control-plane policies will continue to operate. This statement is partially correct. Disabling Cisco Express Forwarding (CEF) will remove all active per-protocol control-plane protection policies, but the aggregate control-plane policies will still be in effect. The aggregate control-plane policies provide general protection for the control plane and are not protocol-specific.
D. The open-port option of a port-filtering policy allows access to all TCP/UDP based services that are configured on the router. This statement is incorrect. The open-port option of a port-filtering policy allows access to a specific TCP/UDP port, but not to all TCP/UDP-based services configured on the router.
Therefore, the correct answer is C.