Most of a network engineer's security education is about protecting traffic: encrypting it, filtering it, tunnelling it. Infrastructure security is the other half, and the half that gets forgotten until an audit or an incident forces the issue. It is about protecting the network devices themselves: who is allowed to administer them, what they can do, whether the CPU can be overwhelmed, whether an address can be spoofed, and whether the management channels are locked down. A perfectly encrypted data plane running on routers anyone can log into is not a secure network.
This is the hub for the PingLabz Infrastructure Security cluster, mapping to ENCOR Security (a 20% domain) and ENARSI Infrastructure Security (another 20%). Every technique below was configured on real Cisco IOS XE in a live lab, and where a feature genuinely cannot be demonstrated on the available platforms, that is stated plainly rather than faked. If you are studying for CCNP, hardening a real network, or trying to pass a security audit, start here.
What Infrastructure Security Covers
The discipline splits into a few clear areas, each protecting a different part of the device or the access to it:
Identity and Access: AAA
Everything starts with controlling who can administer the devices. AAA (Authentication, Authorization, Accounting) centralizes that control against a server rather than scattering local passwords across hundreds of boxes. The protocol choice is the first decision: TACACS+ for administering devices (it encrypts the full payload and does per-command authorization), RADIUS for admitting users (it carries the 802.1X attributes that assign a VLAN).
AAA on Cisco IOS XE: TACACS+ vs RADIUS configures both, authenticates a live login against a real RADIUS server, and shows the actual Access-Request/Access-Accept exchange on the wire, including the lesson that RADIUS sends the username in the clear. It also demonstrates the single most important AAA safety rule with real output: every method list ends in local, so an unreachable AAA server falls back to local authentication instead of locking you out of the entire network.
Protecting the Control Plane
A router's CPU is a shared, finite resource, and traffic aimed at the router itself (routing protocols, SSH, ARP, ICMP to its own IP) must be processed by that CPU. Flood it and the control plane collapses without a single link failing. Control Plane Policing rate-limits each category of that traffic so no single class can starve the rest.
Control Plane Policing (CoPP) builds a policy and then floods the router with a ping flood to prove it: the policer showed 597 packets conformed and transmitted, 3817 dropped, absorbing 90% of the attack while OSPF stayed adjacent throughout. It also covers the cardinal rule that makes CoPP safe: never drop your routing protocols, and only police (never drop) SSH.
Anti-Spoofing: uRPF and IPv6 First-Hop Security
Source IP addresses are trivially forged, and forged sources are the raw material of reflection attacks and spoofed floods. Unicast RPF checks that each packet's source is actually reachable via the interface it arrived on, and drops the lies. Unicast RPF: strict vs loose proves it with 20 spoofed packets producing exactly 20 verification drops while legitimate traffic passes, and explains when strict mode breaks (asymmetric routing) and when to fall back to loose.
At Layer 2, IPv6 introduces spoofing risks that IPv4 never had, because hosts autoconfigure from unauthenticated Router Advertisements that any device can send. IPv6 First-Hop Security is a suite of switch features that lock this down:
RA Guard and DHCPv6 Guard stop rogue gateways and rogue DHCPv6 servers. The lab flooded 15 rogue RAs and proved that the victim host learned only the legitimate prefix, never the rogue one. ND Inspection, Snooping, and Source Guard completes the picture, building the device-tracking binding table and using it to stop address theft in the control plane and source spoofing in the data plane.
Advanced Access Control
The flat permit/deny ACL from the CCNA does not scale. Advanced ACLs on IOS XE covers time-based ACLs (with a real capture of a schedule showing (inactive) because the lab ran on a weekend), object groups that name sets of hosts and services once and reference them everywhere, and IPv6 ACLs, including the trap that locks people out: an IPv6 ACL must explicitly permit Neighbor Discovery, or IPv6 connectivity collapses.
Hardening the Management and Link Layers
The management plane is the softest target, because it is designed to talk back to whoever connects. Hardening the management plane on Cisco IOS XE covers modern SSH (17.x now enforces 3072-bit keys and ships strong ciphers by default), VTY access-class restrictions, login block-for brute-force protection with live show login output, SNMPv3-only, and the full lockdown checklist.
Below the IP layer, MACsec (802.1AE) encrypts every Ethernet frame on a link in hardware, protecting the physical infrastructure itself. And above it, REST API security for network engineers addresses the new management plane, where a leaked automation token has a blast radius of the entire network rather than one device.
The Infrastructure Hardening Checklist
The Full Infrastructure Security Cluster
Adjacent clusters: 802.1X for port-based network access control, the IPv6 cluster for the addressing the first-hop features protect, and IP Services for the AAA, SNMP, and NTP services this cluster hardens.
Layer 2 access security at expert depth
Most attacks that start inside the building start at Layer 2: a rogue DHCP server handing out a malicious gateway, ARP spoofing to become the man in the middle, IP spoofing to slip past an ACL. The defence is a stack that all rests on one foundation - the DHCP snooping binding table: DHCP snooping in depth, then Dynamic ARP Inspection and IP Source Guard, with storm control covering the flood-based denial of service the others do not.
Studying for the CCIE?
This cluster is part of the full CCNA to CCNP to CCIE Enterprise ladder on PingLabz, every rung built on real Cisco output. For expert-level depth across every EI v1.1 blueprint domain - and the four integration Super Labs - see the CCIE Enterprise Infrastructure study hub.
Frequently Asked Questions
TACACS+ or RADIUS for logging into my switches?
TACACS+. It encrypts the whole payload and supports per-command authorization, which is what device administration needs. RADIUS is for network access (802.1X, VPN, Wi-Fi).
What is the single most important AAA rule?
Every authentication method list must end in local, so an unreachable AAA server falls back to local login instead of locking you out of every device.
Will CoPP or uRPF break my network?
They can if misconfigured. CoPP must never drop routing protocols; uRPF strict mode breaks on asymmetric routing (use loose there). Both are safe when you understand your traffic first.
Why is IPv6 more exposed at the access layer than IPv4?
Because IPv6 hosts autoconfigure from unauthenticated Router Advertisements that any device can send. RA Guard, DHCPv6 Guard, ND Inspection, and Source Guard are the switch-side defences.
Can everything here be labbed on virtual routers?
Almost. MACsec is the exception: it needs PHY-level encryption hardware that virtual switches lack, so it is covered as a concept with honest platform guidance. Everything else in this cluster was captured on live IOS XE.
Key Takeaways
- Infrastructure security protects the devices and their management, not the traffic. A secure data plane on insecure devices is not secure.
- AAA centralizes access control: TACACS+ for device admin, RADIUS for network access, always with a local fallback.
- CoPP keeps the CPU alive under attack; uRPF and IPv6 first-hop security reject spoofed and rogue traffic.
- Advanced ACLs make policy readable and time-aware; management-plane hardening locks down SSH, SNMP, and the VTYs.
- MACsec encrypts the wire; API security protects the automation that now drives the network.
- Two exam domains (ENCOR 20%, ENARSI 20%) live here. Every technique above was configured on real IOS XE, with honest notes where a platform could not demonstrate a feature.