Control Plane vs Data Plane

You won't be working in networking long before you hear someone talking about the control plane and the data plane. At first this can be quite confusing: what are they, what are they used for, and what's the difference between them? We're here to demystify the control and data planes.

In times past, communication was very manual. Think of an ancient general organizing his troops. He may post a soldier as a messenger. This soldier needs to listen closely for any messages, or watch for signals, and be prepared to pass them on. He's not overly concerned with the message itself; he just needs to pass it on quickly and accurately. But there are also times when the messages are meant directly for him. Another soldier may be talking to him: maybe he's getting new orders, or maybe he's finding out about a shift change. In this case our soldier cares about this message. He needs to listen to what's being said, think about it, and then respond.

Our networking devices are like this soldier. A major part of what they do is receive traffic and pass it on quickly and accurately. This is the data plane, also known as the forwarding plane. This includes the FIB at layer 3 and switching at layer 2. Routers and switches will also make good use of technologies like CEF, TCAM tables and specialized ASICs if they're available.

But these devices also need to be able to respond to traffic that's sent to them and generate messages themselves; they need to participate in the conversation. This kind of traffic could include management, routing protocols, ping, monitoring and so on. This is control plane traffic. The control plane is special, as it's involved in controlling how data is forwarded through the network; think of routing protocols, for example. The control plane can definitely affect the data plane. This includes altering and filtering data, like load balancing, firewall rules and so on. You can roughly think of the control plane as the brain of the network.

But why do we bother making a distinction between the two? One reason is that technologies can be developed independently. You can take a router that you bought a few years ago and install new software on it, giving you new features. The control plane features are not locked into the hardware of the data plane. A major advantage is seen in Software Defined Networking: if the data plane and control plane are separate, we can remove the control plane from the device, and now we have a separate device, such as an SDN controller, which manages how the network behaves. Our switches and routers can now simply focus on forwarding.

Think of our soldier again for a moment. Imagine if he gets too busy chatting to another soldier: he could easily get distracted or overwhelmed. This may make it difficult to do his real job; he might even miss something important. The same can happen in the network. The control plane utilizes the CPU regularly, so if the CPU gets fully utilized, the control plane suffers. If it gets too busy to handle any new packets, it may struggle with something critical like OSPF or EIGRP. This in turn can cause a problem for the data plane.

So as you can see, the control plane is a potential attack surface. If an attacker can overwhelm the control plane, perhaps with a ping flood or some other DDoS attack, they could compromise the whole device. This is why we can use control plane protection. This is where we limit the amount of certain types of control plane traffic that a device will accept. Some devices will have basic protection built in; some more advanced platforms will let you configure the protection yourself, mostly through QoS policies.
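A concrete form of the control plane protection just described, added here as an example and not taken from the video: a Cisco IOS Control Plane Policing (CoPP) policy built from the standard MQC QoS commands. The ACL names, class names and rate values are assumptions chosen for illustration; real rates should be sized from a baseline of the device's normal control-plane traffic.

```cisco
! Classify ICMP addressed to the device as its own control-plane class
! (the ping-flood case from the video). Names and rates are illustrative.
ip access-list extended COPP-ICMP
 permit icmp any any

! Routing protocol traffic is critical (OSPF, EIGRP) and gets a separate,
! more generous class so a flood elsewhere cannot starve it.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit eigrp any any

class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING

! Police each class: conforming traffic is passed to the CPU, excess
! ICMP is dropped, routing traffic is never dropped by this policer.
policy-map COPP-POLICY
 class COPP-ICMP-CLASS
  police 32000 8000 conform-action transmit exceed-action drop
 class COPP-ROUTING-CLASS
  police 512000 64000 conform-action transmit exceed-action transmit
 class class-default
  police 256000 32000 conform-action transmit exceed-action drop

! Attach the policy to traffic arriving at the control plane itself,
! not to a physical interface.
control-plane
 service-policy input COPP-POLICY
```

Check the result with `show policy-map control-plane`, which reports per-class conformed and exceeded packet counters; exceeded counts on the routing class during normal operation mean the rate is too tight and should be raised.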
There's just one last thing I'd like to cover, and that's what is sometimes known as the management plane. The management plane is management traffic that's going to a device, like SSH, Telnet, web console, SNMP and others. Strictly speaking this is still control plane traffic, but you can treat it differently to other types of control plane traffic like routing updates, NetFlow, ping and so on.

This raises an interesting question: is all management traffic control plane traffic? Well, it depends on the perspective. If management traffic is going to a device, then as far as this device is concerned, this is control plane traffic. If management traffic is going through a device, perhaps to manage another device somewhere else, then from the device's perspective this is data plane traffic.

So the simplified version of all this is that when forwarding traffic we're using the data plane, and when generating or responding to traffic we're using the control plane. Hope all this makes sense, and thank you for watching.

