
Data Plane vs Control Plane Concepts clarification

nwekechampion
Level 3

Hi Guys,

 

Just looking for clarification on the application of control plane and data plane concepts.

Would I be correct in saying that the application of control plane and data plane depends on the architecture in place and not the protocols used?

For example, in SD-WAN:

  1. Underlay
    1. Data plane ==> the CEF/FIB table on the edge routers
    2. Control plane (combined with data plane per device) ==> BGP
  2. Overlay
    1. Data plane ==> TLOCs, BFD, NAT and encryption, colors
    2. Control plane (separated out on vSmarts) ==> IPSec, OMP

SD-Access:

  1. Underlay
    1. Data plane ==> CEF/FIB
    2. Control plane ==> OSPF/ISIS/EIGRP
  2. Overlay
    1. Data plane ==> VXLAN
    2. Control Plane ==> LISP

 

Could anyone clarify, please?

6 Replies

Hi,

Control plane and data plane are not SDN-specific terms.

Whatever is related to user traffic flow is data plane. As you mentioned, devices use CEF/FIB to select the path. Matching an access list and taking some action, QoS, NAT, policing and shaping, and encapsulation and encryption (and the reverse operations) of IPSec, VXLAN, etc. are data plane processes.

The control plane is needed to build the forwarding plane: the logic for data traffic (data plane). It includes any routing protocol, any negotiation between devices, LISP in SDA (as you mentioned), etc.

Example with IPSec (general and SD-WAN case):

Whatever is done to build SA tunnels for user traffic is control plane in IPSec (Phase 1 IKE / Phase 2 Quick Mode), and protocols that do health/liveness checks (like Dead Peer Detection in IPSec) are also considered control plane.
After that, when user traffic comes and IPSec does encapsulation and decapsulation as well as encryption and decryption, these are data plane.

Please note that there is no IKE in the SD-WAN IPSec architecture; they rely on vSmart authentication. Devices advertise keys to vSmart, and vSmart distributes the keys to other routers. Key distribution/rotation between the controller (vSmart) and routers (edge devices) is control plane, but encryption and decryption using these keys are data plane operations.

Example with SDA:

LISP, yes, is a control plane protocol.
VXLAN is a data plane protocol (user traffic is encapsulated and decapsulated with VXLAN).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
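
The control-plane/data-plane split described in the reply above, as an added conceptual model (not part of the original post and not Cisco's implementation): a controller relays keys while the edges do the per-packet work with whatever key is installed. `Controller`, `Edge`, `rekey`, `send` and `receive` are hypothetical names; the one-byte key id, the one-previous-key grace window, and HMAC-only packet protection (standing in for encryption so the block runs on the standard library) are assumptions.

```python
import hashlib
import hmac
import secrets

class Controller:  # control plane: relays each edge's key to the other edges
    def __init__(self):
        self.edges = {}

    def advertise(self, owner, key_id, key):
        for name, edge in self.edges.items():  # key material only, no user traffic
            if name != owner:
                edge.peer_keys[owner] = (key_id, key)

class Edge:  # own_keys: key_id -> key; peer_keys: peer name -> (key_id, key)
    def __init__(self, name, controller):
        self.name, self.controller, self.key_id = name, controller, 0
        self.own_keys, self.peer_keys = {}, {}
        controller.edges[name] = self

    def rekey(self):
        """Control plane: rotate this edge's key, keeping one previous key (assumed)."""
        self.own_keys = {k: v for k, v in self.own_keys.items() if k == self.key_id}
        self.key_id += 1
        self.own_keys[self.key_id] = secrets.token_bytes(32)
        self.controller.advertise(self.name, self.key_id, self.own_keys[self.key_id])

    def send(self, peer, payload):
        """Data plane: per-packet work with the installed key, no controller call."""
        key_id, key = self.peer_keys[peer]
        body = bytes([key_id]) + payload
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def receive(self, packet):
        """Data plane: verify with the key the packet names; None means drop."""
        if len(packet) < 33 or packet[0] not in self.own_keys:  # 1 id byte + 32 tag
            return None
        body, tag = packet[:-32], packet[-32:]
        good = hmac.new(self.own_keys[packet[0]], body, hashlib.sha256).digest()
        return body[1:] if hmac.compare_digest(tag, good) else None

def demo():
    ctl = Controller()
    a, b = Edge("edge-a", ctl), Edge("edge-b", ctl)
    b.rekey()
    old = a.send("edge-b", b"user data")   # tagged with edge-b's key 1
    b.rekey()                              # rotation is control-plane work
    new = a.send("edge-b", b"user data")   # data plane now uses key 2
    in_flight, fresh = b.receive(old), b.receive(new)
    b.rekey()                              # key 1 is retired
    return in_flight, fresh, b.receive(old), b.receive(new[:-1] + bytes([new[-1] ^ 1]))
```

`demo()` returns the payload for the in-flight and fresh packets, then `None` for the packet under the retired key and for the packet with a flipped tag bit.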

Thanks @Kanan Huseynli,

I am aware they are not SDN-specific terms; I was just looking to understand how the control plane/data plane segregation applies to Cisco's SD-Access and SD-WAN environments.

The design CVDs' explanations of the planes, for both technologies, are way too wordy for me, unfortunately.

However, I am still left with some unanswered questions.

1. Do the overlay control and data planes differ from those of the underlay (traditional network)?

2. Is IPSec an overlay data plane or control plane component in the SD-WAN fabric?

 

Hi,

Q1: Could you explain it a bit?

Q2: We can say both. IPSec key distribution, key rotation, and algorithm types are control plane. Whatever is actually used in encryption and decryption on the data itself is part of the data plane.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks..

Q1: The underlay has a data plane to build the physical network for the overlay, so it should still follow the rules of routing using RIB/CEF.

So my question ==> Do the control plane and data plane still apply in the underlay, that is, running on the same device (router/switch)?

Hi,

Sure. For the underlay you may have, for example, BGP on the WAN-facing interface (transport) to connect to an ISP or MPLS provider - this is control plane in the underlay. Most data plane traffic is in the overlay (in SD-WAN), but Direct Internet Access traffic can be assumed to be data plane traffic in the underlay.

Anything related to protocol/technique - CPU - is control plane. Anything related to forwarding of user/data traffic is data plane.

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks for your explanation @Kanan Huseynli