11-08-2017 02:52 AM - edited 03-08-2019 12:40 PM
Recently, I had a chance to ask a CCIE holder some questions. I asked a few questions that have been bothering me most. He gave me answers, but he told me that he is not 100% sure.
If you know the correct answer, please comment :)
1. When I asked him about control and data plane protocols, he told me that there are no such things. He said, "Protocols are just protocols, and control and data plane are all about whether data are processed by the software or the hardware. The control plane is where data are processed using resources from the CPU, memory, etc. The data plane is where data are processed in hardware." I honestly didn't understand the differences between the control and data plane. Isn't using resources from the CPU, memory, etc. also considered hardware-based? I would really appreciate it if you could explain to me what the data and control plane exactly are, and their differences, as simply as possible.
2. He told me that there are no such things as control/data plane protocols. But, I often hear or see about control/data plane protocols & control/data protocols. If I understood correctly, there are no such things as control/data plane protocols, but there are control/data protocols?
3. I recently saw people are debating about whether ICMP is considered as control plane protocol or data plane protocol. If both control/data plane protocols and control/data protocols are correct terminologies, could you please explain to me the differences between control/data plane protocols and control/data protocols?
4. According to Cisco, VTP is always forwarded on trunks with a VLAN 1 tag, and DTP packets are sent on the native VLAN on 802.1Q trunks. I asked him why CDP and VTP are always forwarded on trunks with a VLAN 1 tag. He told me that "Since the DTP packet doesn't get forwarded, there is no need to tag VLAN info. However, the VTP packet does get forwarded and a loop might happen. That's why VTP is always forwarded on trunks with a VLAN 1 tag." I recently learned about 802.1D STP, but I have not heard that STP doesn't work for packets that do not have VLAN info. Also, 802.1D STP works fine even if I don't create VLANs in Packet Tracer. If he is right, could you help me understand his explanation?
5. Is it possible to delete VLAN 1?
6. When VLAN 1 is removed from the allowed list, the switch continues to pass some VLAN 1 traffic such as CDP, VTP, etc. My assumption is that when VLAN 1 is removed from the allowed list, data (plane?) protocols can be blocked, but control (plane?) protocols cannot be blocked. Is my assumption right?
7. Are there any security-related issues you have heard of caused by not being able to block control (plane?) protocols by removing VLAN 1 from the allowed list?
11-08-2017 04:19 AM
Answered a couple of them to start it off.
5. Is it possible to delete VLAN 1?
No, never. You can only disable it at layer 3 and remove it from trunks.
6. When VLAN 1 is removed from the allowed list, the switch continues to pass some VLAN 1 traffic such as CDP, VTP, etc. My assumption is that when VLAN 1 is removed from the allowed list, data (plane?) protocols can be blocked, but control (plane?) protocols cannot be blocked. Is my assumption right?
By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.
To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
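As an added example (not code from the thread or from Cisco's documentation), here is an IOS trunk configuration showing the default trunk beside one with VLAN 1 removed from the allowed list, the native VLAN moved to an unused VLAN, and DTP negotiation turned off. The interface name GigabitEthernet1/0/1 and the VLAN number 999 are assumptions.

```cisco
! BEFORE (assumed interface): default trunk. All VLANs 1-4094 are allowed,
! the native VLAN is 1 (sent untagged), and DTP negotiation is on.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! AFTER: VLAN 1 removed from the allowed list. User traffic in VLAN 1 no
! longer crosses this trunk; CDP, VTP, DTP, PAgP and LACP still do, as the
! quoted note above states. VLAN 999 is an assumed, otherwise unused VLAN
! used only as the native VLAN. 'switchport nonegotiate' stops the port from
! sending DTP frames (it requires a fixed 'mode trunk' or 'mode access').
! 'switchport trunk encapsulation dot1q' is only accepted on platforms that
! also support ISL; omit it where the switch is 802.1Q-only.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1
 switchport mode trunk
 switchport nonegotiate
!
! VLAN 1 itself cannot be deleted, but its SVI can be shut down so the
! switch is not managed over VLAN 1.
interface Vlan1
 no ip address
 shutdown
!
! Verification (assumed to run on the same switch):
!   show interfaces trunk
! VLAN 1 should be absent from the "Vlans allowed on trunk" column for
! Gi1/0/1, and the native VLAN column should show 999.
```

Removing VLAN 1 from the allowed list and changing the native VLAN are separate settings: the first controls which tagged VLANs the trunk carries, the second controls which VLAN untagged frames are assigned to. Both ends of the trunk must agree on the native VLAN, otherwise CDP reports a native VLAN mismatch.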
11-08-2017 04:42 AM - edited 11-08-2017 05:03 AM
On an 802.1Q trunk, DTP packets are sent on the native VLAN. This is the case even if the native VLAN has been cleared from the trunk. I guess DTP packets are always sent untagged.
Anyway, are CDP, DTP, and VTP all management plane protocols? I have always thought they were control plane protocols. Are there any ways to categorize control and management protocols?