
New Member

What is a plane? What are the differences in planes in routers and ASA?

Hi Experts,


In routers I have read there are four different planes: data plane, management plane, control plane, and service plane. In ASA, I heard there is a control plane and data plane.

Can anyone please explain what a plane is, and what the differences in planes in routers and ASA are?

8 REPLIES


Hi,

This will explain the concept to you.

https://learningnetwork.cisco.com/thread/33735


Regards

Karthik


New Member


Hi Karthik,

First of all thanks for replying to my question.

I went through the link but I still have a few questions:

1) What is the plane? I still could not understand clearly.

2) Do we have the same functioning of control plane and data plane in ASA as well?

3) What is management plane?


Hi,

1) What is the plane? I still could not understand clearly.

Normally, plane refers to the surface/level which has some connecting points. In a networking scenario, plane refers to the logical surface/process of defining how data gets in, goes out, and is processed by the different logical planes in a box. Here also, each plane has connecting points with the others.

2) Do we have same functioning of control plane and data plane in ASA as well?

Yes, concept-wise it is the same as the other definitions of control and data plane. It differs by vendor/model, but the universal concept is the same; they can have different naming.

Control plane is something we call the heart of the process. It handles whatever comes to the box: if any traffic is destined or defined to the box/device, then it is handled by the control plane.

Data plane is something which has the forwarding information; we can say that is the forwarding plane. It has the routing table and other access-rule information to define how that traffic is to be handled: on which interface it enters and how it goes out of the box.

3) What is management plane?

Management Plane:

Whatever you do editing/monitoring/managing the device, say via SNMP/CLI/GUI, are some functionalities we can call the management plane. It is a sub-component of the control plane, we can say; the management plane can be controlled by the control plane.

http://en.wikipedia.org/wiki/Forwarding_plane


Regards

Karthik


VIP Green


Just to add to what Karthik has already mentioned.

A plane is just a way to describe what part of the router or ASA different functions take place in.

Management plane - handles traffic such as Telnet, SSH, SNMP etc.

Data plane - handles all traffic that passes through the device (the service plane actually falls under this category but is sometimes separated when being described)

Control plane - handles all traffic that is destined to the device or indirectly to the device (to the box traffic)

--

Please remember to select a correct answer and rate helpful posts
New Member


Marius, your explanation is also very helpful and quite easy to understand. I thank you for helping me out in clearing up this very confusing topic.

I will expect some more help in the future from all of you experts.

New Member


Thanks Karthik for a wonderful explanation of the planes concept.

One more thing Karthik which I want to know: in routers I read there are four planes; control plane, data plane, management plane, and service plane. So in Cisco ASA do we have all four planes?

I would also appreciate it if you can share any Cisco ASA 5500 logical architecture diagram, as you shared for routers, if possible.

VIP Green


Technically there are only three planes: control plane, data plane, and management plane. The service plane is actually part of the data plane but is sometimes separated to more easily define QoS, GRE encapsulation, etc.

The ASA also has a control plane, data plane and management plane. The way I view it is that the planes are not actually instances in the IOS router or ASA; they are just used to describe the different types of traffic and how they are handled by the device.

--

Please remember to select a correct answer and rate helpful posts
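An added example, not from the thread, that turns Marius's description into a toy classifier: it sorts packets into the management, control and data planes (flagging the service-plane sub-category of the data plane) by asking whether the traffic is to the box, indirectly to the box, or through the box. The port tables, the device addresses and the sample packets are assumptions constructed for the illustration.

```python
# Added example (not from the thread): classify packets into the planes Marius
# describes. MGMT_PORTS / ROUTING_MCAST / SERVICE_PROTOS are assumed tables.
from dataclasses import dataclass
from collections import Counter

MGMT_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 443: "HTTPS"}  # to-the-box management
ROUTING_MCAST = {"224.0.0.5", "224.0.0.6", "224.0.0.9"}            # OSPF / RIPv2 groups
SERVICE_PROTOS = {"gre", "esp"}   # transit traffic the box must encapsulate/decapsulate

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "ospf", "icmp", "gre", "esp"
    dport: int = 0
    ttl: int = 64

def classify(pkt, device_addrs):
    """Return (plane, reason) for one packet seen by a router or ASA."""
    to_box = pkt.dst in device_addrs or pkt.dst in ROUTING_MCAST
    if to_box and pkt.proto in ("tcp", "udp") and pkt.dport in MGMT_PORTS:
        return "management", MGMT_PORTS[pkt.dport]
    if to_box:
        return "control", f"addressed to the device ({pkt.proto})"
    if pkt.ttl <= 1:
        # Indirectly to the box: the device itself must answer with ICMP time exceeded
        return "control", "ttl expiry"
    if pkt.proto in SERVICE_PROTOS:
        return "data", "service plane (encapsulation)"   # sub-category of the data plane
    return "data", "transit"

def plane_counts(packets, device_addrs):
    """Count how many packets of a capture land in each plane."""
    return Counter(classify(p, device_addrs)[0] for p in packets)

DEVICE = {"10.0.0.1", "192.0.2.1"}        # constructed: the box's own interface addresses
SAMPLE = [                                 # constructed sample traffic
    Packet("10.0.0.5", "10.0.0.1", "tcp", 22),
    Packet("10.0.0.5", "10.0.0.1", "udp", 161),
    Packet("10.0.0.2", "224.0.0.5", "ospf"),
    Packet("10.0.0.9", "10.0.0.1", "tcp", 179),              # BGP session to the box
    Packet("10.0.0.5", "192.0.2.50", "tcp", 80),
    Packet("10.0.0.5", "192.0.2.50", "udp", 33434, ttl=1),   # traceroute probe expiring here
    Packet("10.0.0.5", "192.0.2.60", "gre"),
]
```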


Hi,

Here you get the overview details for ASA. Here it has been defined with different terms, but the message it conveys answers your query. ;)

CPU Complex

The Cisco ASA 5585-X general-purpose CPU complex uses multiple threads to process transit traffic flows in parallel. All but one core run data path processes, which continuously scan the memory for new packets, carry out the entire set of the SoftNP security checks, and release the permitted packets back into the network. One of the cores always runs a dedicated control plane process that handles management and network control traffic as well as more complex application inspection functions. All CPU-complex cores take turns in running the control plane process in order to achieve the best resource use. Since the control plane process typically inspects a very small portion of the transit flows, data path processes are the primary consumers of the CPU-complex resources.

Each data path process works on packets received from one interface RX ring at a time. Since the ASA 5585-X platform aligns the number of RX rings across all 10 Gigabit Ethernet CPU-complex uplinks to the available cores, the CPU complex never ends up in a situation where some data path processes are starved for new work. Different cores periodically take turns attaching to different RX rings, which increases the overall capacity-use efficiency. To preserve the packet order and help ensure accurate state checking, each stateful flow can be processed by only one CPU core at any given time. To make the resource distribution across connections even fairer, the data path processes load-balance the incoming packets across 32,000 CPU work-dispatch queues. The same source and destination IP address and transport port hash is used as when load-balancing traffic across the MAC uplinks in the NIC subsystem. All packets for a single flow always select the same work-dispatch queue, and this mechanism is used to further contain the damage from packet-flood attacks. If a particular stateful flow is generating packets at an unreasonably high rate, the ASA will limit the impact to the particular associated work-dispatch queue. Once the queue is full, the ASA drops any subsequent packets that hash to the same queue. As the result, the oversubscription impact from a single flow is contained to just one work queue out of 32,000; this translates into about a 0.003 percent chance of one offending flow affecting other legitimate transit connections. This process is yet another example of how the ASA 5585-X architecture is explicitly designed to contain and self-mitigate common packet-flood attacks.

As mentioned earlier, the ASA performs all packet-processing tasks in the flexible SoftNP. On the multiple-core Cisco ASA platforms, such as the ASA 5585-X, the SoftNP components are spread across the data path and control plane processes. Most of the connection-processing functions are implemented directly in the data path with the following logical components:

Fast path: As the name implies, this component forwards packets that match already established stateful connections at a very high rate. It uses the previously evaluated security policy for the given flow to perform the full scope of stateful checks with extremely low latency.

Session manager: This component evaluates the complete security policy when attempting to create the stateful connection entry. If the connection is permitted by the policy used by the first packet, the complete inspection action set is programmed into the fast path for future packet processing.

Packets that match certain connections may be escalated from any data path process to the control plane. Figure 5 provides a brief view of the functional separation between the fast path and session manager components within the data path as well as the control plane modules of the SoftNP.

Figure 5. The ASA SoftNP Logical Diagram

In this hierarchical ASA architecture, a defense-in-depth approach can be effectively implemented, where every connection is permitted or denied after the minimum necessary set of security checks. While ASA can effectively manage most security threats at the basic Layer 3 and 4 levels, advanced application inspection engines as well as IPS and CX modules can examine the permitted traffic all the way up to Layer 7 in order to stop the most complex attacks. At every step, the ASA 5585-X architecture aims at optimizing the processing resources toward potentially malicious traffic.


Regards

Karthik
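An added example, not Cisco's code, that models the work-dispatch queue containment described in the quoted ASA 5585-X text: every packet of a flow hashes to one of 32,000 queues, and a flow that floods can only exhaust its own queue. The hash function (SHA-256 over the address/port tuple) and the queue depth are assumptions; the text states only the queue count and that the hash covers source/destination IP and transport port.

```python
# Added example (not Cisco code): toy model of the ASA 5585-X work-dispatch queues.
# NUM_QUEUES comes from the quoted text; the hash and QUEUE_DEPTH are assumptions.
import hashlib
from collections import defaultdict

NUM_QUEUES = 32_000   # stated in the ASA 5585-X description
QUEUE_DEPTH = 64      # assumed: packets a queue holds before the ASA starts dropping

def flow_hash(src, dst, sport, dport):
    """Map a flow's addresses and transport ports onto one dispatch queue.
    SHA-256 stands in for the undisclosed NIC hash; what matters is that every
    packet of one flow always lands on the same queue."""
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % NUM_QUEUES

def dispatch(packets):
    """Snapshot model: queues fill without draining, so a flooding flow can only
    consume its own queue. Returns per-flow delivered and dropped packet counts."""
    depth = defaultdict(int)
    delivered, dropped = defaultdict(int), defaultdict(int)
    for flow in packets:
        q = flow_hash(*flow)
        if depth[q] < QUEUE_DEPTH:
            depth[q] += 1
            delivered[flow] += 1
        else:
            dropped[flow] += 1
    return delivered, dropped

def flood_simulation(n_legit=1000, flood_pkts=10_000):
    """One flooding flow followed by n_legit single-packet flows (constructed data).
    Returns (flood packets dropped, flood queue, legitimate flows that lost packets)."""
    flood = ("198.51.100.7", "203.0.113.10", 40000, 80)
    legit = [("192.0.2.%d" % (i % 250 + 1), "203.0.113.10", 1024 + i, 443)
             for i in range(n_legit)]
    delivered, dropped = dispatch([flood] * flood_pkts + legit)
    affected = [f for f in legit if dropped[f]]      # only flows sharing the flood's queue
    return dropped[flood], flow_hash(*flood), affected

def collision_chance_percent():
    """Chance that a random legitimate flow shares the offender's queue."""
    return 100.0 / NUM_QUEUES   # about 0.003 percent, as the quoted text states

if __name__ == "__main__":
    lost, q, affected = flood_simulation()
    print(f"flood lost {lost} packets on queue {q}; {len(affected)} legitimate flows hit")
```

The legitimate flows that lose packets are exactly those whose hash collides with the offender's queue, which is the containment property the white paper describes.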
