The Control Plane (Basic)

A network is said to have two planes: a control plane and a data plane. The data plane simply refers to the information that is being transported. Besides its main function of routing and forwarding data, the network must provide another critical function: a way for network administrators to provision and maintain the network devices themselves. These functions include monitoring network throughput and performance, updating the network topology, establishing new connections, and enforcing security and service policies. They are performed by the control plane in a network device. The control plane is responsible for giving the network administrator a clean way to access the device, issue commands, and receive responses. When something goes wrong in the network, the control plane is critical. If the control plane is compromised, the network device could be "locked up". In this state, no network changes are possible, no monitoring is available, and there is no visibility into the operational state.

Control Plane Protection

Control Plane Protection (sometimes called Control Plane Policing or CoPP) should be applied to ensure that bandwidth remains available to the network administrator. The measures involved are:

  • Preserving CPU “bandwidth” as a high priority for control plane services

  • Safeguards on the data plane to prevent CPU overruns

  • Separate CPU processors for the data plane and control plane

Denial of service (DoS) and distributed denial of service (DDoS) attacks typically try to overwhelm a device with traffic to the point of instability. Control Plane Policing (CoPP) uses QoS traffic policies to restrict the amount of traffic destined for network devices. CoPP treats the control plane as an independent entity with its own ingress and egress port, so a set of rules can be attached to the ingress and/or egress of that port. The rules are applied to a packet after it has been determined to have the control plane as its destination, and when a packet leaves the control plane.

An example of the commands that attach a QoS policy to the control plane:

Router(config)# control-plane

Router(config-cp)# service-policy {input | output} policy-map-name

The first line enters control plane configuration mode, while the second line attaches the QoS policy to the ingress or egress of the control plane port.
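
The following sketch shows what policy-map-name can refer to. It is an added example, not part of the original page: a Cisco IOS policy that classifies traffic bound for the control plane and polices each class. The ACL, class and policy names, the 192.0.2.0/24 management range and all rates are constructed for illustration and must be sized against a measured baseline.

```cisco
! Added example: names, addresses and rates are constructed, not from the page.
! 192.0.2.0/24 stands in for the trusted management network (assumption).
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
policy-map COPP-IN
 ! SSH and SNMP from the management range: rate-limited, excess dropped
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 ! ICMP from anywhere: tight limit so a ping flood cannot starve the CPU
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 ! Everything else, which in this sketch includes routing protocol traffic:
 ! exceed-action transmit only counts the excess, so nothing is dropped
 ! until the class has been baselined and split into finer classes
 class class-default
  police 128000 conform-action transmit exceed-action transmit
!
! Attach the policy to the ingress of the control plane
control-plane
 service-policy input COPP-IN
```

After the policy is attached, `show policy-map control-plane` displays the conformed and exceeded counters for each class, which is how the rates are tuned before any exceed action on class-default is changed to drop.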