Thanks for your detailed explanation.

With regards
Kings
On Wed, Nov 17, 2010 at 2:44 AM, Tyson Scott <[email protected]> wrote:

> It is not there; who would ever use DNS on a router in production? In the real
> world we would never look at DNS as a control or management function on a
> router. It is a protocol that would typically only be seen in the data plane.
>
> It is not control-plane. You need to separate what the control-plane is and
> what CPP and CPPr are. They are not the same thing.
>
> Here is a definition of the control-plane:
>
> In routing, the control plane is the part of the router architecture that
> is concerned with drawing the network map, or the information in a (possibly
> augmented) routing table that defines what to do with incoming packets.
> Control plane functions, such as participating in routing protocols, run in
> the architectural control element.[1] In most cases, the routing table
> contains a list of destination addresses and the outgoing interface(s)
> associated with them. Control plane logic also can define certain packets to
> be discarded, as well as preferential treatment of certain packets for which
> a high quality of service is defined by such mechanisms as differentiated
> services.
>
> What fits under that definition? ARP, IGP, BGP, IGMP, PIM, and other
> protocols that "glue" the network together, just as Yusuf describes in his
> book. These protocols can also be very easily identified because these
> protocols will typically terminate on the interface of the router. But then
> BGP, IGMP, and PIM have exceptions to that typical rule as well. I also
> think that if the router can run without it then you can't define it as
> fitting into any portion of the router as a primary function.
>
> Is that a full list of everything that may terminate on the control-plane?
> No. But everything else starts to become "may be a control-plane function,
> may be a data plane function".
> VPN traffic, for example, may terminate on the control plane or it may simply
> flow through the router on the forward path. If you terminate it on the
> control-plane then you need to take VPN traffic into consideration in your
> protection mechanisms, using protection mechanisms like "call admission
> control". But that isn't there by default, because 90% of the routers in
> production don't provide encryption services, so 90% of the time VPN is not a
> control-plane function. So if we go based on a 51% rule as the norm, that
> means that VPN is a data plane function, right? No, we can't really say that
> either. But trying to fit protocols into a nice box of "it is data
> plane/control plane/management plane" just doesn't work. There are too many
> exceptions to make any good rule of thumb.
>
> Simply said: it is not a control-plane function, it is not a management
> plane function, it is not a data plane function. It is a process that runs
> on the router. Controlling access to it would be controlled on the host
> control plane sub-interface. Where is the management-interface also defined?
> Control-plane host. Does that make these other protocols control-plane
> protocols? No, they are protocols that may run on the host control-plane in
> management functions.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia.
> Be sure to visit our online communities at www.ipexpert.com/communities and
> our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Monday, November 15, 2010 10:41 PM
> To: 'Kingsley Charles'; 'Pieter-Jan Nefkens'
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DNS part of which plane
>
> If we don't know "why" for this "chicken-egg" debate, who will be the
> authority to answer it, folks?
>
> I would never put DNS in the management plane, let it be the Cisco world or
> anything else. And Kings' finding supports it.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Sunday, November 14, 2010 9:32 PM
> To: Pieter-Jan Nefkens
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DNS part of which plane
>
> If DNS is part of the management plane then why isn't it in the following
> list?
>
> router2(config-cp-host)#management-interface g0/0 allow ?
>   beep    Beep Protocol
>   ftp     File Transfer Protocol
>   http    HTTP Protocol
>   https   HTTPS Protocol
>   snmp    Simple Network Management Protocol
>   ssh     Secure Shell Protocol
>   telnet  Telnet Protocol
>   tftp    Trivial File Transfer Protocol
>   tl1     Transaction Language Session Protocol
>   tls     Transport Layer Security Protocol
>
> With regards
> Kings
>
> On Tue, Nov 9, 2010 at 12:50 PM, Pieter-Jan Nefkens wrote:
>
> Hi Kings,
>
> But DNS is used for management. You can use it, for example, for URL
> filtering, certificate enrollment / verification, etc.
>
> And you might want to consider letting DNS traffic leave out of the
> management interface (thus out-of-band certificate enrollment, RBL checks,
> URL filtering, etc.). And that would mean that DNS would be part of the
> management plane.
>
> For me, the control plane is basically the CPU in the router that talks
> with the data plane and allows the setting of hardware entries in the data
> plane, and handles all traffic that can't be handled in the data-plane.
>
> This includes the ARP entries (ARP is then placed in the data plane),
> application layer inspection that can't be handled in hardware, changes of
> routing entries, etc.
>
> The management plane for me is mostly the ways to configure traffic and how
> the router handles traffic and applications, and then in general all traffic
> that is not immediately part of routing / switching (the handling of
> routing protocols is of course on the control plane, as it comes in from all
> interfaces), but you might want to restrict management traffic.
>
> HTH
>
> Pieter-Jan
>
> On 9 nov 2010, at 06:33, Kingsley Charles wrote:
>
> Tyson, DNS is not required to build the network, hence I agree it's not part
> of the control plane.
>
> DNS is a protocol that builds the name to IP address table. If CDP is part
> of the control plane, which doesn't help much to operate the network, then I
> feel DNS can also be part of the control plane :-)
>
> With regards
> Kings
>
> On Tue, Nov 9, 2010 at 10:07 AM, Tyson Scott <[email protected]> wrote:
>
> Is DNS necessary, from a router perspective, for the network to operate?
>
> Control plane is only network services that "glue" the network together.
>
> Routing protocols,
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Monday, November 08, 2010 11:06 PM
> To: Tyson Scott
> Cc: Eugene Pefti; [email protected]
> Subject: Re: [OSL | CCIE_Security] DNS part of which plane
>
> Hi Tyson
>
> Can you please let me know the reason for having DNS in the management plane?
> How does DNS help to manage the device?
>
> I am not getting the picture.
>
> With regards
> Kings
>
> On Tue, Nov 9, 2010 at 8:08 AM, Tyson Scott <[email protected]> wrote:
>
> DNS is management plane. It is not a service that glues the L3 network
> together.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Sunday, November 07, 2010 3:23 AM
> To: 'Kingsley Charles'
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DNS part of which plane
>
> That's right. We see all ports that are open on the router that belong to the
> so-called host subinterface of the Control Plane. What are we debating about
> then? ;)
>
> I didn't find that DNS belongs to the management plane in Cisco's official
> documentation. Perhaps Yusuf in his flash cards is not right, as the list of
> protocols mentioned in the figure for this question is too big. Unless I
> entirely confuse the concept of Control and Management Plane.
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Sunday, November 07, 2010 12:56 AM
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DNS part of which plane
>
> Eugene, the O/P is self-explanatory. "show control-plane host open" shows
> all the ports that the router is listening on. The O/P has ports 22 and 23,
> which are SSH and Telnet respectively. Does that mean Telnet and SSH are
> control plane protocols?
>
> The O/P includes management, control and service protocol port numbers.
> ISAKMP is in the service plane, right? You can see 500 and 4500 in the O/P
> too.
>
> With regards
> Kings
>
> On Sun, Nov 7, 2010 at 1:13 PM, Eugene Pefti <[email protected]> wrote:
>
> It's a good point, Kings.
>
> Our customer uses their routers as DNS servers at their remote offices, and
> the traffic destined to the router itself can be falling under the
> management plane.
>
> I thought that you control access to the router via a regular ACL, which I
> still do by applying it to different VLAN interfaces.
>
> But when I query the router to show me open ports under the control plane I
> see DNS on the list as well. Hence DNS traffic is from control-plane ;)
>
> Router_LAB#show control-plane host open
> Active internet connections (servers and established)
> Prot  Local Address   Foreign Address   Service         State
> tcp   *:22            *:0               SSH-Server      LISTEN
> tcp   *:23            *:0               Telnet          LISTEN
> tcp   *:53            *:0               DNS Server      LISTEN
> udp   *:53            *:0               DNS Server      LISTEN
> udp   *:67            *:0               DHCPD Receive   LISTEN
> udp   *:2887          *:0               DDP             LISTEN
> udp   *:123           *:0               NTP             LISTEN
> udp   *:4500          *:0               ISAKMP          LISTEN
> udp   *:500           *:0               ISAKMP          LISTEN
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Saturday, November 06, 2010 11:52 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] DNS part of which plane
>
> Hi all
>
> As per the Yusuf flash cards, DNS is part of the Management plane.
>
> The management plane is used to manage the device and the control plane is
> used to dynamically build the network.
>
> DNS builds the network by resolving the FQDN to an IP address.
>
> I think DNS should be in the control plane list.
>
> Any thoughts?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
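The practical conclusion of the thread is that DNS on an IOS router is neither a routing-protocol "glue" service nor one of the protocols that Management Plane Protection knows about; it is simply a listener on the control-plane host subinterface, so that is where it has to be controlled. The configuration below is an added illustration (editor's example, not a configuration posted by any of the participants or taken from Cisco documentation) of what that looks like with CPPr and MPP on a 12.4T-class IOS image. The ACL, class-map and policy-map names, the interface GigabitEthernet0/0, the police rates and the choice of SSH/HTTPS/SNMP as permitted management protocols are all assumptions; substitute your own.

```ios
! Editor's example: restricting the router's own DNS listener through the
! control-plane host subinterface. Names, interface and rates are assumed.
!
! 1. If the router is not meant to be a DNS server at all, stop it listening.
!    After this, the "DNS Server  LISTEN" rows no longer appear in
!    "show control-plane host open".
no ip dns server
!
! 2. If it must answer DNS (the remote-office case from the thread), do not
!    leave port 53 in class-default: classify it and police it separately
!    from the routing protocols that actually glue the network together.
ip access-list extended CPPR-DNS-ACL
 permit udp any any eq domain
 permit tcp any any eq domain
!
ip access-list extended CPPR-ROUTING-ACL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
class-map match-all CPPR-ROUTING
 match access-group name CPPR-ROUTING-ACL
class-map match-all CPPR-DNS
 match access-group name CPPR-DNS-ACL
!
policy-map CPPR-HOST
 class CPPR-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class CPPR-DNS
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! 3. The CPPr policy and Management Plane Protection both live under the same
!    "control-plane host" submode. MPP's allow list has no "dns" keyword, so
!    MPP neither permits nor blocks DNS; only the policy above (or an
!    interface ACL) constrains it.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh https snmp
 service-policy input CPPR-HOST
!
! Verification:
!   show control-plane host open           (is tcp/udp 53 still LISTEN?)
!   show policy-map control-plane host     (conform/exceed counters per class)
```

Two caveats. The ACLs match on destination port 53 only, which covers queries arriving at the router's DNS server; replies to the router's own resolver queries (source port 53) fall into class-default, so raise that policer or add a `permit udp any eq domain any` line if the router is also a DNS client. Also, the host subinterface policy only sees traffic punted to the route processor; DNS that merely transits the router in the data plane is unaffected, which is exactly the distinction the thread is drawing.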
