350-501 SPCOR Cisco CCNP Service Provider – Network Infrastructure Protection
June 9, 2023

1. Network Infrastructure Protection

Okay, in this video we will try to understand what network infrastructure is and which key areas we need to focus on to protect it. So let's get started with network infrastructure first. Network infrastructure primarily consists of network devices like routers, switches and firewalls, plus the cabling that interconnects those devices and the servers. Most companies rely on this infrastructure to run their business, and enterprise business relies so heavily on it that any threat to the infrastructure is a threat to the business. Let's take an example.

An attacker introduces some attack into the network, and that degrades the performance of your network. If a severe attack takes the network down, or takes a server down, then users trying to access a specific service will not be able to reach it, and that impacts the business. So network infrastructure covers the networking devices and the computers, including the application systems running on workstations, servers, laptops, tablets and smartphones.

It also covers devices like routers, switches, VPN devices, firewalls, wireless LAN controllers and access points. It includes the data stored on your storage devices, the data moving across the network, and also the users. All of these together are what we refer to as the network infrastructure, and it is really important to make sure it is available all the time. So to protect our network infrastructure we need to make sure that legitimate users can reliably access the resources in our network.

Like I said already, enterprise businesses rely completely on the network infrastructure, and different types of attacks can occur in your network. There can be internal attacks, where a user sitting inside your company introduces malicious traffic or tries to gain unauthorized access, or the attack can come from the outside, from the Internet, again trying to access information in your network or to send malicious traffic into it. So we need to make sure that the enterprise network infrastructure is up and running 99.99% of the time, and to do that we need to protect it.

That means focusing on a few key areas. We need to secure the infrastructure devices and the end devices used by the end users, the PCs or endpoints, along with the applications installed on them. Apart from that we need to make sure that the routing infrastructure is secured: you have routers, an attacker may try to attack a router, and the router has to be hardened with security features. The same goes for the switching infrastructure, which connects your LAN.

In the LAN we have some devices, and there is a good chance that internal threats come from internal users, so we can implement security features on the switches to prevent some of those internal Layer 2 attacks. We also need to run network telemetry services: NTP for properly synchronized time, syslog for log messages, and SNMP. We need to implement services to monitor the network in general. And finally there is device resiliency and survivability.

Device resiliency and survivability is nothing but how well your network devices are able to survive when an attack happens. If an attack occurs and your network cannot survive it, the network goes down, or users cannot access resources, and the enterprise business is impacted. So the main thing here is to understand what the network infrastructure is, which is what we tried to do in this video.

2. Identify Network Device Planes

Okay, so in order to provide network infrastructure protection we need to understand the behaviour of the networking devices used in your infrastructure and the functions they perform. Routers, switches and firewalls are the typical networking devices we use, and all the functions they perform are divided into different components or contexts that we call planes. The basic functionality of a networking device is divided into three planes.

We call them the control plane, the data plane and the management plane. The control plane deals with the traffic that relates to, for example, a router building up its routing table: you run a routing protocol like EIGRP or RIP, and based on that the router sets up the routing table, which it then uses to forward packets. So all the functions that relate to building the database used to forward traffic belong to the control plane.

Another example is a switch running spanning tree, VTP or any other Layer 2 process that helps it decide how to forward traffic at Layer 2. The same applies to routers and to ASA firewalls. We will go through the planes one by one, starting with the control plane. The control plane deals with traffic that is destined to the networking device itself or sourced from it. For example, a router running EIGRP exchanges routing updates with its neighbours, and those updates are either initiated by this router or received by this router.

So it is traffic destined to the router or initiated from the router, or switch to switch if you talk about Layer 2 features. Routing protocol traffic is how the device learns the information required for packet forwarding, such as the routing table. But the control plane does not actually forward the traffic; the actual forwarding is done by the data plane. For the data plane to forward, the control plane information has to be built first. So in terms of security, if there is an attack on the control plane and the control plane stops functioning, it automatically impacts the other planes as well.

The control plane information has to be prebuilt in order to forward packets; it tells where to forward, out of which interface, and how to forward. This entire process is process-switched, that is, handled by the device CPU. Some examples of control plane traffic: routing protocols such as OSPF, EIGRP and BGP; if you use multicast routing, IGMP and PIM; if you use DMVPN, the NHRP protocol; LDP in MPLS; ICMP; ICMPv6 neighbor discovery in IPv6; and at Layer 2, ARP, STP and VTP. These are the protocols that work at the control plane. Next, the management plane.

The management plane deals with managing the device, not managing the traffic. A simple example: if you want to access this router, you generally log into it through Telnet or SSH, or through the console, and that is for management purposes. So it deals with all the traffic relating to management: Telnet, SSH, HTTP and HTTPS for the web GUI, the network telemetry services NTP, syslog, SNMP and NetFlow, and AAA traffic to RADIUS and TACACS+ servers. AAA stands for authentication, authorization and accounting.

It is used to control device administration in general. Here also the traffic is destined to the networking device, or sourced from it when you access some other device from this one. So network device management and the telemetry services, which give you network traffic visibility, come under this plane; we will talk more about telemetry later. The management plane traffic is also process-switched in general. The data plane deals with the actual forwarding of the traffic.

Whereas the control plane builds the database, such as the routing table, that is used to forward traffic, and the management plane deals with all the management-related traffic, the data plane is the traffic moving through the device. Data plane traffic is transit traffic: for example, a user sitting in the LAN accesses something on the Internet or on a remote server; the packet goes to the gateway, and the router forwards it. So the data plane deals with all the traffic moving through that particular device, mainly forwarding packets from one interface to another. For the data plane to work, the control plane must be up and running. As I said, if there is an attack on the control plane and it stops functioning, it impacts the data plane and, if you manage the device remotely, the management plane as well. But if there is an attack on the management plane and you are not able to log into the device, the device can still forward traffic, because the data plane relies on the control plane, not on the management plane.

Data plane traffic is CEF-switched. CEF is Cisco Express Forwarding, the faster way to transit packets: the routing table is pushed down to the data plane in the form of the FIB, the forwarding information base, and all the traffic is switched in the data plane using that table. Before we get into the implementation of network security we need to understand these three planes, because in the next topics, where we see how to secure the network, we will secure them individually: what functions are done at the control plane and how to secure it, then the management plane, and then the data plane.

3. Data Plane

First we will try to understand the data plane. The data plane is the component that is mainly responsible for forwarding traffic. Take a simple example with your router. Let's say I send a packet from 192.168.1.1 destined to the 192.168.5.0 network. The packet reaches the router, the router receives and processes it, where processing is nothing but checking the routing table to figure out the exit interface, and then it forwards the packet according to the routing table. You can call it forwarding a packet or forwarding data, and in the LAN we generally call it a frame.

Whatever you call it, the same applies to switches: whenever you send a packet, the traffic moves and that particular device is responsible for forwarding it out of a specific interface, based on the Layer 3 address in the case of routing and on the MAC address in the case of switches. That is what we refer to as the data plane: the actual forwarding of your packet from one interface to another. It is also referred to as the forwarding plane. The traffic includes general IP traffic, where the device examines the IP addresses in the packet and forwards it,

or non-IP traffic, such as Layer 2 frames, where the switch checks the MAC addresses to forward the frame out of a specific interface. The router checks the routing table and forwards based on the IP address and the interface or cable connected toward the destination, and while packets are inside the router it also does some queueing and buffering. All of these individual tasks are specific to the data plane. Again, for the data plane to work the control plane should be functional; we will talk about the control plane in the next topic.

The control plane is responsible for building the routing table, or the database, based on which the data plane forwards packets. That is only possible when you configure a routing protocol: when you configure the routing protocol and a route appears in the routing table, that is done by the control plane. So the control plane learns the information, whereas the data plane uses that information to forward packets. Let's see some common examples of data plane tasks.

One example: when you send a packet in your switched network, the switch identifies the MAC address and forwards it out of a specific port. That is a data plane task. Another: when the packet moves between switches over trunk links, the switch tags it and forwards it from switch to switch, or from switch to router if you use sub-interfaces for inter-VLAN routing. One more example: when the packet moves from the LAN to the WAN through the router, the format changes.

The router changes the frame format, which is encapsulating and decapsulating the packet between Layer 2 and Layer 3, because it moves from the switched network to the routed network. Once it reaches the router, the router checks the routing table and forwards the packet out of the next interface. While forwarding, let's say the router forwards to the next router and that router receives it on an interface with an ACL applied, which filters your traffic. That is one more common example of the data plane.

And one more: if you use NAT when connecting to the Internet, private addresses have to be translated to public IP addresses, so the source or destination IPs are changed as packets go through; that is another data plane task. Or if you set up a VPN over the Internet, such as an IPsec VPN, you encrypt the traffic so that it cannot be read by anyone in between; that is also a data plane task. These are some of the common tasks we generally see in our networks; there are plenty more.
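The data plane tasks listed above, modelled in code. This is an added example written for this page, not code from the course or from Cisco: the routing table (RIB) stands in for what a routing protocol would have learned, the FIB is derived from it the way CEF precomputes lookups, and each packet is checked against an ingress ACL, matched by longest prefix, and source-translated when it leaves toward the Internet. The prefixes, interface names, ACL rules, NAT address and packets are all constructed for illustration.

```python
"""Data-plane forwarding: FIB lookup, ingress ACL and NAT on a toy router.

Added example, not from the course or from Cisco. RIB, ACL, interface
names, the NAT outside address and the packets are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Routing table as the control plane would hand it over:
# (prefix, next hop or None if directly connected, exit interface).
RIB = [
    ("192.168.1.0/24", None, "Gi0/0"),          # inside LAN
    ("10.0.0.0/30", None, "Gi0/1"),             # link to the next router
    ("192.168.5.0/24", "10.0.0.2", "Gi0/1"),    # learned from a routing protocol
    ("0.0.0.0/0", "203.0.113.1", "Gi0/2"),      # default route toward the ISP
]

INTERNET_IF = "Gi0/2"              # interface where NAT is applied on egress
NAT_OUTSIDE_ADDR = "203.0.113.10"  # constructed public address (NAT overload)

# Ingress ACL: (action, protocol or "ip", source prefix, destination prefix,
# destination port or None). Evaluated top down with an implicit deny.
ACL = [
    ("deny", "tcp", "0.0.0.0/0", "192.168.5.0/24", 23),     # no Telnet to the remote site
    ("permit", "ip", "192.168.1.0/24", "0.0.0.0/0", None),  # inside users may go anywhere
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def build_fib(rib):
    """Derive the FIB from the RIB: parse the prefixes once and order them so
    that the first match is the longest match."""
    fib = [(ip_network(p), nh, intf) for p, nh, intf in rib]
    return sorted(fib, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(fib, dst):
    """Longest-prefix match; returns (next_hop, exit_interface) or None."""
    d = ip_address(dst)
    for net, next_hop, intf in fib:
        if d in net:
            # Directly connected: the next hop is the destination itself.
            return (next_hop or dst, intf)
    return None


def acl_permits(acl, pkt):
    """First matching rule wins; no match means the packet is dropped."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ip_network(src_net) or dst not in ip_network(dst_net):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def forward(fib, acl, pkt):
    """Run one packet through the data plane. Returns a dict: dropped by the
    ACL, dropped for lack of a route, or forwarded with the (possibly NAT
    translated) packet, the next hop and the exit interface."""
    if not acl_permits(acl, pkt):
        return {"action": "drop", "reason": "acl"}
    route = lookup(fib, pkt.dst)
    if route is None:
        return {"action": "drop", "reason": "no-route"}
    next_hop, intf = route
    out = replace(pkt, src=NAT_OUTSIDE_ADDR) if intf == INTERNET_IF else pkt
    return {"action": "forward", "next_hop": next_hop, "interface": intf, "packet": out}


FIB = build_fib(RIB)

if __name__ == "__main__":
    for p in (
        Packet("192.168.1.10", "192.168.5.20", "tcp", 80),
        Packet("192.168.1.10", "192.168.5.20", "tcp", 23),
        Packet("192.168.1.10", "198.51.100.7", "tcp", 443),
        Packet("172.16.0.9", "192.168.5.20", "tcp", 80),
    ):
        print(p.src, "->", p.dst, forward(FIB, ACL, p))
```

Note that every decision here is made from state the control plane built (the RIB) or the operator configured (the ACL and NAT); the forwarding path itself never has to consult the management plane, which is why a device can keep forwarding while you are locked out of its CLI.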

4. Control Plane

Next we will try to understand the control plane. In the previous section we discussed the data plane, which is responsible for the forwarding job. But in order to forward, the router should know exactly where to forward, because the router may have multiple interfaces. To deliver a packet to a destination address, or to a particular MAC address in a switched network, the device should know out of which interface the packet has to be sent. So how does that device learn the routing table?

We configure a protocol, let's say OSPF, and based on OSPF the router learns the routes and builds the routing table. That is the job of the control plane: to build a database that is used by the data plane. The data plane does the forwarding, based on the database built by the control plane. Another example: in a switched network, when you send a packet out of a specific port, the switch looks at the MAC table and forwards based on the MAC addresses.

That is again information that has to be built. Or you run STP: when you have multiple interfaces, STP decides which interface goes into forwarding and which into blocking, so again STP decides which interface forwards. All of these jobs reside in your control plane. The control plane tells how to forward a packet, what to do with it and where to forward it when it is received. Examples are the routing protocols at Layer 3, and in switched networks the MAC table, ARP (finding the ARP entry), STP and VTP.

In advanced scenarios such as multicast, IGMP and PIM build the multicast database. NHRP is used in DMVPN scenarios. LDP is used in MPLS to build the label binding table. For IPv6 we have ICMPv6 neighbor discovery to find neighbour information. All of these features sit in the control plane. The control plane information must be built so that packets can be forwarded: the control plane builds the database that the data plane uses to forward.

5. Management Plane

Next we will try to understand the management plane. The management plane relates to most of the tasks that involve managing your device. Let's say I have a router and want to make some changes to its configuration. You go to the command line, initiate a Telnet or SSH connection to the router's CLI, and start typing commands. That is one example of a management plane task. Or you want to monitor the device, so you issue show commands to verify the status of the interfaces or the routing table.

That is again an example of the management plane. Maybe you are monitoring, or making changes to troubleshoot; most of these things come under the management plane. Not only that: if you use network device management options, such as SNMP to collect statistics about your network, that also comes under the management plane, as does collecting traffic records with NetFlow, time synchronization with NTP, generating log messages, and the AAA options.

These are all common examples of the management plane. The management plane relates not only to managing your devices but also to the tools and protocols used for monitoring your network and collecting statistics, which are then displayed by SNMP management software running on SNMP servers. With the help of the management plane we can identify problems and take action where we are responsible.
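Bringing sections 2 to 5 together: the plane a packet belongs to is decided first by whether it is addressed to the device itself (or to a link-local multicast group that routing protocols use) and only then by its protocol or port, which is exactly the sorting a control-plane policing classifier has to do. The classifier below is an added example written for this page, not code from the course or from any Cisco feature. Protocol numbers and ports are the IANA assignments; the router addresses, the sample packets and the NetFlow collector port are constructed. ARP and other non-IP control traffic is out of scope here.

```python
"""Sort IPv4 packets seen by a device into control, management and data plane.

Added example, not from the course or from any Cisco feature. Router
addresses and sample packets are constructed; ports are IANA assignments.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers (IANA).
ICMP, IGMP, TCP, UDP, EIGRP, OSPF, PIM = 1, 2, 6, 17, 88, 89, 103

# Control plane: protocols that build the forwarding database.
CONTROL_PROTOCOLS = {OSPF, EIGRP, PIM, IGMP}
CONTROL_PORTS = {
    (TCP, 179),              # BGP
    (TCP, 646), (UDP, 646),  # LDP
    (UDP, 520),              # RIPv2
}

# Management plane: device administration and telemetry.
MANAGEMENT_PORTS = {
    (TCP, 22), (TCP, 23),        # SSH, Telnet
    (TCP, 80), (TCP, 443),       # HTTP, HTTPS
    (UDP, 161), (UDP, 162),      # SNMP polling and traps
    (UDP, 123),                  # NTP
    (UDP, 514),                  # syslog
    (UDP, 2055),                 # NetFlow export (assumed collector port)
    (UDP, 1812), (UDP, 1813),    # RADIUS authentication and accounting
    (TCP, 49),                   # TACACS+
}

# 224.0.0.0/24 is the local network control block (OSPF, EIGRP, RIPv2 hellos).
LINK_LOCAL_MULTICAST = ip_network("224.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def classify(pkt, device_addrs):
    """Return 'data', 'control' or 'management' for one packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    own = {ip_address(a) for a in device_addrs}
    punted = src in own or dst in own or dst in LINK_LOCAL_MULTICAST
    if not punted:
        return "data"          # transit traffic: the device just forwards it
    ports = {(pkt.proto, pkt.sport), (pkt.proto, pkt.dport)}
    if pkt.proto in CONTROL_PROTOCOLS or ports & CONTROL_PORTS:
        return "control"
    if ports & MANAGEMENT_PORTS:
        return "management"
    # Anything else addressed to the device (ICMP echo, unexpected ports)
    # is still punted to the route processor, so it is treated as control
    # plane traffic: it consumes the same CPU and must be policed with it.
    return "control"


def summarize(packets, device_addrs):
    """Count packets per plane; useful for sizing a policy from a capture."""
    return dict(Counter(classify(p, device_addrs) for p in packets))


# Constructed sample: a router with 10.1.1.1 (LAN side) and 10.1.2.1 (WAN link).
ROUTER = ("10.1.1.1", "10.1.2.1")
SAMPLE = [
    Packet("10.1.1.5", "198.51.100.7", TCP, 51000, 443),  # user browsing: data
    Packet("10.1.1.5", "10.1.1.1", TCP, 51001, 443),      # HTTPS to the router: management
    Packet("10.1.1.5", "10.1.1.1", TCP, 51002, 22),       # SSH to the router: management
    Packet("10.1.2.2", "224.0.0.5", OSPF),                # OSPF hello: control
    Packet("10.1.2.2", "10.1.2.1", TCP, 40000, 179),      # BGP session: control
    Packet("10.1.1.1", "10.1.1.9", UDP, 49152, 514),      # syslog from the router: management
    Packet("10.1.1.5", "10.1.1.1", ICMP),                 # ping to the router: control
    Packet("10.1.1.5", "10.1.1.6", UDP, 49153, 161),      # SNMP between two hosts: data
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>12} -> {p.dst:<14} proto {p.proto:<3} {classify(p, ROUTER)}")
    print(summarize(SAMPLE, ROUTER))
```

The two HTTPS packets in the sample make the point: the same port is data plane when it transits the router and management plane when the router itself is the destination, so a policy that keys on ports alone, without first asking whether the packet is addressed to the device, will police the wrong traffic.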
