Management, Control, and Data Planes
A device’s networking functions can be divided into separate planes of operation: the management plane, the control plane, and the data plane. This applies to both physical networking hardware as well as virtual networking components found in Software-Defined Data Centers.
Physical vs Virtual
The primary difference is not in WHAT services they perform, but WHERE they are. In a physical networking environment, all three are contained within the same device. For example, consider a physical Cisco switch. Configuration is a function of the management plane. When you access the switch using the command line interface, you are participating with the management plane. Even if you were to access the switch by a web interface, the same applies. The management plane is used by the administrator to supply a configuration and to monitor the device.
A Physical Switch as an Example
The switch will dynamically learn the MAC addresses assigned to the hosts within that domain. The learning occurs in the control plane. You can think of the control plane as the brains of the operation. It learns the MAC addresses and the location of the devices, reading the Ethernet headers to find the source MAC and making note of which interface the frame arrived on. That information is then recorded in the MAC table. Another example of learning in the control plane is Spanning Tree Protocol. STP’s job is to identify physical loops and block specific interfaces that ultimately eliminate all loops, giving a single path from one point to any other point within the Layer 2 domain. If the primary path fails, the corresponding blocked port transitions to forwarding. The switch learns the topology, figures out which ports should be forwarding and which should be blocking. The end result of all this learning is a MAC table of learned hosts and ports and a loop free topology. Now the switch knows exactly where to forward the traffic.
However, it’s the data plane that does the real work in moving the frames. It switches frames from the input interface to an output interface (which is why it’s called a switch). But the data plane doesn’t have to think; it just does the work. The thinking part has already been accomplished by the control plane and the decisions it made are recorded in the MAC table and STP topology.
Same Planes, Same Functions
With NSX, we have the same planes and they have the same functions. The management plane is for configuration, the control plane is where the learning takes place, and the data plane is responsible for forwarding the traffic. The difference is that in a physical switch, all three live under the same roof. Each plane is found within the confines of the switch.
NSX separates the planes using different components. The management plane is a function of NSX Manager. Instead of each component having its very own management plane, management is decoupled from the device and handled centrally by NSX Manager. This way, instead of configuring each component individually, NSX devices can be configured from a single point.
The control plane is also separate. It is handled by a cluster of NSX Controllers. The Controllers learn. They learn about the hosts, the IP and MAC mappings, they learn the connectivity status of the components, and they learn routes via the Logical Router Control VM. They determine where to send traffic, but none of that traffic actually passes through the Controllers. Their focus is on the learning and decision making.
The data plane is handled by the NSX Virtual Switch. It is responsible for forwarding the traffic.
Virtually More Benefits
Although we find the same functionality, it’s implemented differently. The physical network is constrained. All the planes must live in the same box and every time a frame is forwarded to a different device; it repeats the same process using its own three planes. However, NSX is all done in software, and isn’t limited by those physical restrictions. Separating the functions gives us a bonus side benefit: higher availability. For example, if a physical router were to lose its routing table (control plane), you’re done. No packets would be forwarded to remote networks. But if you lose the cluster of NSX Controllers (control plane), data is still forwarded. Whatever decisions were made by the control plane is cached at the data plane level and therefore the workloads are unaffected.