Specifications

Access Layer April 2014
Figure 8 - DHCP snooping and Dynamic ARP inspection
[Figure labels: Untrusted (IP: 10.4.10.10, MAC: AA); Untrusted (IP: 10.4.10.20, MAC: DD); Trusted Interface to DHCP Server (10.4.200.10); DHCP ACK or Bad Source IP to Interface Binding]
DHCP Snooping Binding Table
Port    MAC    IP
1/1     AA     10.4.10.10
1/2     DD     10.4.10.20
1/24    EE     10.4.200.10
Dynamic ARP Inspection (DAI) uses the data generated by the DHCP snooping feature and intercepts and validates the
IP-to-MAC address relationship of all ARP packets on untrusted interfaces. ARP packets that are received on trusted
interfaces are not validated, and invalid packets on untrusted interfaces are discarded.
IP Source Guard is a means of preventing a packet from using an incorrect source IP address to obscure its
true source, also known as IP spoofing. IP Source Guard uses information from DHCP snooping to dynamically
configure a port access control list (PACL) on the interface that denies any traffic from IP addresses that are not
in the DHCP binding table.
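The checks described above can be modeled in a few lines. The following is an added example, not code from the original guide or from any switch software. It uses the ports and addresses from Figure 8 and assumes a simplified model: one binding per port, no VLANs or lease timers, and IP Source Guard applied only to untrusted ports. The class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str

class AccessSwitch:
    """Toy model of one access switch (illustrative, not vendor code)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # port -> Binding learned by DHCP snooping

    def dhcp_ack(self, ingress_port, client_port, client_mac, client_ip):
        """DHCP snooping: accept server replies only from trusted ports."""
        if ingress_port not in self.trusted:
            return "drop"  # DHCP ACK arriving on an untrusted port
        self.bindings[client_port] = Binding(client_port, client_mac, client_ip)
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """DAI: validate the IP-to-MAC pair of ARP on untrusted ports."""
        if port in self.trusted:
            return "forward"  # trusted interfaces are not validated
        b = self.bindings.get(port)
        ok = b is not None and (b.mac, b.ip) == (sender_mac, sender_ip)
        return "forward" if ok else "drop"

    def ip_packet(self, port, src_ip):
        """IP Source Guard: permit only the source IP bound to the port."""
        if port in self.trusted:
            return "forward"  # assumption: no source filter on trusted ports
        b = self.bindings.get(port)
        return "forward" if b is not None and b.ip == src_ip else "drop"

def figure8_switch():
    """Switch holding the two client bindings shown in Figure 8."""
    sw = AccessSwitch(trusted_ports={"1/24"})
    sw.dhcp_ack("1/24", "1/1", "AA", "10.4.10.10")
    sw.dhcp_ack("1/24", "1/2", "DD", "10.4.10.20")
    return sw

if __name__ == "__main__":
    sw = figure8_switch()
    print(sw.arp("1/2", "AA", "10.4.10.10"))   # ARP claiming port 1/1's pair
    print(sw.ip_packet("1/2", "10.4.10.10"))   # source IP not bound to 1/2
```
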
Common Design Method to Simplify Installation and Operation
To provide consistent access capabilities and simplify network deployment and operation, the design uses a
common deployment method for all access layer devices, whether they are located in the headquarters or
at a remote site. To reduce complexity, the access layer is designed so that you can use a single interface
configuration to accommodate a variety of device connectivity, such as for a standalone computer, an IP phone,
an IP phone with an attached computer, or a wireless access point.
The LAN access layer provides high-bandwidth connections to devices via 10/100/1000 Ethernet with both
Gigabit and 10-Gigabit uplink connectivity options. The 10 Gigabit uplinks also support Gigabit connectivity to
provide flexibility and help business continuity during a transition to 10 Gigabit Ethernet. The LAN access layer
is configured as a Layer 2 switch, with all Layer 3 services provided by either the directly connected
distribution layer or a router.
Figure 9 - Access layer overview
[Figure labels: Access Switch; Distribution Switch OR Remote Router; Wireless Access Point; IP Phone; User]
Features to Support Voice and Video Deployment
Voice and video are enabled in the access layer via network services such as Power over Ethernet (PoE), QoS,
multicast support, and Cisco Discovery Protocol (CDP) with the voice VLAN.
PoE enables devices such as IP phones, wireless access points, virtual desktops, and security cameras to be
powered by the access layer device. This removes the expense of installing or modifying building power to
support devices in difficult-to-reach locations and allows for the consolidation of backup power supplies and
uninterruptible power supplies (UPSs) in the access closet.