Design Guide

11
LAN Baseline Architecture Overview—Branch Office Network
OL-11333-01
Multilayered Branch Architecture
Figure 7 Data and Voice VLAN on a Switch Port
The first VLAN, called the data VLAN, is sent and received untagged. The second VLAN, called the voice VLAN, is sent tagged with an 802.1Q (dot1q) header that carries the ID of the voice VLAN to which it belongs. The switch port is nevertheless not a trunk port: the tagged packets come only from the IP phone. The data device connected behind the IP phone receives and transmits only untagged packets and therefore belongs to the native (data) VLAN.
Security
Security is one of the most important considerations when designing the network. Malicious users can use tools freely available on the Internet to launch an attack if the access switches and ports are not secured; an attacker need only gain physical access to an unsecured port, and the entire network is open to attack. This emphasizes the need to protect the internal ports against possible attacks.
In addition to protection from attacks, further layers of security can be added to authenticate and authorize users who try to access a port, and to enforce policies at the edge of the network so that users meet the policy requirements before they are admitted to the network.
The following layers of security services can be deployed at the access layer:
• Layer 2 security
• IBNS and 802.1x
• Network Admission Control
Layer 2 security and user authentication are described in the following sections. Network Admission Control will be added in the future.
Layer 2 Security
Protection against snooping and denial of service (DoS) attacks can be achieved simply by turning on the security features embedded in Cisco switches. Layer 2 security plays an important role in the branch office in mitigating internal threats. Because physical security and monitoring may be less tight in a branch office than in a campus, incorporating some of these security features into the design is a compelling choice.
Cisco Catalyst switches implement Cisco Integrated Security Features (CISFs), a family of security features that together provide protection against a wide range of Layer 2 security threats. CISFs include features such as private VLANs, Port Security, DHCP snooping, IP Source Guard, secure ARP detection, and dynamic ARP inspection.
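As an added illustration that is not taken from the design guide, the following Cisco IOS configuration enables the CISFs named above on the Figure 7 port roles (an IP phone plus desktop port and the uplink to the router). Interface names, VLAN IDs, the rate limit and the port-security maximum are assumptions chosen for the example.

```cisco
! Global: DHCP snooping and dynamic ARP inspection (DAI) on the
! data VLAN (10) and voice VLAN (20). VLAN IDs are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Role 1: IP phone with a desktop behind it. Not a trunk: the phone
! tags only voice VLAN 20, the desktop is untagged on data VLAN 10.
interface GigabitEthernet1/0/1
 description Figure 7 role 1 - IP phone + standard desktop
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Port Security: phone (voice and data VLAN) plus one desktop MAC.
 ! Maximum of 3 is an assumption; tune to the phone model in use.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! IP Source Guard: forward only traffic whose source IP matches the
 ! DHCP snooping binding learned on this port.
 ip verify source
 ! Limit rogue DHCP/DoS traffic from an untrusted edge port (pps).
 ip dhcp snooping limit rate 15
 ! Edge port: no BPDUs expected from a phone or desktop.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Role 3: uplink to the branch router. Trusted for DHCP and ARP so
! legitimate DHCP offers and ARP replies from the router side pass.
interface GigabitEthernet1/0/24
 description Figure 7 role 3 - uplink to router
 ip dhcp snooping trust
 ip arp inspection trust
```

All other access ports remain untrusted for DHCP snooping and DAI by default, which is what blocks rogue DHCP servers and ARP spoofing on the edge.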
[Figure 7 legend: Switch Port Role. 1: IP Phone + Standard Desktop; 2: Access Point; 3: Uplink to router. Each port carries a Voice VLAN and a Data VLAN.]