Design Guide
14
LAN Baseline Architecture Overview—Branch Office Network
OL-11333-01
Multilayered Branch Architecture
signature set prior to gaining access to the network. If the client requires a signature update, NAC directs
it to the appropriate resources to complete the update. One example in which NAC accomplishes this is
through placing the client into a quarantined network segment until disinfection is completed. More
details will be documented in a future document.
QoS
During congestion in the network, traffic is delivered on a best effort basis. The switches and routers in
the network do not differentiate between packets. With the converged network, it is important that traffic
be prioritized so that packets that belong to certain applications get preferential treatment. A lot has been
discussed and written about QoS. This document takes the QoS recommendations and applies them to
the Branch infrastructure.
Note: See References, page 19, for QoS reference pointers.
According to the QoS design principles in End-to-End QoS Network Design, the following are some of
the design considerations:
• Voice, video, and data applications should be classified and marked as close to their sources as
possible.
• Unwanted traffic should be policed as close to its source as possible and dropped.
• QoS should be done in hardware; the complexity of the QoS policies to be deployed close to the
source dictates the hardware requirements.
End points are capable of marking class of service (CoS) and Differentiated Services Code Point (DSCP)
values. However, it is a matter of policy whether these end points can be trusted. Trusting the device
means accepting the markings by these end devices and prioritizing traffic based on those values. If the
end devices cannot be trusted, the device closest to the end point can be used to mark the CoS and DSCP
values, and also police and rate limit traffic. This closest trusted device that marks the CoS and DSCP
values creates a trusted boundary. All these functions require significant CPU time if done in software.
Performing these tasks in hardware (ASICs) frees the CPU for other tasks. As such, the granularity
of policing and rate limiting might dictate the use of specific hardware.
By defining a trust boundary in the network, the device at the boundary can permit or remark the QoS
values. In addition to trusted devices, there are devices that are partially trusted or conditionally trusted.
Devices such as Cisco IP phones provide Ethernet ports to connect additional devices. The Cisco IP
phone in this scenario is a partially trusted device because it provides connectivity to other devices as
well. In such a case, the traffic originating from the Cisco IP phone can be permitted, and the rest of the
traffic can be marked at the trust boundary. The access layer is the closest layer to the end points, and
the QoS policies can be defined at the access layer. The access switches then form the trust boundary.
At this trust boundary, the traffic is marked or remarked depending on the trustworthiness of the device.
It is good practice to let traffic on voice VLANs through without remarking if it originates from
a Cisco IP phone (Cisco Discovery Protocol running on the access switches determines whether the
device is a Cisco IP phone). All other traffic has to be marked or remarked at the access switch, the
trust boundary.
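The following access-switch configuration is an added example, not configuration from this guide, showing how the design considerations above (classify and mark close to the source, police unwanted traffic close to the source, conditionally trust Cisco IP phones) translate into a trust boundary at the access layer. It assumes Catalyst 3560/3750-style IOS QoS syntax; the guide names no platform, so that choice, the VLAN numbers, the DSCP values, the rates and the ACL contents are all constructed for illustration.

```ios
! Assumed platform: Catalyst 3560/3750-style IOS QoS (an assumption; the guide
! names no platform). VLAN numbers, rates and DSCP values are constructed.
mls qos
!
! --- Conditionally trusted port: Cisco IP phone with a PC behind it ---
! CDP identifies the phone. While a phone is present, CoS from the phone is
! trusted; if the phone is removed, the port falls back to untrusted and every
! incoming frame is treated as CoS 0. The phone is told to rewrite the PC
! port's CoS to 0, so only the phone's own voice traffic keeps its markings.
interface FastEthernet0/1
 description Conditionally trusted: IP phone (voice VLAN) + PC (data VLAN)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
 switchport priority extend cos 0
 mls qos cos 0
!
! --- Untrusted port: PC attached directly ---
! The end point's own markings are ignored; the switch classifies, marks and
! polices in hardware at the edge. The ACL content is a constructed example.
ip access-list extended TRANSACTIONAL-APPS
 permit tcp any any eq 443
 permit tcp any any eq 1521
!
class-map match-all DATA-TRANSACTIONAL
 match access-group name TRANSACTIONAL-APPS
!
! Out-of-profile transactional data is marked down (via the policed-dscp map)
! rather than dropped; everything else is remarked to best effort and
! dropped above its rate.
mls qos map policed-dscp 18 to 8
!
policy-map ACCESS-EDGE-PC
 class DATA-TRANSACTIONAL
  set dscp af21
  police 5000000 8000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
  police 10000000 8000 exceed-action drop
!
interface FastEthernet0/2
 description Untrusted: PC on data VLAN, marked and policed at the edge
 switchport mode access
 switchport access vlan 10
 mls qos cos 0
 service-policy input ACCESS-EDGE-PC
```

The phone port relies on conditional trust alone rather than on a policy map, so the phone's voice traffic passes unchanged while anything arriving through the phone's PC port is already CoS 0 when it reaches the switch. On the directly attached PC port the markings are set and rate-limited by the switch ASICs, which is the hardware-based marking and policing the text calls for; `show mls qos interface FastEthernet0/1` shows whether the port is currently in the trusted or untrusted state.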
The Cisco Press book discusses the various models in depth. The trust boundary is shown in Figure 9 for
convenience. For more information about the trust models and trusted, untrusted, and conditionally trusted
endpoints, see the Cisco Press book.