Design Guide

LAN Baseline Architecture Overview—Branch Office Network
OL-11333-01
LAN ports available on the edge router. The Ethernet interfaces embedded in the ISR do not support
switched virtual interfaces (SVIs). In addition, EtherChannels, LACP, and PAgP are not supported on
the embedded Ethernet interfaces on the ISR. EtherChanneling and SVIs are supported only on network
module-based Ethernet switches, which plug into ISRs to provide Catalyst switch features.
Incorporating high availability in the design means sacrificing scalability and sacrificing a network
module slot. In the event that a network module-based Ethernet switch is used with the ISR, scalability
is limited to the number of LAN ports available on the network module Ethernet switch.
Additional Services
Because of the inherent Layer 2 and Layer 3 services within the switch, the distribution layer can be used
to deploy additional services. The distribution layer can also help customers migrate to advanced
services without having to redesign the entire branch office network. It is also possible to deploy
appliance devices at the distribution layer if required, and to migrate towards an architecture where these
advanced services are integrated into the distribution switch software images. The distribution layer
provides great flexibility without compromising high availability and scalability.
Some of the areas that can benefit are security and WLAN. Specifically, the following are some of
the services that can be deployed on the distribution switches:
• VRF on the distribution layer switches
• Policy-based routing
• DHCP for IP address management
• Firewall services for the DMZ servers
• DMZ services, including Wide Area File System
• Intrusion detection/prevention
• Wireless LAN management using mini WLSE
• Cisco WLAN Controller
Conclusion
The next generation branch office should be able to add services as the branch office grows. Providing
advanced services requires a baseline architecture onto which these advanced services can be added
without having to re-architect the network. Keeping this in mind, the various architectures discussed in
this document take into consideration the growth, high availability, security, and deployment of
advanced services without having to redesign the network.
In this document, Layer 2 at the access layer is recommended. It is difficult to meet all the requirements
with one single box. The layered architecture provides the required flexibility to meet all the
requirements of the next generation branch office. In some cases, this layered architecture might be
housed in a single box but still provides the required high availability and scalability to meet the branch
office requirements. At the same time, the layered architecture must be easily deployable. With that in
mind, either a topology with no Layer 2 loops can be deployed, or if more control over traffic paths and
failover times is desirable, other architectures can be deployed. With either a loop-free or looped
topology, a layered architecture with Layer 2 at the access provides more flexibility for adding services.
From a security perspective, providing layered security in the branch office is desirable. For example,
Layer 2 security is supported in all Cisco access layer switches, and provides a strong obstacle against
some denial-of-service attacks. Also, users are authenticated and authorized before logging on to the