Most of the access control policy is implemented at the distribution layer. This layer is responsible for ensuring that data stays in the switch block unless that data is specifically permitted outside of the switch block. It is also responsible for sending the correct routing and service information to the core.
A good policy at the distribution layer ensures that the core block or the WAN blocks are not burdened with traffic that has not been explicitly permitted. A distribution layer policy also protects the core and the other switch blocks from receiving incorrect information, such as incorrect routes, that may harm the rest of the network.
Access control at the distribution layer falls into three different categories:
• Defining which user traffic makes it between VLANs and thus ultimately to the core. This control can be done in the form of an access list applied to an interface to permit only certain data to pass through.
• Defining which routes are seen by the core block and the switch block. This control can be done through the use of distribution lists to prevent routes from being advertised to the core.
• Defining which services the switch block will advertise out to the rest of the network. Service control could also be used to define how the network finds the server-aggregation block in order to get services like Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).
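The three categories above, shown as an added Cisco IOS configuration example that is not part of the original text. All addresses, VLAN numbers, ACL names, the EIGRP autonomous system number and the uplink interface are assumed values chosen for illustration.

```cisco
! Constructed topology (assumptions, not from the original text):
!   VLAN 10 users          10.1.10.0/24
!   VLAN 99 lab (local)    10.1.99.0/24, must stay inside the switch block
!   Server-aggregation     10.100.1.0/24 (DNS 10.100.1.53, DHCP 10.100.1.67)
!   Uplink to core         GigabitEthernet1/0/1
!
! 1. User traffic: only explicitly permitted flows leave VLAN 10.
ip access-list extended VLAN10-IN
 remark DHCP discover/request from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark DNS and HTTPS to the server-aggregation block only
 permit udp 10.1.10.0 0.0.0.255 host 10.100.1.53 eq domain
 permit tcp 10.1.10.0 0.0.0.255 10.100.1.0 0.0.0.255 eq 443
 remark Everything else, including traffic to other VLANs, is dropped and logged
 deny   ip any any log
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ! 3. Services: relay DHCP broadcasts to the server-aggregation block
 ip helper-address 10.100.1.67
!
! 2. Routes: keep the lab subnet from being advertised to the core.
access-list 10 deny   10.1.99.0 0.0.0.255
access-list 10 permit any
!
router eigrp 100
 network 10.0.0.0
 distribute-list 10 out GigabitEthernet1/0/1
```

The `log` keyword on the final deny gives a record of what the policy drops, which is useful when checking that only the intended traffic is reaching the core.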