Routers allow administrators to introduce policies that
control the flow of traffic in the network. Access lists control traffic
flow and provide varied degrees of policy granularity. Through the
implementation of access lists, you can prevent a specific user from
communicating with another user or network, or you can prevent an entire
network from accessing a user or network. You might exercise these
capabilities for security reasons, or you may elect to prevent traffic
from flowing through a segment to protect local bandwidth.
In any case, the management of access lists can be
quite cumbersome. You must develop the access list based on your
company's business and security needs.
In the network example shown in the Figure, filters in the routers
attached to the engineering segment can include access lists that allow
accounting traffic to pass through the engineering segment but never to
reach any engineering device. That does not prevent engineers from
monitoring (capturing) the accounting traffic as it transits their
segment, but it does prevent direct communication between the
engineering and accounting devices. Accounting will not see the
engineering traffic, but engineering can see all the accounting
transit traffic.
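The accounting-through-engineering policy above depends on two properties of a router access list: entries are evaluated top-down and the first match wins, and every list ends with an implicit deny. The following Python model is an added example, not part of the original text or any vendor's implementation; the addresses (accounting 10.10.0.0/24, engineering 10.20.0.0/24, a server segment 10.30.0.0/24) and the placement of the list inbound on the accounting-facing interface are constructed assumptions. It evaluates sample packets against the transit-only list, shows how reversing the two entries silently shadows the deny, and includes a small check that flags entries an earlier entry already covers.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing for this example (not from the original text).
ACCOUNTING = ip_network("10.10.0.0/24")   # accounting user segment
ENGINEERING = ip_network("10.20.0.0/24")  # engineering segment (transit path)
SERVERS = ip_network("10.30.0.0/24")      # reached by accounting via engineering


@dataclass(frozen=True)
class Entry:
    """One access-list entry; a None network means 'any'."""
    action: str                       # "permit" or "deny"
    src: Optional[IPv4Network]
    dst: Optional[IPv4Network]

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst))

    def covers(self, other: "Entry") -> bool:
        """True if every packet matching `other` also matches this entry."""
        def wider(mine, theirs):
            return mine is None or (theirs is not None and theirs.subnet_of(mine))
        return wider(self.src, other.src) and wider(self.dst, other.dst)


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if entry.matches(s, d):
            return entry.action
    return "deny"  # implicit deny at the end of every access list


def shadowed_entries(acl: List[Entry]) -> List[Entry]:
    """Entries that can never match because an earlier entry covers them."""
    return [e for i, e in enumerate(acl) if any(p.covers(e) for p in acl[:i])]


# Hypothetical placement: inbound on the interface facing the accounting segment.
# Accounting may transit engineering, but never reach an engineering host.
TRANSIT_ONLY = [
    Entry("deny", ACCOUNTING, ENGINEERING),   # block accounting -> engineering hosts
    Entry("permit", ACCOUNTING, None),        # allow everything else from accounting
]

# Same two entries in the wrong order: the broad permit is hit first, so the
# deny below it never matches and accounting can talk to engineering devices.
SHADOWED = [
    Entry("permit", ACCOUNTING, None),
    Entry("deny", ACCOUNTING, ENGINEERING),
]

if __name__ == "__main__":
    # Constructed sample flows (accounting host, engineering host, server).
    flows = [("10.10.0.5", "10.30.0.9"),   # accounting -> server, transits engineering
             ("10.10.0.5", "10.20.0.7"),   # accounting -> engineering host
             ("10.20.0.7", "10.10.0.5")]   # engineering -> accounting (implicit deny here)
    for name, acl in (("TRANSIT_ONLY", TRANSIT_ONLY), ("SHADOWED", SHADOWED)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: {evaluate(acl, src, dst)}")
        print(f"{name}: shadowed entries: {shadowed_entries(acl)}")
```

The `shadowed_entries` check is the kind of sanity test worth running whenever an access list is edited: it catches the ordering mistake that turns a deny into a no-op without producing any error on the router.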
VLANs can simplify the network in some cases by
allowing you to keep all accounting users in one VLAN. Then their
traffic does not need to pass through a router to get to peers within
the VLAN. This can simplify your access-list design because you can
treat networks as groups with similar or equal access requirements.