10.3

10.3.2 Policy in the distribution layer

Most of the access control policy will be implemented at the distribution layer. This layer is also responsible for ensuring that data stays in the switch block unless that data is specifically permitted outside of the switch block. This layer is also responsible for sending the correct routing and service information to the core.
A good policy at the distribution layer ensures that the core block or the WAN blocks are not burdened with traffic that has not been explicitly permitted. A distribution-layer policy also protects the core and the other switch blocks from receiving incorrect information, such as incorrect routes, that may harm the rest of the network. Access control at the distribution layer falls into several different categories:
Many of the access-control methods used at the distribution layer rely on the creation of an access control list. As you should know by now, the two types of access lists are standard and extended. Each type of access list is a series of permits and denies based on a set of test criteria. The standard access list allows for a test criterion based on the source address. The extended access list allows for a greater degree of control by checking the source and destination addresses as well as the protocol type and the port number or application type of the packet. A standard access list is easier for the router to process, but an extended access list provides a greater degree of control. Access lists are created for a variety of applications. Access lists can be used for controlling access in the campus network by applying them in various contexts. These include the following:
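The following model, added here as an illustration and not taken from the textbook, shows the evaluation semantics the paragraph describes: entries are tested in order, the first match decides, and a list ends with an implicit deny. It contrasts a standard list, whose only test is the source address, with an extended list that also checks destination, protocol and destination port. Addresses, wildcard masks and the `Entry`/`Packet` classes are constructed for the example; real IOS syntax is not parsed.

```python
"""Toy model of Cisco-style standard and extended ACL evaluation.

Added example (not from the text). Wildcard masks follow the Cisco
convention: a 1 bit means "don't care". The address ranges below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, None for portless protocols


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard mask does NOT cover."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None       # extended-only fields below
    dst_wc: Optional[str] = None
    proto: Optional[str] = None     # "ip" matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if self.dst is None:
            return True             # standard entry: source is the only test
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Walk the list top-down; first match wins; unmatched traffic is denied."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"                   # the implicit deny at the end of every ACL


# Constructed sample lists for a switch block using 10.1.0.0/16, with a
# server block at 10.2.0.0/16 and one HTTPS server at 10.2.0.10.
STANDARD: List[Entry] = [Entry("permit", "10.1.0.0", "0.0.255.255")]

EXTENDED: List[Entry] = [
    Entry("permit", "10.1.0.0", "0.0.255.255", "10.2.0.10", "0.0.0.0", "tcp", 443),
    Entry("deny",   "10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255", "ip"),
    Entry("permit", "10.1.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255", "ip"),
]

# Same entries with the broad permit moved first: the deny can never match.
SHADOWED: List[Entry] = [EXTENDED[2], EXTENDED[0], EXTENDED[1]]

SAMPLE_PACKETS: Dict[str, Packet] = {
    "https_to_server":  Packet("10.1.5.7", "10.2.0.10", "tcp", 443),
    "ssh_to_server":    Packet("10.1.5.7", "10.2.0.10", "tcp", 22),
    "ssh_outside":      Packet("10.1.5.7", "192.0.2.9", "tcp", 22),
    "foreign_source":   Packet("172.16.3.4", "10.2.0.10", "tcp", 443),
}


def compare(acl: List[Entry]) -> Dict[str, str]:
    """Evaluate every sample packet against one list."""
    return {name: evaluate(acl, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("standard", STANDARD), ("extended", EXTENDED), ("shadowed", SHADOWED)):
        print(label, compare(acl))
```

The standard list permits every packet from the 10.1.0.0/16 block, including SSH to the server block, because it can only look at the source. The extended list permits only HTTPS to the one server, drops other traffic into the server block, and lets the rest leave the switch block. The reordered list shows why entry order matters: with the broad permit first, the deny entry is unreachable.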