10.3 Policy Configuration
10.3.2 Policy in the distribution layer
Most of the access control policy will be implemented at the distribution layer. This layer is also responsible for ensuring that data stays in the switch block unless that data is specifically permitted outside of the switch block. This layer is also responsible for sending the correct routing and service information to the core.

A good policy at the distribution layer ensures that the core block or the WAN blocks are not burdened with traffic that has not been explicitly permitted. A distribution-layer policy also protects the core and the other switch blocks from receiving incorrect information, such as incorrect routes, that may harm the rest of the network.

Access control at the distribution layer falls into several different categories:

  • Defining which user traffic passes between VLANs and thus ultimately reaches the core - This control takes the form of an access list applied to an interface, which permits only the specified traffic to pass through.
  • Defining which routes are seen by the core block and ultimately by the other switch blocks - This control is done with distribute lists, which prevent selected routes from being advertised to the core.
  • Defining which services the switch block advertises to the rest of the network - Service control can also define how the network reaches the server-aggregation block for services such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).

Many of the access-control methods used at the distribution layer rely on the creation of an access control list. As you should know by now, the two types of access lists are standard and extended. Each type of access list is a series of permit and deny statements evaluated in order against a set of test criteria; the first statement that matches decides the result, and every access list ends with an implicit deny, so traffic that matches no statement is dropped. The standard access list tests only the source address. The extended access list allows a greater degree of control by checking the source and destination addresses as well as the protocol type and the port number or application type of the packet. A standard access list is easier for the router to process, but an extended access list provides a greater degree of control.

Access lists are created for a variety of applications. Access lists can be used for controlling access in the campus network by applying them in various contexts. These include the following:

  • Applying the access list to an interface for traffic management purposes through the protocol access-group command (for IP, ip access-group), where protocol is the Layer 3 protocol being managed. The in or out keyword selects the direction in which the list is evaluated.
  • Applying the access list to a line for security purposes through the access-class command. This determines which source addresses may use a specific line. In this course, the focus is on virtual terminal lines.
  • Managing routing update information through the distribute-list command. This access list determines which routes are learned by the router (distribute-list in) and which routes are advertised by the router (distribute-list out).
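The following is an added example, not part of the original course text, that models how these access lists behave. It implements the first-match and implicit-deny rules for standard and extended lists described above, then applies one list in each of the three contexts just listed: an extended list on the uplink (access-group), a standard list on the vty lines (access-class), and a standard list as a route filter toward the core (distribute-list). The addressing (switch block 10.1.0.0/16 with a management VLAN 10.1.10.0/24, server-aggregation block 10.9.0.0/16 with a DNS server at 10.9.1.53) and the list names are constructed for the example.

```python
"""Model of Cisco-style standard/extended ACL evaluation and the three places a
distribution-layer switch applies one: an interface (access-group), a vty line
(access-class) and a routing update (distribute-list). Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # A set bit in the wildcard mask means "don't care" for that bit.
    care = ~wild & 0xFFFFFFFF
    return addr & care == base & care


@dataclass
class Entry:
    action: str
    src: int
    src_wild: int
    proto: str = "ip"            # extended only: ip, tcp, udp, icmp
    dst: int = 0
    dst_wild: int = 0xFFFFFFFF
    dport: Optional[int] = None  # extended only: 'eq N'


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


class ACL:
    def __init__(self, kind: str, lines: List[str]):
        assert kind in ("standard", "extended")
        self.kind = kind
        self.entries = [self._parse(line) for line in lines]

    def _parse(self, line: str) -> Entry:
        t = line.split()
        if self.kind == "standard":            # 'permit 10.1.10.0 0.0.0.255'
            src, wild, _ = _parse_addr(t, 1)
            return Entry(t[0], src, wild)
        proto = t[1]                           # 'permit udp SRC WILD host DST eq 53'
        src, swild, i = _parse_addr(t, 2)
        dst, dwild, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(t[0], src, swild, proto, dst, dwild, dport)

    def _matches(self, e: Entry, p: Packet) -> bool:
        if not _wild_match(_ip(p.src), e.src, e.src_wild):
            return False
        if self.kind == "standard":            # standard lists look at the source only
            return True
        if e.proto != "ip" and e.proto != p.proto:
            return False
        if not _wild_match(_ip(p.dst), e.dst, e.dst_wild):
            return False
        return e.dport is None or e.dport == p.dport

    def evaluate(self, p: Packet) -> str:
        # First matching entry wins; every list ends with an implicit 'deny any'.
        for e in self.entries:
            if self._matches(e, p):
                return e.action
        return "deny"


def access_group_out(acl: ACL, packets: List[Packet]) -> List[Packet]:
    """'ip access-group NAME out' on the uplink: only permitted packets leave the switch block."""
    return [p for p in packets if acl.evaluate(p) == "permit"]


def access_class_allows(acl: ACL, mgmt_src: str) -> bool:
    """'access-class NAME in' on the vty lines tests the source address of the session."""
    return acl.evaluate(Packet(src=mgmt_src, dst="0.0.0.0")) == "permit"


def distribute_list_out(acl: ACL, routes: List[str]) -> List[str]:
    """'distribute-list NAME out': a standard list is tested against each route's network
    address; the prefix length is not examined (a prefix list is needed for that)."""
    return [r for r in routes
            if acl.evaluate(Packet(src=str(ipaddress.ip_network(r).network_address),
                                   dst="0.0.0.0")) == "permit"]


# Constructed lists for one switch block: DNS and HTTPS to the server block may leave,
# only the management VLAN may reach the vty lines, only the block's own prefixes go to the core.
UPLINK_OUT = ACL("extended", [
    "permit udp 10.1.0.0 0.0.255.255 host 10.9.1.53 eq 53",
    "permit tcp 10.1.0.0 0.0.255.255 10.9.0.0 0.0.255.255 eq 443",
])
VTY_ACCESS = ACL("standard", ["deny host 10.1.10.99", "permit 10.1.10.0 0.0.0.255"])
ROUTES_TO_CORE = ACL("standard", ["permit 10.1.0.0 0.0.255.255"])

if __name__ == "__main__":
    print(UPLINK_OUT.evaluate(Packet("10.1.20.7", "10.9.1.53", "udp", 53)))
    print(access_class_allows(VTY_ACCESS, "10.1.20.5"))
    print(distribute_list_out(ROUTES_TO_CORE, ["10.1.10.0/24", "192.168.50.0/24"]))
```

The route filter shows the caveat behind the second bullet: a standard list used with distribute-list matches on the network address only, so a bogus 192.168.50.0/24 learned inside the block is withheld from the core, but a more specific 10.1.10.128/25 would still be advertised because the list never sees the prefix length.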