Section 12.4: Distribution Layer Policy
Most of the access control policy is implemented at the distribution layer. This layer is also responsible for ensuring that data stays within the switch block unless it is specifically permitted to leave the switch block, and for sending the correct routing and service information to the core. Policy at the distribution layer ensures that the core block and the WAN blocks are not burdened with traffic that has not been explicitly permitted. A distribution layer policy also protects the core and the other switch blocks from receiving incorrect information, such as incorrect routes, that could harm the rest of the network. Access control at the distribution layer falls into three categories: defining which user traffic passes between VLANs and ultimately to the core; defining which routes the core block and the switch block see; and defining which services the switch block advertises to the rest of the network.
12.4.1: Filtering Traffic at the Distribution Layer
Many of the access control methods used at the distribution layer rely on the creation of an access control list. Two types of IP access lists are available: standard and extended. Both types are a series of permit and deny statements evaluated against a set of test criteria. However, a standard access list can test only the source address, while an extended access list provides a greater degree of control by checking the source and destination addresses as well as the protocol type and the port number or application type of the packet. A standard access list is easier for the router to process; an extended access list, however, provides a greater degree of control.
Access lists are created for a variety of applications and can be used to control access in the campus network by applying them in different capacities. These include: applying the access list to an interface for traffic management through the protocol access-group command (where protocol is the routed protocol being filtered); applying the access list to a line for security purposes through the access-class command; managing routing update information through the distribute-list command; and managing services update information to determine which services are advertised.
12.4.2: Controlling Routing Update Traffic
Controlling the routing table of the core block has three advantages: it reduces the size of the routing table at the core block, allowing the core to process packets faster; it prevents users from reaching networks that have not been advertised, unless they have a static or default route to get there; and it prevents incorrect information from propagating through the core block.
There are two methods available for controlling the routing information that is sent to the core block:
• Route summarization. Depending on which routing protocol is used, a summarized entry of all the available routes of the switch block can be sent from the distribution layer to the core.
• Distribution lists. A distribution list can be used to indicate what routes the distribution layer can advertise to the core, or conversely, what the core can accept from the switch block.
12.4.3: Configuring Route Filtering
The basic method for configuring route filtering is the distribute-list command. This method is used in large routed networks but can also be used on Route Switch Modules (RSMs) in a large switched network. The syntax for configuring route filtering for inbound routing updates is:
R1(config-router)# distribute-list {access_list_number | name} in [type number]
Similarly, the syntax for configuring route filtering for outbound routing updates is:
R1(config-router)# distribute-list {access_list_number | name} out [interface_name | routing_process | autonomous_system_number]
The arguments for this command are:
• access_list_number, which specifies the number of the previously created standard access list.
• in | out, which defines the filtering on either incoming routing updates or outgoing routing updates.
• interface_name, which specifies the name of the interface.
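The following is an added, constructed IOS configuration (not from the original text) that puts the outbound and inbound forms of distribute-list together: the distribution-layer RSM advertises only its summary toward the core, and the core router accepts only that summary back. Assumed values: EIGRP AS 100, switch block prefix 10.1.0.0/16, router names Dist1 and Core1, and the interface names shown.

```cisco
! ---- Dist1 (distribution-layer RSM, assumed name) ----
! Standard ACL 10 names the only route the switch block may advertise
! to the core: the 10.1.0.0/16 summary. The "deny any" is implicit at
! the end of every access list; it is written out here for readability.
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 deny any
!
router eigrp 100
 network 10.0.0.0
 ! Outbound filter on the core-facing interface (assumed FastEthernet0/1):
 ! only prefixes permitted by ACL 10 are sent toward the core.
 distribute-list 10 out FastEthernet0/1
!
! ---- Core1 (core block router, assumed name) ----
! Mirror-image inbound filter: even if Dist1 is misconfigured, the core
! accepts nothing from this switch block except its 10.1.0.0/16 summary,
! so a stray default route or another block's prefix is never installed.
access-list 20 permit 10.1.0.0 0.0.255.255
access-list 20 deny any
!
router eigrp 100
 network 10.0.0.0
 ! Inbound filter on the interface facing Dist1 (assumed FastEthernet0/0).
 distribute-list 20 in FastEthernet0/0
!
! Verification on either router (standard IOS show commands):
!   show ip protocols    - lists the incoming/outgoing update filter
!                          lists in effect per interface
!   show ip route eigrp  - on Core1, only 10.1.0.0/16 should be learned
!                          from Dist1 once the filters are applied
```

The outbound filter on Dist1 is the policy; the inbound filter on Core1 is the safeguard that holds even when the policy on the switch block side is wrong.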