Distribution Layer Policy
The distribution layer is the place to implement most of your policies
for the network. Here, you can exercise considerable flexibility in defining
network operation. There are several items that generally should be taken
care of at the distribution layer:
- Implementation of tools such as access lists, packet filtering, and
  queuing
- Implementation of security and network policies, including address
  translation and firewalls
- Redistribution between routing protocols, including static routing
- Routing between VLANs and other workgroup support functions
- Broadcast and multicast domain definition
Things to avoid at the distribution layer are limited to those functions that
belong exclusively to one of the other layers. The best access policies ensure
that the distribution layer does not send excessive data to the core layers or
other switch blocks. Access control at the distribution layer falls into several
different categories:
- Filtering traffic between VLANs and to the core layer. Typically, this
  is provided by an access list.
- Filtering routing protocol updates to the core block. This is provided
  by distribution lists, which are another form of access lists but are
  specific for routing protocols.
Access Lists
Most of the access policies are implemented at the distribution layer with
some type of access list. Access lists are essentially lists of conditions that
control access. They're powerful tools that control access both to and from
network segments. They can filter unwanted packets and be used to implement
security policies. With the right combination of access lists, network
managers will be armed with the power to enforce nearly any access policy
they can invent.
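The two categories of distribution-layer access control described above, modelled as an added example that is not from the original book. It assumes first-match evaluation with a default deny, the behaviour of common router access lists; the VLAN subnets, rule sets and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port

def evaluate(acl, src, dst, proto, dport=None):
    """Traffic filter: the first rule matching the packet decides; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("ip", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

def filter_routes(dist_list, routes):
    """Route-update filter: keep only prefixes whose first matching entry permits."""
    advertised = []
    for route in routes:
        net = ipaddress.ip_network(route)
        for action, prefix in dist_list:
            if net.subnet_of(ipaddress.ip_network(prefix)):
                if action == "permit":
                    advertised.append(route)
                break  # first match wins; no match means the route is dropped
    return advertised

# Constructed sample: VLAN 10 (users) = 10.1.10.0/24, VLAN 20 (servers) = 10.1.20.0/24
VLAN10_IN = [
    Rule("permit", "10.1.10.0/24", "10.1.20.5/32", "tcp", 443),  # one server, HTTPS only
    Rule("deny",   "10.1.10.0/24", "10.1.20.0/24"),              # rest of server VLAN
    Rule("permit", "10.1.10.0/24", "0.0.0.0/0"),                 # everything else via core
]
# Constructed sample: hide a lab subnet from the core, advertise the rest of the block
CORE_DIST_LIST = [("deny", "10.1.99.0/24"), ("permit", "10.1.0.0/16")]
ROUTES = ["10.1.10.0/24", "10.1.20.0/24", "10.1.99.0/24", "192.168.5.0/24"]

if __name__ == "__main__":
    print(evaluate(VLAN10_IN, "10.1.10.7", "10.1.20.9", "tcp", 22))
    print(filter_routes(CORE_DIST_LIST, ROUTES))
```

Rule order matters in this model: moving the broad permit above the deny would open the whole server VLAN to VLAN 10.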
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com