Core Layer Policies; Distribution Layer Policies - Cisco RJ-45-to-AUX Brochure


Figure 13.1: A short list of various switches overlapping into different areas of the policy layers.

Core Layer Policies

Implementing security policies at the Core layer, also known as the backbone, increases the time that
elapses between when a device requests access to the network and when it is allowed to transmit, because
of the amount of processing that is done on the switch. The job of the Core layer is to pass traffic as
quickly as possible. Policies should be applied at the Access and Distribution layers before the data reaches
this level. The Core layer should rely on the other two layers to provide filtering and security policies.

Note: According to Cisco, the only policies at the Core layer should relate to Quality of Service
(QoS)—features that allow for lower processing on the switch processor. This allows for a guarantee of
a particular level of service for a given connection. Limiting policies this way will aid in congestion
management and congestion avoidance.

Distribution Layer Policies

The Distribution layer is the primary layer for implementing security access policies. Implementation at this
layer can be as simple as applying policy blocking to workgroups, or as complex as defining which paths
different types of data should take through the network. The Distribution layer is also responsible for
advertising correct routes, blocking identified traffic, and limiting the amount of data sent to the Core layer.

Note: When you configure route summarization and distribution lists at the Distribution layer, they may have
an adverse effect on the Core layer—mainly in the form of increased latency. Be sure you have a firm
understanding of what you want to accomplish when configuring these policies.

As the demarcation point between the Access and Core layers, the Distribution layer is the perfect location in
the network to administer most of your policies. At this layer, you will define which resources and routes are
to be sent to the Core layer, as well as what traffic should be allowed in or out of a switch block.

A good policy at this layer ensures that no unnecessary traffic or incorrect routes will be advertised to the
Core layer. A good Distribution layer policy should define the following:

• User traffic that can span different VLANs—This policy can be defined by applying access lists to
  identified interfaces to permit or deny certain data traffic.
• Routes that should be seen by the core switch block—These can be defined by applying distribution
  lists, which are another form of access lists.
• Services that will ultimately be advertised to the rest of the network—These services include the
  Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP).

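The first two items above, sketched as Cisco IOS configuration. This is an added example, not configuration from the brochure; the addresses, VLAN numbers, ACL name and number, interface names, and the choice of EIGRP with AS 100 are all assumptions.

```cisco
! Constructed example: every address, VLAN, ACL name/number, interface
! and the EIGRP AS number below is an assumption for illustration.
!
! 1. User traffic that can span VLANs: extended access list on the
!    VLAN 10 routed interface, evaluated top-down, first match wins.
ip access-list extended VLAN10-IN
 remark DNS to the resolver in the server VLAN
 permit udp 10.1.10.0 0.0.0.255 host 10.1.100.10 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.10 eq domain
 remark DHCP client broadcasts, relayed by the helper address below
 permit udp any eq bootpc any eq bootps
 remark HTTPS to the server VLAN is the only other cross-VLAN service
 permit tcp 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255 eq 443
 remark Everything else toward VLAN 20 or the server VLAN is dropped
 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 deny ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255 log
 remark Remaining traffic may leave the switch block
 permit ip 10.1.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.11
 ip access-group VLAN10-IN in
!
! 2. Routes seen by the core: a standard access list used as a
!    distribution list on the uplink. The lab subnet is withheld,
!    the other subnets of this block are advertised, and the implicit
!    deny at the end keeps any other route away from the core.
access-list 10 remark Routes this switch block may advertise
access-list 10 deny   10.1.99.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.255.255
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 distribute-list 10 out GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Uplink to core
```

The access list on Vlan10 is applied inbound, so it filters traffic as it enters the Distribution switch from the users, before any routing toward the core takes place.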
In this section, we will cover the following issues relating to the Distribution layer of the network:

• Access lists
• Managing virtual terminal access