On Tue, 2011-09-27 at 03:54 -0700, Derick Winkworth wrote:
> We have to deal with many different audit/compliance agencies each
> with their own guidelines. One of their guidelines is that security
> zones should reside on physically separate switches. However, in an
> MPLS-based environment they allow for VRF/VSI separation on the
> same physical device. The reason is that each instance has its own
> RIB and its own FIB structures. At least, this is what I've heard now
> from multiple auditors over the last 6 or 7 years while working for
> different companies.
For what it's worth, we once saw (several times) a bug in Cisco 3550 switches running VRF Lite where traffic would cross VRFs, and sometimes end up in global routing. I can't remember the specific bug, but I think it was on 12.2(25)SEEx of some kind.

IMO compliance testing should stay away from focusing on some specific implementation, and instead concentrate on whether the technology is doing what it's supposed to do. So MPLS is okay, what about SDH/TDM? What about VLANs?

I can see why they want to assess each and every new technology when they're paid for exactly that of course...

--
Peter

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
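Peter's point is that an audit should check whether the separation actually holds rather than which box implements it. One concrete check for the VRF leak he describes is to compare each VRF's routing table against the address plan for its security zone and flag any prefix that belongs to another zone. The script below is an added example, not code from the thread or from any vendor; the route-table text and the zone plan are constructed samples in an IOS-like layout, and the `global`/`PCI`/`CORP` names are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed route lines as "show ip route" / "show ip route vrf <name>"
# might print them. Hypothetical data, not output from any real device.
ROUTE_TABLES: Dict[str, str] = {
    "global": """
Gateway of last resort is 192.0.2.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.0.2.1
C        192.0.2.0/24 is directly connected, GigabitEthernet0/0
B        10.20.5.0/24 [200/0] via 192.0.2.2, 00:01:00
""",
    "PCI": """
C        10.10.1.0/24 is directly connected, Vlan10
B        10.10.2.0/24 [200/0] via 10.255.0.2, 00:03:12
""",
    "CORP": """
C        10.20.1.0/24 is directly connected, Vlan20
B        10.20.5.0/24 [200/0] via 10.255.0.3, 00:02:40
B        10.10.2.0/24 [200/0] via 10.255.0.2, 00:00:30
""",
}

# Constructed address plan: the aggregate each security zone (VRF) is allowed to carry.
ZONE_PLAN: Dict[str, List[str]] = {
    "global": ["192.0.2.0/24"],
    "PCI": ["10.10.0.0/16"],
    "CORP": ["10.20.0.0/16"],
}

# Matches the destination prefix at the start of a route line; next-hop addresses
# carry no "/len" so they are not picked up.
PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def parse_prefixes(table_text: str) -> List[ipaddress.IPv4Network]:
    """Return every destination prefix found in a route-table dump, in order."""
    prefixes = []
    for line in table_text.splitlines():
        m = PREFIX_RE.search(line)
        if m:
            # strict=False tolerates a prefix printed with host bits set
            prefixes.append(ipaddress.ip_network(m.group(1), strict=False))
    return prefixes


def owner_zone(prefix: ipaddress.IPv4Network, plan: Dict[str, List[str]]) -> str:
    """Name the zone whose allocation covers the prefix, or '' if none does."""
    for zone, allocations in plan.items():
        for alloc in allocations:
            if prefix.subnet_of(ipaddress.ip_network(alloc)):
                return zone
    return ""


def find_leaks(tables: Dict[str, str], plan: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Report (vrf, prefix, owning_zone) for each route that sits in a VRF other than its owner.

    A default route or any prefix outside the plan has no owner and is not reported;
    the check only catches zone-private address space showing up in the wrong table.
    """
    leaks = []
    for vrf, text in tables.items():
        for prefix in parse_prefixes(text):
            owner = owner_zone(prefix, plan)
            if owner and owner != vrf:
                leaks.append((vrf, str(prefix), owner))
    return leaks


if __name__ == "__main__":
    for vrf, prefix, owner in find_leaks(ROUTE_TABLES, ZONE_PLAN):
        print(f"LEAK: {prefix} ({owner} space) present in VRF '{vrf}'")
```

Against the sample data the script flags two leaks: a CORP prefix that has appeared in the global table, and a PCI prefix that has reached the CORP VRF. Run periodically from a collector with real `show ip route vrf` output substituted for the constructed tables, it turns the "each instance has its own RIB" claim into something an auditor can verify on the device rather than take on trust.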
