[c-nsp] general question on VRFs and FIBs...

Peter Rathlev peter at rathlev.dk
Tue Sep 27 07:26:35 EDT 2011


On Tue, 2011-09-27 at 03:54 -0700, Derick Winkworth wrote:
> We have to deal with many different audit/compliance agencies each
> with their own guidelines. One of their guidelines is that security
> zones should reside on physically separate switches.  However, in an
> MPLS-based environment they allow for VRF/VSI separation on the
> same physical device.  The reason is that each instance has its own
> RIB and its own FIB structures.  At least, this is what I've heard now
> from multiple auditors over the last 6 or 7 years while working for
> different companies.  

For what it's worth we once saw (several times) a bug in Cisco 3550
switches running VRF Lite where traffic would cross VRFs, and sometimes
end up in global routing. I can't remember the specific bug, but I think
it was on 12.2(25)SEEx of some kind.

IMO compliance testing should stay away from focusing on some specific
implementation, and instead concentrate on whether the technology is
doing what it's supposed to do. So MPLS is okay, what about SDH/TDM?
What about VLANs?

I can see why they want to assess each and every new technology when
they're paid for exactly that of course...

-- 
Peter
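Peter's point, that an auditor should test whether the separation actually holds rather than bless a technology by name, suggests a concrete control-plane check: every entry in a VRF's FIB should exit through an interface that belongs to that VRF. The script below is an added example, not code from the thread or from Cisco; it runs offline over constructed, simplified text in the shape of `show ip vrf interfaces` and `show ip cef vrf <name>` output (real column layouts vary, and the planted cross-VRF entry in the BLUE table is there only to exercise the check). It generalises the single symptom Peter describes (VRF traffic ending up in the global table) to any VRF-to-VRF or VRF-to-global crossing visible in the FIB.

```python
"""Flag CEF (FIB) entries whose exit interface belongs to another VRF.

Added example: the sample tables are constructed and simplified, not
captured from a device.  A passing run only shows the control plane is
consistent; a data-plane test (probe traffic per VRF) is still needed.
"""
import re

# Constructed sample in the shape of `show ip vrf interfaces`.
VRF_INTERFACES = """\
Interface              IP-Address      VRF        Protocol
GigabitEthernet0/1     10.1.1.2        RED        up
GigabitEthernet0/2     10.2.2.2        BLUE       up
"""

# Constructed samples in the shape of `show ip cef` (key None = global
# table) and `show ip cef vrf <name>`.  The BLUE table carries one planted
# entry that exits a RED interface, so the check has something to find.
CEF_TABLES = {
    None: """\
Prefix               Next Hop             Interface
0.0.0.0/0            192.0.2.1            GigabitEthernet0/0
192.0.2.0/24         attached             GigabitEthernet0/0
192.0.2.2/32         receive
""",
    "RED": """\
Prefix               Next Hop             Interface
0.0.0.0/0            10.1.1.1             GigabitEthernet0/1
10.1.1.0/24          attached             GigabitEthernet0/1
10.1.1.2/32          receive              GigabitEthernet0/1
""",
    "BLUE": """\
Prefix               Next Hop             Interface
0.0.0.0/0            10.2.2.1             GigabitEthernet0/2
10.2.2.0/24          attached             GigabitEthernet0/2
10.1.1.0/24          attached             GigabitEthernet0/1
""",
}

PREFIX_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")


def parse_vrf_interfaces(text):
    """Map interface name -> VRF name; interfaces absent from the table
    are treated as global by the caller."""
    owner = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("Interface"):
            owner[parts[0]] = parts[2]
    return owner


def parse_cef(text):
    """Yield (prefix, next_hop, interface_or_None) from a CEF table.
    Receive/drop entries may have no interface column."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or not PREFIX_RE.match(parts[0]):
            continue
        iface = parts[2] if len(parts) > 2 else None
        yield parts[0], parts[1], iface


def find_cross_vrf_entries(vrf_ifaces, cef_tables):
    """Return FIB entries whose exit interface is owned by a different VRF
    (or by the global table) than the table they were found in."""
    findings = []
    for vrf, table in cef_tables.items():
        for prefix, next_hop, iface in parse_cef(table):
            if iface is None:               # nothing leaves the box here
                continue
            actual = vrf_ifaces.get(iface)  # None means global table
            if actual != vrf:
                findings.append({
                    "table": vrf or "global",
                    "prefix": prefix,
                    "next_hop": next_hop,
                    "interface": iface,
                    "interface_vrf": actual or "global",
                })
    return findings


if __name__ == "__main__":
    owners = parse_vrf_interfaces(VRF_INTERFACES)
    for f in find_cross_vrf_entries(owners, CEF_TABLES):
        print(f"{f['table']}: {f['prefix']} via {f['interface']} "
              f"(interface belongs to {f['interface_vrf']})")
```

On the constructed input the only hit is the planted BLUE entry for 10.1.1.0/24 leaving through GigabitEthernet0/1, which belongs to RED. Overlapping prefixes between tables are deliberately not flagged, since address reuse across VRFs is legitimate; only the exit interface tells you whether the FIB has actually crossed a boundary.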
