
i-sid pruning

jeronimo
Contributor III

Hello,

I have a project where we need to add an "external" (outside) and very compliant zone to a fabric.

If possible I simply want to use SPB to interconnect with the existing network, as constructing a redundant interconnect using the overlay is more complicated.

When using all fabric, there is a compliance problem where you would e.g. be able to just add an i-sid from the inside zone to the outside zone. How would I be able to prevent that?

Is it possible to
1) Whitelist (on the outside nodes themselves) what I-SIDs are allowed to be used on what nodes of the external zone (alternatively a blacklist)?
2) Whitelist what I-SIDs are allowed to be used on certain NNIs of the inside zone (notably those connecting to the outside zone), so no matter what is configured in the outside zone, only allowed I-SIDs would have connectivity.

The main worries are
1) Configuration mistakes,
2) Hacking. However, I realize this is purely theoretical: even if things like VLAN hopping were an issue, the fabric approach (like using Flex-UNI) would prevent it, as it would not be able to work across I-SID boundaries.

Thanks.

1 REPLY

Roger_Lapuh
Extreme Employee

You can configure a multi-area boundary setup by using 5520s, for example. With Multi-Area you can define which I-SIDs can pass the area boundary.
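As an added illustration of the two options the question lists (a per-node allowlist on the outside nodes versus a filter on the boundary NNI) and of what an area boundary that passes only selected I-SIDs achieves, here is a vendor-neutral Python model. This is example code added to the thread, not Fabric Engine / Multi-Area configuration and not from either poster; the node names, zone names, I-SID numbers and the `BOUNDARY_ALLOW` set are constructed, and the actual CLI for a Multi-Area boundary is not shown here.

```python
"""Vendor-neutral model of I-SID pruning at a fabric zone boundary.

Added example, not from the original thread and not Fabric Engine CLI.
Node names, zone names and I-SID numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    zone: str          # "inside" or "outside"
    isids: frozenset   # I-SIDs configured (UNI / Flex-UNI) on this node


# Constructed sample fabric: 2001 and 2002 are inside-only services; ext-2
# has mistakenly been given I-SID 2001 (the configuration mistake the
# question worries about).
NODES = (
    Node("core-1", "inside", frozenset({1001, 1002, 2001})),
    Node("core-2", "inside", frozenset({1001, 2001, 2002})),
    Node("ext-1", "outside", frozenset({1001})),
    Node("ext-2", "outside", frozenset({1002, 2001})),
)

# Hypothetical boundary policy: only these I-SIDs may cross inside<->outside.
BOUNDARY_ALLOW = frozenset({1001, 1002})


def isids_in_zone(nodes, zone):
    """Union of I-SIDs configured anywhere in the given zone."""
    return set().union(*(n.isids for n in nodes if n.zone == zone))


def shared_isids(nodes):
    """I-SIDs present in both zones. With plain SPB and no boundary filter,
    every one of these gets end-to-end connectivity, intended or not."""
    return isids_in_zone(nodes, "inside") & isids_in_zone(nodes, "outside")


def leaked_without_filter(nodes, allow):
    """'Do nothing' case: shared I-SIDs the policy never meant to cross."""
    return shared_isids(nodes) - allow


def crossing_with_filter(nodes, allow):
    """Option 2 from the question: a filter on the boundary NNI lets only
    allow-listed I-SIDs through, whatever the outside zone configures."""
    return shared_isids(nodes) & allow


def node_violations(nodes, allow, zone="outside"):
    """Option 1 from the question: a per-node allowlist on the outside nodes.
    Returns {node_name: offending_isids} for nodes that configure an I-SID
    outside the allowlist, so the mistake is caught where it was made."""
    result = {}
    for n in nodes:
        if n.zone != zone:
            continue
        bad = set(n.isids) - allow
        if bad:
            result[n.name] = bad
    return result


def report(nodes=NODES, allow=BOUNDARY_ALLOW):
    """Human-readable summary of the three views above."""
    lines = [
        f"shared I-SIDs (no filter):      {sorted(shared_isids(nodes))}",
        f"would leak without filter:      {sorted(leaked_without_filter(nodes, allow))}",
        f"cross boundary with NNI filter: {sorted(crossing_with_filter(nodes, allow))}",
    ]
    for name, bad in sorted(node_violations(nodes, allow).items()):
        lines.append(f"node {name} violates allowlist: {sorted(bad)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it shows the difference between the two controls: the per-node allowlist only flags `ext-2` after the mistake has been configured, while the boundary filter stops I-SID 2001 from getting connectivity across the zone boundary at all, which is the property the question wants no matter what is configured on the outside nodes.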
