I have a typical dual FW-pair DMZ, with dual-homed servers on different Pvlans.
Now, when I want to send traffic to the inside FW (a 6509 FWSM), we use two 4948s with static routes pointing to the FWSM virtual DMZ interface. The 4948s have L3-interface uplinks connected to L2 links on the 720. However, if one 4948 link goes down, it has no alternate route to the FWSM, because the static route stays up in certain up/down situations. To remedy this, we utilized HSRP object tracking to force all the servers to the other 4948 if one loses its uplink. However, I was trying to set up something more efficient and hopefully more reliable, with load balancing.
So, I'm trying to set up a L3 DMZ without having the FWSM run OSPF (I could do that, but I want to exhaust all other possible options first... as I want to segregate the routing and security). That leaves me with static routes (and the problem I described above -- unless there is some way to use floating static routes to link the 4948s... like the possibility of using EOT to monitor static routes) or with a dynamic routing protocol between the Sup720 and the 4948s (which will soon be upgraded to 4506s with Sup Vs, hence the redesign).
Now if I run EIGRP/OSPF between the 720 and the 4506, all DMZ traffic destined to the inside will bypass the FWSM, because of the global routing table.
I was reading about VRF... and while most of what I read is about GRE tunnels and path segregation via VRF, it sounds possible that I could do the following.
Have a VRF instance on the 720 to peer with the 4506 vlan interface / physical interfaces. This will allow me to load balance traffic to the FWSMs easily. And then, is there a way I can add a static route in that VRF instance that points to the FWSM?
Is this possible at all? To put it simply, I want to just separate the routing table on the 720, one global one, and one teeny one that will only forward traffic to the FWSM. After that, the traffic will exit a different FWSM virtual interface, and be part of the global routing table again, correct?
Either way, possible or not, I appreciate the help... even if it's just getting me back on track!
Thanks so much!
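One way to lay out the VRF-lite design described in the post above, written as an added example that is not part of the original post or anyone's production config. The VRF name, VLAN numbers, addresses, EIGRP AS number and the FWSM module slot are all assumed; only the command syntax (ip vrf, ip vrf forwarding, ip route vrf, address-family ipv4 vrf, firewall vlan-group, firewall multiple-vlan-interfaces) is standard Sup720 IOS. The point of the layout is that the VRF's routing table contains nothing except the EIGRP-learned server subnets from the 4506s and a default route to the FWSM DMZ interface, so DMZ-to-inside traffic has no path that bypasses the FWSM.

```text
! ---- Sup720 / MSFC (assumed addressing; added example, not the poster's config) ----
! Small routing table whose only exit is the FWSM virtual DMZ interface
ip vrf DMZ
 description DMZ transit: 4506 uplinks + FWSM DMZ-side interface only
 rd 65000:1
!
! Hand VLAN 20 (FWSM DMZ side) and VLAN 30 (FWSM inside side) to the FWSM.
! An MSFC SVI on more than one firewall VLAN requires the second command;
! that is exactly why the DMZ-side SVI must live in the VRF and not in global.
firewall vlan-group 1 20,30
firewall module 3 vlan-group 1
firewall multiple-vlan-interfaces
!
interface Vlan10
 description transit to 4506-A L3 uplink (assumed)
 ip vrf forwarding DMZ
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan11
 description transit to 4506-B L3 uplink (assumed)
 ip vrf forwarding DMZ
 ip address 10.10.11.1 255.255.255.252
!
interface Vlan20
 description toward the FWSM virtual DMZ interface (FWSM side is 10.20.20.2, assumed)
 ip vrf forwarding DMZ
 ip address 10.20.20.1 255.255.255.0
!
interface Vlan30
 description FWSM inside interface, stays in the global table (FWSM side 10.30.30.2)
 ip address 10.30.30.1 255.255.255.0
!
! The "teeny" table: inside the VRF everything not learned from the 4506s goes to the FWSM
ip route vrf DMZ 0.0.0.0 0.0.0.0 10.20.20.2
! Global table: reach the DMZ server block (assumed 10.100.0.0/16) only via the FWSM inside interface
ip route 10.100.0.0 255.255.0.0 10.30.30.2
!
! EIGRP only inside the VRF: the 4506s learn the default over both uplinks (load balancing),
! and the 720 learns the server subnets back from them. Explicit metric so the static
! default is accepted for redistribution.
router eigrp 100
 address-family ipv4 vrf DMZ
  autonomous-system 100
  network 10.10.10.0 0.0.0.3
  network 10.10.11.0 0.0.0.3
  redistribute static metric 1000 100 255 1 1500
  no auto-summary
 exit-address-family
!
! ---- FWSM (assumed, single context) ----
! route dmz    10.100.0.0 255.255.0.0 10.20.20.1
! route inside 0.0.0.0    0.0.0.0     10.30.30.1
```

Two checks worth doing once this is in place. First, "show ip route vrf DMZ" should list only the two transit subnets, the EIGRP-learned server subnets and the default via 10.20.20.2; if any inside prefix appears there, something is leaking. Second, do not add "ip route vrf DMZ ... global", a global route with a VRF next hop, or any redistribution between the VRF address family and the global EIGRP/OSPF process: each of those reintroduces the MSFC-routed bypass of the FWSM that the VRF exists to prevent. The return path works as described in the post: traffic leaves the FWSM inside interface into VLAN 30, which is in the global table, and comes back through the FWSM into VLAN 20, where the VRF's EIGRP routes send it to the right 4506.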