Below is a rather lengthy description of my VRF issue on the 6500 platform. The background is needed to make the situation (and the problem) clear.
I have 2 * 6509 chassis, interconnected with a 10Gbps backbone. In both chassis is an FWSM. The FWSMs are configured in Failover (Active-Active). Some contexts are routed, some are transparent.
The outside interface of a context is connected to both routers (sup720 in 6500). I use HSRP, because the FWSMs do not support OSPF (not good enough, anyway).
For failover, all interfaces on the context are connected to both FWSMs. For this, 1Gbps links are used.
This setup works, but has a big disadvantage.
Assume the Left FWSM is active, and HSRP is active on the Left sup720 (same chassis). Traffic will flow from the customer, to the left FWSM, to the left sup720, and is routed to the destination. So far, so good.
If the destination is reachable through the left sup720, the packet is delivered, and the response will travel the same path in the opposite direction.
If the destination is reachable over the Right sup720, the packet is forwarded over the 10Gbps link, and delivered.
The response will return to the Right sup720, but the OUTside interface of the firewall (the Left FWSM is active!) is directly connected to the Right sup720 too! The packet will use this link (which is 1Gbps) to reach the Left FWSM.
Not only is this asymmetric routing (more difficult to troubleshoot), but there is also a bandwidth issue.
Unlike static routes, directly connected routes cannot be made 'floating'. The trick is to change the directly connected link into a static route. This can be done with a VRF.
In the lab, I used 2*4506 to test this.
The relevant config would be:

ip vrf FO312
 description *** Connected to customer ***
!
! customer-facing interface (Gig1/1 is taken from the floating static below)
interface GigabitEthernet1/1
 ip vrf forwarding FO312
 ip address aa.bb.cc.dd 255.255.255.0
 standby version 2
 standby 312 ip
!
! anchor interface for the VRF (interface name not given in the post)
interface <anchor-interface>
 description *** Anchorpoint for VRF ***
 ip vrf select source
 ip vrf receive FO312
 ip address 10.3.3.3 255.255.255.0
!
! VRF default points at the anchor address; global table only has a floating static (AD 200)
ip route vrf FO312 0.0.0.0 0.0.0.0 10.3.3.3
ip route aa.bb.cc.dd 255.255.255.0 Gig1/1 200
!
router ospf 1
This works as expected on the 4500 platform. In the global routing table, the customer network is a floating static. When the Left router works as expected, the customer network is in OSPF, and will override the static. All traffic to the customer will go through the Left router, is forwarded to the Left firewall and reaches its destination.
When the Left Firewall or router fails or link to the customer fails, the route disappears from OSPF, and the static will become visible. Traffic is now routed over the Right router and firewall (Firewall switches over through FailOver).
On the 6500 platform, with Sup720 with IOS 12.2(18)SXF10, the interface commands

 ip vrf select source
 ip vrf receive [VRFname]

are not available.
I can isolate the interface from the global routing table, but I cannot re-establish an IP connection within the same device.

 ip route vrf FO312 0.0.0.0 0.0.0.0 10.3.3.3 global

This is refused because the IP address is not a next hop (it is this router). Without the 'global' keyword it is accepted, but the target is not in the VRF's routing table, and is thus unreachable.
I cannot route to an interface, because VRF routes can only point to point-to-point interfaces or next-hop IP-addresses.
I considered a Tunnel interface, but this solution should be implemented for multiple contexts, and makes the setup quite complicated.
The other router as next-hop is also a bad choice, because this hop will disappear when the other router fails, and this is all about redundancy.
As you can read, I tried different approaches, but I'm a bit stuck here.
Can anyone help?
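As an added example (not from the original post), a small Python model of administrative-distance route selection on the Right sup720: it shows why a directly connected outside subnet (AD 0) always beats the OSPF route and forces the reply over the 1Gbps FWSM link, and why hiding that subnet in the VRF so that the global table only holds the AD 200 floating static lets OSPF win while the Left side is up and the static take over when it fails. The "connected"/"vrf" labels, the next-hop names and the placeholder prefix are assumptions; AD values 0 and 110 are the IOS defaults, 200 is the value from the post.

```python
from dataclasses import dataclass

# Constructed placeholder: the post masks the customer subnet as aa.bb.cc.dd
CUSTOMER = "aa.bb.cc.0/24"
AD_CONNECTED, AD_OSPF, AD_FLOATING_STATIC = 0, 110, 200   # 200 as in the post

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str     # "connected", "static" or "ospf"
    next_hop: str   # where the Right sup720 would send the packet
    distance: int   # administrative distance; lowest wins

def best_route(rib, prefix):
    """IOS-style selection: for equal prefixes the lowest AD gets installed."""
    cands = [r for r in rib if r.prefix == prefix]
    return min(cands, key=lambda r: r.distance) if cands else None

def right_sup720_rib(design, left_side_up):
    """Global RIB of the Right sup720 for the two designs discussed in the post."""
    rib = []
    if design == "connected":
        # Outside subnet sits directly on the Right router's 1G FWSM link.
        rib.append(Route(CUSTOMER, "connected", "1G link to FWSM", AD_CONNECTED))
    elif design == "vrf":
        # Subnet is hidden inside VRF FO312; the global table only sees the
        # floating static pointing at that same 1G interface.
        rib.append(Route(CUSTOMER, "static", "1G link to FWSM", AD_FLOATING_STATIC))
    else:
        raise ValueError(design)
    if left_side_up:
        # Left sup720 advertises the customer network over the 10G backbone.
        rib.append(Route(CUSTOMER, "ospf", "10G backbone to Left sup720", AD_OSPF))
    return rib

def return_path_egress(design, left_side_up=True):
    """Link the Right sup720 uses for a reply heading back to the customer."""
    return best_route(right_sup720_rib(design, left_side_up), CUSTOMER).next_hop

def is_asymmetric(design, left_side_up=True):
    """While the Left side is up, forward traffic enters via Left FWSM/sup720,
    so the reply is symmetric only if it goes back over the backbone."""
    if not left_side_up:
        return False   # FWSM failover moved the active context to the Right side
    return return_path_egress(design, left_side_up) != "10G backbone to Left sup720"

if __name__ == "__main__":
    for design in ("connected", "vrf"):
        for up in (True, False):
            print(design, "left up" if up else "left down", return_path_egress(design, up),
                  "asymmetric" if is_asymmetric(design, up) else "symmetric")
```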