Hi - Please can anyone confirm if the following MPLS scenario is feasible.
I wish to have a number of sites (each in a different VRF) managed via a Firewall at a central site.
The proposal is for the central site CE to have each VRF passed to it via subinterfaces from the PE (no Multi-VRF CE implementation available). Each VRF is then offloaded to a second LAN interface where an external Firewall is attached which will restrict which remote sites can see who.
If the above scenario is possible, are there any documents/design guidelines anywhere which show how the VRFs can be mapped to the Firewall, i.e. dot1q trunk from the CE?
Thanks in advance.