I am currently doing some research on a setup for a datacenter. I am attaching what I have in mind for clarity. Basically we will have two ISPs using fiber connectivity and we will use BGP on the ISR to perform dynamic routing between the two ISP connections.
The firewall (ASA) will be terminating multiple IPsec site-to-site VPN tunnels going to multiple clients who will probably have either an ISR router or a small ASA firewall. Up to this point I think it makes sense.
The issue is that I would like to terminate the VPN tunnels from the various clients into different VLANs, which will then go over a trunk to the inside interface of the ASA. I was reading about VRF-Lite and it seems that it is the feature that should be used in such cases; however, I found out that the ASA does not support VRF-Lite.
What are your suggestions on this aspect? Should I trash the ASA idea and terminate the VPNs on the ISR router, using a VRF routing table per client and mapping it to a VLAN? I wanted to use the ASA for VPNs as it is faster than the ISR and is able to support more tunnels at higher throughput.
Is there a better way of implementing this setup perhaps using other devices such as the ASR?
Your help would be greatly appreciated.
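For reference, the "VRF per client on the ISR" alternative raised in the question looks roughly like the following on IOS. This is an added illustration, not a configuration from the poster or from Cisco documentation for this design. All names, VLAN IDs, VRF names, route distinguishers and addresses (RFC 5737 documentation ranges) are hypothetical, and the pre-shared keys are placeholders. Each client gets its own VRF, its VPN is terminated on an IPsec VTI that lives in that VRF, and the VRF is extended over an 802.1Q sub-interface on the trunk towards the ASA inside interface.

```cisco
! Hypothetical example: one VRF per client, VTI-based IPsec, VRF mapped to a VLAN.
! Outer (ISP-facing) addressing stays in the global table; only the tunnel
! interface and the trunk sub-interface are placed in the client VRF.

ip vrf CLIENT_A
 rd 65000:10
ip vrf CLIENT_B
 rd 65000:20

! One keyring per client, keyed on the client's public peer address.
crypto keyring KR_CLIENT_A
 pre-shared-key address 203.0.113.10 key <ClientA-PSK>
crypto keyring KR_CLIENT_B
 pre-shared-key address 203.0.113.20 key <ClientB-PSK>

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14

crypto isakmp profile IKE_CLIENT_A
 keyring KR_CLIENT_A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile IKE_CLIENT_B
 keyring KR_CLIENT_B
 match identity address 203.0.113.20 255.255.255.255

crypto ipsec transform-set TS_AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile IPSEC_CLIENT_A
 set transform-set TS_AES256_SHA256
 set isakmp-profile IKE_CLIENT_A
crypto ipsec profile IPSEC_CLIENT_B
 set transform-set TS_AES256_SHA256
 set isakmp-profile IKE_CLIENT_B

! Tunnel interfaces: the VTI itself sits inside the client VRF.
interface Tunnel10
 description VPN to Client A (inside VRF CLIENT_A)
 ip vrf forwarding CLIENT_A
 ip address 10.255.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_CLIENT_A
interface Tunnel20
 description VPN to Client B (inside VRF CLIENT_B)
 ip vrf forwarding CLIENT_B
 ip address 10.255.20.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_CLIENT_B

! Trunk towards the ASA inside interface: one VLAN sub-interface per VRF.
interface GigabitEthernet0/1
 description Trunk towards ASA inside
 no ip address
interface GigabitEthernet0/1.10
 description VLAN 10 = CLIENT_A
 encapsulation dot1Q 10
 ip vrf forwarding CLIENT_A
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 description VLAN 20 = CLIENT_B
 encapsulation dot1Q 20
 ip vrf forwarding CLIENT_B
 ip address 10.10.20.1 255.255.255.0

! Client-side prefixes are routed per VRF through the matching tunnel.
ip route vrf CLIENT_A 192.168.10.0 255.255.255.0 Tunnel10
ip route vrf CLIENT_B 192.168.10.0 255.255.255.0 Tunnel20
```

Note that the two clients above deliberately use the same remote prefix (192.168.10.0/24) to show that the VRFs keep them apart on the ISR; once the traffic reaches the ASA, which has no VRF, the overlap is no longer isolated by routing, so in practice either the client address space must be unique, or it must be NATed per VRF on the ISR before it crosses the trunk, or the ASA side needs separate security contexts. Also check that the fVRF/iVRF split matches your ISP setup: here the tunnel source is in the global table because the BGP-learned ISP routes live there; if the outside interfaces are moved into their own VRF, the keyrings and tunnels need the corresponding `vrf` / `tunnel vrf` settings.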