I’ve attached a simple network diagram of my WAN network. We have branch offices that came into our Headquarters using VPN tunnels over the public Internet and then we have a handful of offices that are connected to our headquarters via a private MPLS network. All of this traffic is routed into our Cisco ASA 5510s that we currently use for firewall and core network routing and VPN termination. All branch offices have VPN tunnels to our Cisco ASA.

The Cisco ASA isn’t necessarily designed for core routing even though it was worked decent for us. We’d like to move the core routing off of the Cisco ASA and just use it as an Internet security/DMZ device like it is designed. Hopefully this will help with performance. With that said, we were hoping to purchase one pair (for failover) of the Cisco ISR router to perform our core routing and VPN termination.

So my questions/issues are:

1. Can we eliminate the Cisco 2621 Internet router and use a single, beefy router to handle the Cox MPLS traffic and the Internet traffic on the same router?
   
2. If we had one ISR doing these duties, where would the router sit in our topology?
   
3. Is it safe to bring our Internet Circuit and MPLS circuit into the same router? How about with VRF?
   
4. Do the Cisco ISR 2900/3900 support VRF and can I do VPN tunnels if I do the VRF?
   
5. Is there a more simple way/better way to accomplish what I am wanting?
   

Thanks for all your suggestions!

Lucas