01-02-2007 01:41 AM
Hi guys:
We are about to implement VRF-lite on our 6509 switch. Currently the 6509 switch connects to several branches via ATM OC3 links. We want to separate each branch office's traffic with the VRF-lite function. Additionally, each branch office will be subject to a different firewall policy. We thought about attaching an external firewall to the 6509 with dot1q encapsulation. Will this solution work? Appreciate any help. Thanks.
01-02-2007 09:33 AM
Why not use a firewall service module in the 6500? It's a high-performance firewall, and providing you purchase the correct number of context licenses for the number of virtual firewalls (offices?) you intend to have, it will work nicely. You can create a separate virtual firewall for each office. The virtual firewall is a PIX within a PIX. There is one admin context used to define the VLANs associated with each firewall instance.
On each VLAN layer 3 interface "behind" the firewall you can define the VRF. I think this will allow you to avoid an external firewall and provide top-notch security.
Joe
01-02-2007 10:54 AM
Yes, it will work using an external firewall or, for that matter, an internal FWSM.
As in both cases, the FW is not VRF aware, and the interfaces are treated as any other inside/outside interface.
HTH-Cheers,
Swaroop
01-02-2007 05:16 PM
Hi, is it OK that I only have a multi-VRF CE without a PE and P router in this case? Thanks for the help.
Regards
Alex