I am deploying a partner connectivity model in Equinix using their 'Network Edge' all virtualized offering. I expect to use this as my primary WAN connectivity to multiple partners/providers. I need each partner to be able to talk to my internal resources, but not each other. Reminds me a bit of a Service Provider model. The problem I'm running into is how to get traffic through the 8000v router (their only autonomous offering) to our Checkpoint firewall. I would use the firewall to terminate WAN circuits, but it doesn't have enough interfaces.
Partner connection > Cisco 8000v router > Checkpoint firewall > Cisco 8000v router (same router) > on-prem (internal)
The only option I have currently is to terminate each partner into a VRF, then send it into the firewall on a dot1q tagged sub-interface. Checkpoint is not VRF-aware, so the only thing stopping partner-to-partner traffic is policy. So if you look at the global routing table, you'll see all VRF routes pointing to the 'internal' interface of the firewall.
I would prefer a way to get L2 from the partner circuit to the firewall. I've tried simply encapsulating the router ports with dot1q tags as a passthrough and having the circuit's L3 peer be the firewall, but I can't get that to work; L2 doesn't pass through the router. I've considered something like a GRE tunnel, but I'm not sure that would be worth the additional complexity.
Open to suggestions here.
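The VRF-per-partner design described in the post, written out as an added IOS-XE example for the 8000v (not the poster's configuration, and not Cisco's or Equinix's); interface names, VRF names, VLAN IDs and addresses are assumptions. The point is that with no route leaking between VRFs, the firewall's dot1q sub-interfaces are the only path between partners, so the firewall policy is the single enforcement point and each partner lands on its own interface/zone.

```cisco
! Added example (not the poster's config): one VRF per partner on the
! 8000v, each handed to the firewall on its own dot1q sub-interface.
! VRF names, VLAN IDs, interfaces and addresses are assumptions.
vrf definition PARTNER_A
 address-family ipv4
 exit-address-family
!
vrf definition PARTNER_B
 address-family ipv4
 exit-address-family
!
! Partner circuits terminate inside their own VRF.
interface GigabitEthernet2
 description Partner A circuit
 vrf forwarding PARTNER_A
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet3
 description Partner B circuit
 vrf forwarding PARTNER_B
 ip address 198.51.100.6 255.255.255.252
!
! One tagged sub-interface per partner toward the firewall's outside side.
interface GigabitEthernet4.101
 encapsulation dot1Q 101
 vrf forwarding PARTNER_A
 ip address 10.101.0.1 255.255.255.0
!
interface GigabitEthernet4.102
 encapsulation dot1Q 102
 vrf forwarding PARTNER_B
 ip address 10.102.0.1 255.255.255.0
!
! Firewall inside leg stays in the global table with on-prem.
interface GigabitEthernet4.200
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.255.0
!
! Each VRF knows only its partner prefix (via the circuit) and a default
! toward the firewall; nothing is leaked between VRFs.
ip route vrf PARTNER_A 203.0.113.0 255.255.255.128 198.51.100.1
ip route vrf PARTNER_A 0.0.0.0 0.0.0.0 10.101.0.2
ip route vrf PARTNER_B 203.0.113.128 255.255.255.128 198.51.100.5
ip route vrf PARTNER_B 0.0.0.0 0.0.0.0 10.102.0.2
! Global table: return traffic for partner prefixes goes to the firewall.
ip route 203.0.113.0 255.255.255.128 10.200.0.2
ip route 203.0.113.128 255.255.255.128 10.200.0.2
```

Checking `show ip route vrf PARTNER_A` should show only the partner prefix and the default via 10.101.0.2; if a PARTNER_B prefix ever appears there, the firewall is being bypassed.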