We manage a campus MPLS network comprised of Cisco 76xx routers as my "P" devices. Attached to the MPLS core are several PE devices (Cisco 6509 VSS pairs). I have a single VRF named "students" that exists across all my PE devices. Across this "students" VRF I have some addresses that are public and some that are private. When any "students" VRF traffic hits my enterprise edge PE device, I need to policy route this traffic to either (A) the firewall for NAT'ing the private addresses or (B) for public addresses just route directly to the Internet (around the firewalls). My challenge is that this traffic enters the enterprise edge PE via an MPLS interface. Can I put a policy on an MPLS interface for this? This is a production environment so I can't just throw it on and see if it works. I also can't really find any definitive documentation on exactly how to do this.
I appreciate any help with this matter.
Can you perform the NAT at the Edge 6509 PE instead of the firewall? If yes, you can use VRF-aware NAT in this case.
Below is a simple example.
You can use an ACL/route map to match the source addresses to be NATed (which are the private ones in your case).
Hope this helps.
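As an added illustration of the VRF-aware NAT approach suggested above (this is not the replier's own example, which did not survive on the page), the following IOS configuration is a constructed sketch. The VRF name "students" comes from the question; the interface names, RD, address ranges (RFC 1918 private space and the 203.0.113.0/24 documentation prefix standing in for public space), ACL, route-map and pool names are all assumed placeholders. The route-map matches only the private source ranges, so traffic from the VRF's public addresses passes untranslated, which is the split the question asks for.

```cisco
! Assumed VRF definition on the edge PE (name from the question, RD is a placeholder)
ip vrf students
 rd 65000:10
!
! Assumed VRF-facing interface: inside side of the translation
interface GigabitEthernet1/1
 description students VRF facing (placeholder)
 ip vrf forwarding students
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! Assumed Internet-facing interface in the global table: outside side
interface GigabitEthernet1/2
 description Internet facing (placeholder)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Only RFC 1918 sources are selected for translation; public student
! addresses fall through the route-map unmatched and are routed as-is
ip access-list extended STUDENTS-PRIVATE
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map STUDENTS-NAT permit 10
 match ip address STUDENTS-PRIVATE
!
! Placeholder public pool drawn from the documentation prefix
ip nat pool STUDENTS-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
!
! The "vrf students" keyword ties the translation to that VRF's routing table
ip nat inside source route-map STUDENTS-NAT pool STUDENTS-POOL vrf students overload
```

Two things a practitioner would check before relying on this: the pool addresses must be routed back toward the PE from the Internet side, and the platform must actually support VRF-aware NAT on the line card in use (on 6500-class hardware NAT is often software-switched, so the traffic volume matters). A quick `show ip nat translations vrf students` after a controlled test confirms that only private sources appear in the table.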
Unfortunately NAT is not an option on our Edge-PE devices. Corp policy dictates the use of the firewalls for NAT in this case. Besides, we really do not wish to perform NAT on our PE devices.