04-24-2012 02:55 PM
I have a design question. Suppose I have two VRFs in my MX routing core. Servers connect to one VRF (South) and the clients connect to the other VRF (North). I have a Layer2 security packet scrubbing box for inspecting traffic between my servers and clients. See the enclosed attached diagram.
Here are my restrictions:
a. I need to interconnect the North and South VRFs with the Layer2 security box physically at one of my two core routers (MX East). I am limited on fiber between my two core routers, so I need to stick to hanging the box off of one of my routers.
b. I also need to have a redundant path, preferably passing through the other core router (MX West). In the event that the Layer2 box dies and/or if the MX East core router dies, unfortunately traffic will not get inspected but I will still have connectivity between the North and South VRFs via the MX West core router.
c. Traffic is forced through the Layer2 box using dynamic routing protocols (I'd like to stay away from statics if I can). I would like to stick with IS-IS, but I could use BGP if needed for filtering purposes. I need to be careful not to introduce a routing loop between the two VRFs. The redundant link on MX West needs to be properly weighted such that it is completely passive except in the event that there is a failure at MX East and/or the Layer2 box.
d. I have an MPLS infrastructure available in the core, so I could build a VPLS, L2 VPN, or L3 VPN if it would help. But I do want to keep things as simple as I can.
How would you put together such a design? How would you implement the routing protocols between the VRFs? Would you use a logical tunnel at MX West to form the backup connection between the two VRFs? If you use vrf-import and vrf-export of routes (with auto-export) between the VRFs instead of a logical tunnel, how would you properly weight the routing information?
College of William and Mary
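One way to build the backup interconnect the post asks about, written here as an added example rather than the poster's own configuration or anything from Juniper: a Junos-style fragment for MX West that joins the North and South VRFs with a logical-tunnel (lt-) pair and runs IS-IS across it. Every name, address, slot number, route-distinguisher, route-target and NET below is a constructed placeholder, and the exact statement locations should be checked against the Junos release in use.

```junos
/* Added example (not from the original post). MX West only: the lt- pair is the
 * uninspected standby path between the two VRFs. On MX East the same VRFs face the
 * Layer2 box on physical interfaces with the default IS-IS metric, so that path wins
 * whenever it is up. All identifiers here are assumed placeholders. */
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services {        /* lt- interfaces need tunnel services on the PIC */
                bandwidth 1g;
            }
        }
    }
}
interfaces {
    lt-0/0/0 {
        unit 1 {                     /* North side of the tunnel pair */
            encapsulation ethernet;
            peer-unit 2;
            family inet { address 10.255.0.1/30; }   /* placeholder link net */
            family iso;
        }
        unit 2 {                     /* South side of the tunnel pair */
            encapsulation ethernet;
            peer-unit 1;
            family inet { address 10.255.0.2/30; }
            family iso;
        }
    }
    lo0 {
        unit 1 { family iso { address 49.0001.0000.0000.0011.00; } }  /* North NET */
        unit 2 { family iso { address 49.0001.0000.0000.0012.00; } }  /* South NET */
    }
}
routing-instances {
    North {
        instance-type vrf;
        interface lt-0/0/0.1;
        interface lo0.1;
        route-distinguisher 65000:101;        /* placeholder RD */
        vrf-target target:65000:101;          /* placeholder RT, same on MX East */
        vrf-table-label;
        protocols {
            isis {
                /* IS-IS L2 internal routes default to preference 18, which beats the
                 * BGP L3VPN routes (170) that carry the inspected path from MX East.
                 * Raising the preference above 170 keeps the lt- path passive until
                 * the VPN route is withdrawn. */
                level 2 preference 200;
                interface lt-0/0/0.1 { level 2 metric 1000; }  /* high metric vs. box path */
                interface lo0.1 { passive; }
            }
        }
    }
    South {
        instance-type vrf;
        interface lt-0/0/0.2;
        interface lo0.2;
        route-distinguisher 65000:102;
        vrf-target target:65000:102;
        vrf-table-label;
        protocols {
            isis {
                level 2 preference 200;
                interface lt-0/0/0.2 { level 2 metric 1000; }
                interface lo0.2 { passive; }
            }
        }
    }
}
```

Two separate knobs are doing the weighting. The IS-IS metric only matters when a prefix is reachable over IS-IS in more than one way; the route preference is what decides between the IS-IS route over the lt- pair and the BGP L3VPN route learned from MX East, so adjusting the metric alone would leave the lt- path active for anything also learned over the MPLS core. Because only active routes are exported with vrf-target, the lt-learned routes are not re-advertised into the VPN while the MX East path is up, which is what keeps the two VRFs from looping. From a security-operations view, every moment the lt- path carries traffic is a moment nothing is inspected, so the interfaces and IS-IS adjacencies on MX East that face the Layer2 box should be monitored and an alert raised on any state change, and the condition reviewed after the fact.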