I have a question. I am trying to set up MPLS redundancy using VPN as the failover mechanism through the use of Check Point firewalls. The ISP agreed to let us use 2 internal network interfaces, one that goes into the internal core switch and the other one that goes into the firewall. I am trying to brainstorm an idea of how to do the VPN failover. The problem is the ISP doesn't allow any dynamic routing protocols between our internal core switch and the router. The best that they can do is add a floating static with a higher administrative distance pointing to the firewall interface; that way, if let's say one of the remote MPLS routers dies, the floating static would kick in and traffic would travel across the firewall VPN.

The only thing that I am not so sure of is how the traffic from the remote site where the MPLS router failed will know that it needs to be forwarded to the firewall rather than through the MPLS router. Note, on each core switch I have 2 static routes pointing to the remote site's respective subnets with the next hop of the MPLS router. So if let's say the MPLS router that is serving for example the 10.148.1.x/24 subnet fails, even though the remote routers will know about its failure and will instantly start sending traffic through their firewall (due to the fact that the BGP route will disappear and the floating static will kick in), the core switch will continue sending traffic to the failed MPLS router instead of the firewall! Is there a feature or a mechanism that would prevent such behavior from happening? In our scenario we are using Check Point, but if the Check Point firewall doesn't have such functionality we might have to go towards Juniper NetScreen firewalls. Any suggestions, anyone, on what can be done to allow redundant failover through the VPN when one of the routers dies, bearing in mind that no dynamic protocols are allowed between the MPLS router and the core switch other than the floating static pointing to the firewall?
Maybe I am missing the concept here, but what if I add a default route pointing to the firewall? Since the static routes to the remote sites are already present on the core switch, then when the MPLS router dies, the static routes that are pointing to the faulty MPLS router will not take precedence and the default route will kick in? Or maybe I should use some sort of tracking mechanism on the core switch; note this is a 6500 series switch at each site.
I have attached a file showing the diagram to show you my design so you know what I am referring to.
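As an added example (not from the original poster, and not a Check Point or Cisco-supplied configuration), this is what the "tracking mechanism on the core switch" idea from the post looks like on a Catalyst 6500 with IOS IP SLA and object tracking. A plain static route only goes away when its own next hop (the local MPLS router) becomes unreachable, which is exactly what does not happen when a remote MPLS router dies, so the track object has to probe something on the far side of the MPLS cloud instead. All addresses below are placeholders I assumed for the illustration; the VLAN name and the IOS command syntax (`ip sla` form, 12.2(33)SXH and later; older SX trains use `ip sla monitor` / `rtr` with the same structure) are assumptions as well.

```cisco
! Added example, not from the original post. Catalyst 6500, IOS with "ip sla" syntax.
! Assumed placeholder addresses:
!   192.0.2.1   local MPLS router (next hop for the primary static routes)
!   192.0.2.2   local Check Point firewall (next hop for the floating static / VPN)
!   10.148.1.1  an address at the remote site that is only reachable across MPLS
!               (for instance the remote core switch SVI), used as the probe target
!
! 1. Pin the probe target to the MPLS path. Without this host route the probe would
!    follow the floating static across the VPN after failover, succeed, bring the
!    track object back up and flap the primary route.
ip route 10.148.1.1 255.255.255.255 192.0.2.1
!
! 2. ICMP probe across the MPLS cloud to the remote site every 5 seconds,
!    declared failed if no reply within 1000 ms.
ip sla 10
 icmp-echo 10.148.1.1 source-interface Vlan100
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! 3. Track object follows probe reachability; the delays dampen short blips
!    (15 s before declaring down, 30 s of continuous success before declaring up).
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! 4. Primary route to the remote subnet via the MPLS router is installed only while
!    track 10 is up; when it is withdrawn the floating static (AD 250) via the
!    firewall takes over and traffic rides the VPN.
ip route 10.148.1.0 255.255.255.0 192.0.2.1 track 10
ip route 10.148.1.0 255.255.255.0 192.0.2.2 250
```

Repeat steps 1 to 4 per remote subnet (one probe target and one track object per remote site is enough; several static routes can reference the same track). Verify with `show track 10`, `show ip sla statistics 10` and `show ip route 10.148.1.0`: while the probe succeeds the /24 shows next hop 192.0.2.1, and after the remote router is lost it should show 192.0.2.2 once the down delay has expired. The firewall itself still needs its own routes for the remote subnets through the VPN and the matching configuration at the remote site, otherwise the core switch will hand traffic to the firewall and the firewall will drop it.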