We are currently upgrading our Data Center and in the process I would like to implement some form of traffic isolation for this multi-tenant environment. It is a small-medium cloud based environment that currently "lacks" for better words proper traffic isolation for each customer vlan. The design is very simple and straightforward from a high level. Two 6509's with sup7203b that then feed out to 4948's at the access layer. There are also a few seperate routers that peer with carriers to bring customers in via mpls as well. The two 6509's will be tied together with a 20gig port-channel at layer 2 with routing passing over that via an SVI.

I know there is the option of acl's on each vlan interface but that can really be an administrative nightmare in my eyes. VRF-lite seems to be the perfect answer for something like this since it is only going to be one hop from 6500 to 6500. HSRP is also implemented at the 6500's with the active of course being the root for STP. With all of that being said is VRF-lite the way to go? Would it be as simple as just configuring the vrf's and letting them ride across the trunk without the need for subinterfaces? I partially tested this is GNS3 but am looking for some real world experience on a scenario like this. Thanks in advance!