Sorry didnt get it

I want 10.20.100.0/24 (Site B) subnet behind the firewall in SIte A which is a routed link. clear?

will the attached work using VRF on the switches?

basically I am using a link from FW to Switch A (VRF-1) and from Switch A - Switch B (same VRF) and creating the SVI on Switch B for 10.20.100.x/24 (VRF-1) and addin static route "ip route VRF-1 0.0.0.0 0.0.0.0 10.10.253.2 (IP address of FW) - will this work?

Your first post vs new post not really matched as per requirement you mentioned earlier.

VRF, is seperate instance of routing, as long as the Routing and rechability available there is no reason i see failing here.

until i misunderstood your requirement.

ok let me be clear in requirement

Site A which has Switch A and FW - these are in 10.10.0.0/16 subnet

Site B which has Switch B - this site is in 10.20.0.0/16 subnet. however I want 10.20.100.0/x subnet ALONE behind the firewall due to security restrictions in my organization. so the vrf method which i posted above will work?

The physical users are located in Site B where their laptop should have 10.20.100.0/24. these will need access back to 10.10.0.0/16 but will need to go through firewall 

if I have it behind the firewall how will I extend the plan over the routed link to Site B? hence vrf configuration to bring it back

that is what I suggested. if the users are behind FW, they can reach to 10.10.0.0/16 network below method of the network path.

users-10.20.100.0/24---FW----SWTA --SWB -- your destination IP.

or you can also have different segment directly connected to SwitchB with L2 / L3 extension.(if you do not like to have SWITCH A intervention in the network)

yes you can use below path with routed link as mentioned other post. below path.

users-10.20.100.0/24---FW----SWTA --SWB -- your destination IP.

Hello
Below is a working topology for hosts in the vrf subnet on swB to reach hosts in the same vrf  on swA>
As for accessing host in the global network 10.20.0.0/16 on swB  A vrf host will  traverse the vrf link to SwA and then it routed out of it own vrf into the global rib back to swB over the non vrf link.

THB you wouldn't really require any vrf with just two subnets  if you then it leaked back to the global route table. access control can be accomplished just by access-lists.

Anyway below I have used sub-interfaces i dont have any l3 switch but the L3 addressing and routing would be the same, also I have applied a RACL to allow only established tcp traffic and deny certain udp traffic (if any) from the global subnet into the vrf.

Switch A
interface FastEthernet0/1
description link to SwB
ip address 10.10.254.1 255.255.0.0

interface FastEthernet2/0
description VRF link to SwB
ip vrf forwarding stan
ip address 10.10.253.6 255.255.255.252

router eigrp 10
network 10.10.254.1 0.0.0.0
no auto-summary

router eigrp 100
no auto-summary
address-family ipv4 vrf stan
network 10.10.253.6 0.0.0.0
redistribute static <---------------redistributes global subnet to SwB vrf rib
no auto-summary
autonomous-system 100
exit-address-family

ip route 10.10.253.4 255.255.255.252 FastEthernet2/0 <---------makes global rib awre of vrf
ip route vrf stan 10.20.0.0 255.255.0.0 10.10.254.2 global <----add global subnet into vrf

Switch B
interface FastEthernet0/1
description link to SwA
ip address 10.10.254.2 255.255.0.0

interface FastEthernet0/0.10
description Global subnet
encapsulation dot1Q 10
ip address 10.20.0.2 255.255.255.0

interface FastEthernet0/0.100
description vrf subnet
encapsulation dot1Q 100
ip vrf forwarding stan
ip address 10.20.100.2 255.255.255.0
ip access-group 100 out

router eigrp 10
network 10.10.254.2 0.0.0.0
network 10.20.0.2 0.0.0.0
no auto-summary

router eigrp 100
no auto-summary
address-family ipv4 vrf stan
network 10.10.100.2 0.0.0.0
network 10.10.253.5 0.0.0.0
no auto-summary
autonomous-system 100

ip route 10.20.100.0 255.255.255.0 FastEthernet0/0.100 <---------makes global rib aware of vrf

access-list 100 permit icmp 10.20.0.0 0.0.255.255 any echo-reply
access-list 100 deny icmp 10.20.0.0 0.0.255.255 any
access-list 100 permit udp 10.20.0.0 0.0.255.255 any range bootps bootpc
access-list 100 permit udp 10.20.0.0 0.0.255.255 any eq domain
access-list 100 deny udp 10.20.0.0 0.0.255.255 any
access-list 100 permit udp any any
access-list 100 permit tcp 10.20.0.0 0.0.255.255 any established
access-list 100 deny tcp 10.20.0.0 0.0.255.255 any
access-list 100 permit ip any any

had a link again but cant we route the 10.20.100.x subnet along through the firewall?

can you please tell me if this will work? 

Switch B (10.10.254.2) -> (10.10.254.1) Switch A ( 10.10.255.1) -> FW (10.10.255.2) - all running eigrp

Switch B (10.10.253.5/30 - VRFXX) -> (10.10.253.6/30- VRFXX) Switch A (10.10.253.1/30-VRFXX) -> (10.10.253.2/30) FW 

the FW will have an ip route saying "ip route 10.20.100.0/24 go through 10.10.253.5 (switch b)

on Switch B, I have the SVI for 10.20.100.0/24 

This means

- from Switch B to Internet for traffic 10.20.100.0/24 as source traffic will flow through Switch A VRFXX and then go through firewall

- From switch B (10.20.100.x) to other subnet traffic in Switch A will go through vrfxx and then to firewall and firewall will then pass this through 10.10.255.x subnet to switch A. since it goes through firewall, it will be ACL

will the above work?