Just want to mention' I think you need also VRF route leaking in Core to interconnect vrf (if needed).

Firewall is connected to the core router to apply security policies/routing between different domanins. 

Thanks a lot for the prompt response. May I know if this kind of a setup is usually implemented in production environment of a large campus networks ? or Is this only for a setup for lab simulation ?

The separation done in 

L2 via VLAN' this easy to achieve and apply to 90% data center network 

L3 via VRF this hard to config and I see it only in few data center that connect to MPLS and the label is extended from MPLS SP to customer DC. 

Thanks a lot for getting back . I have some followup questions for your replies.

1. If we have 10 distribution switches in the network and  multiple vlans for one domain terminating in different Distribution switches (i.e. vlan 200 - 230 for voice vlans) then a default route won't work to have inter communication between vlans right ?

2. from Access to Distribution layer, do we have to configure a trunk port (for the uplink) in the Access switch side and sub interfaces in the Distribution switch side ( and assign sub interefaces to the each vrf)

appreciate your feedback

1. If we have 10 distribution switches in the network and multiple vlans for one domain terminating in different Distribution switches (i.e. vlan 200 - 230 for voice vlans) then a default route won't work to have inter communication between vlans right ?

  Communication between vlan will have on the Distribution switch. You dont need route for that.

The default route I mentioned would be for traffic coming from end devices toward the Core/Firewall.

2. from Access to Distribution layer, do we have to configure a trunk port (for the uplink) in the Access switch side and sub interfaces in the Distribution switch side ( and assign sub interefaces to the each vrf)

If you are going to have more than one Vlan at the Access switch, then you need Trunk. 

You dont need subinterface as each Access switch will have its own interface on the Distribution. Subinterface only make sense in a "Router on a Stick" topology.

I believe you topology would look like more or less like this

Thank you for getting back, 

But I still have a confusion, say on Distribution switch 1 voice vlan 200 is terminated, But as of the customers requirement vlan 200 should only communicate with voice vlans. Therefore on distribution switch1 , I have to terminate vlan 200 on a interface in a Voice VRF, or else vlan 200 will be able to communicate with any other vlans (like Data or CCTV). So If I configure the Access switch uplink as a normal trunk port, how are we going to assign the vlan 200 traffic only to the voice VRF in the distribution switch side without having a sub interface ?

can you elaborate more on this point ?

Thanks a lot.

Based on this:

"3. There are multiple services with different domains ( PC Data, Voice, Wireless, CCTV, Door Access Control) which are speerated by different VLANS."

 I understand that Domain will be represented by one VRF. Under this VRF  you will have PC Data, Voice, Wireless, CCTV, Door Access Control, etc.

 If you intend to put each of this service in one VRF and then make them communication afterward by creating leaking between VRF, stop thinking about VRF right now.

 People who creates VRF in order to leak traffic after that, dont need VRF at all.  Use the global routing table and save yourself a lot of time and trouble.

Thank you for the clairfication. appreiciate your time.