Route VLAN across WAN (MPLS)

Andrew Schulz
Level 1

Hi,

I'm working on segmenting my network for users that are members of Finance. These users are distributed among several locations, each site is connected over MPLS Layer 2 network. At Site A I have a VLAN 10 setup with the Finance users at that location as members, those users on that LAN can communicate as expected. Now, I need users at Site B that are members of Finance to be able to communicate on that same VLAN.

How would I accomplish this? Do I need to setup QinQ? 

Any guidance would be appreciated. 

Thank you...

11 Replies

michael o'nan
Level 4

If it is just a layer 2 connection then you should be able to pass VLANs without using QinQ. Or are the sites routed layer 3?

My mistake, yes I am routing between sites.

What devices terminate the connection?

Would the requirement be that users at Site B need to be on the same subnet as Site A? Or could you designate a finance VLAN at Site B and just make sure they are able to route between sites? 


At Site A I have a Cisco 7204VXR, at Site B I have an HP Procurve 3500yl with standard licensing. I just discovered that I need Premium licensing to run QinQ on that device. So that is not an option.


Originally, I wanted them on the same subnet if possible. However, it's not mandatory and I could just route between sites.

I think you just answered your own question then. Now you can determine if static or dynamic routing is the best approach for this. 

I'm going to make some assumptions about the HP switch as I have no knowledge of it.

If you need them on the same subnet you could use sub interfaces on the 7204. You can have VLAN 10 extend to Site B this way. Site B would have the HP switch and a trunk (or access depending on other requirements) to the L2 MPLS. The users at Site B would basically use Site A as the gateway.

Thank you for talking through this. So, I setup the following and when I trace route it loops at the remote site.

Site A

  • VLAN 10 - 172.16.100.0/24
  • Firewall (Gateway) - 172.16.100.1
  • Client 1 - 172.16.100.2

Site B

  • VLAN 10 - 172.16.121.0/24
  • Router VLAN 10 IP - 172.16.121.1


I have a route on the firewall to the core router at Site A 172.16.121.0/24 to 10.0.0.1. Note: Core Router WAN interface is 172.16.200.1

On the core router I have a route to Site B 172.16.121.0/24 to 172.16.200.21 

On the Router at Site B I created a VLAN (id 10) with an IP of 172.16.121.1

Note: Router at Site B WAN interface is 172.16.200.21

Trace Route results
  1    <1 ms    <1 ms    <1 ms  172.16.100.1
  2    <1 ms    <1 ms    <1 ms  10.0.0.1
  3     9 ms     8 ms     8 ms  172.16.200.21
  4     1 ms     1 ms     1 ms  172.16.200.1
  5     5 ms     6 ms     4 ms  172.16.200.21
  6     2 ms     2 ms     2 ms  172.16.200.1
  7     6 ms     6 ms     6 ms  172.16.200.21


The information would be easier to understand if you could provide a diagram with interfaces and what is routing where.

So VLAN10 is on the firewall. You have a route for VLAN10 to go to the router. On the router you should have a route to the VLAN 10 subnet at Site B. You will also need return routes. Or you could bypass this with OSPF if your L3 switch supports it.

Ok, so the routing works as I described above. One interesting note is that the loop occurs if no device is attached. Once I connected a laptop to that subnet the loop did not occur. Learn something new every day. 

At this point my routing is good. Now I need to figure out how to secure the VLAN at Site B as it is not behind a firewall. I'm thinking an ACL will do the trick?

Also, my L3 switches (HP Pro) do not support OSPF without the premium license. 


You could definitely use an ACL to restrict access. If you need to restrict access within Site B then I would do the ACL there. If you just need to restrict what VLAN 10 has access to coming from Site B to A then you could apply it on your 7204 MPLS facing interface.

Since I'm controlling access at Site A via a Firewall, I think what I need is to control access to VLAN 10 at Site B. 


What I want ultimately is to deny all subnets with the exception of 172.16.1xx.0 at all sites. This is the first site where I am setting this up; I will have several others.

Thank you for your help on this. I think I knew this in theory and just needed someone to walk through it with me. I now have an ACL on the VLAN 10 interface at Site B that permits 172.16.100.0 0.0.0.255. Implicit deny on everything else. 


Works. 
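The ACL the thread ends on (permit 172.16.100.0 0.0.0.255 on the Site B VLAN 10 interface, implicit deny on everything else) evaluated against constructed packets, as an added example that is not part of the original thread and does not reproduce any vendor CLI; it models Cisco-style wildcard-mask matching with first-match semantics so the implicit deny at the end of the list can be seen explicitly, and the multi-site list shows how the "172.16.1xx.0 at all sites" goal becomes one permit per finance subnet.

```python
import ipaddress

# "any" expressed as base 0.0.0.0 with an all-ones wildcard (every bit is don't-care)
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco-style wildcard mask (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must be equal
    return a & care == b & care


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"  # implicit deny: nothing else is allowed onto the finance VLAN


# The single-entry ACL from the thread: only the Site A finance subnet is permitted.
SITE_B_VLAN10_ACL = [
    ("permit", "172.16.100.0", "0.0.0.255", *ANY),
]

# Constructed finance subnets for several sites (hypothetical beyond the two in the thread):
# one permit per site realises "deny everything except 172.16.1xx.0 at all sites".
FINANCE_SUBNETS = ["172.16.100.0", "172.16.121.0", "172.16.130.0"]
MULTI_SITE_ACL = [("permit", net, "0.0.0.255", *ANY) for net in FINANCE_SUBNETS]


def check_site_b() -> dict:
    """Constructed packets toward a Site B finance host (172.16.121.10)."""
    return {
        "siteA_finance_host": evaluate(SITE_B_VLAN10_ACL, "172.16.100.2", "172.16.121.10"),
        "core_router_wan": evaluate(SITE_B_VLAN10_ACL, "172.16.200.1", "172.16.121.10"),
        "firewall_inside": evaluate(SITE_B_VLAN10_ACL, "10.0.0.1", "172.16.121.10"),
        "third_site_finance": evaluate(MULTI_SITE_ACL, "172.16.130.7", "172.16.121.10"),
        "third_site_non_finance": evaluate(MULTI_SITE_ACL, "172.16.131.7", "172.16.121.10"),
    }


if __name__ == "__main__":
    for name, verdict in check_site_b().items():
        print(f"{name:24s} {verdict}")
```

Whether "in" on a VLAN interface filters packets arriving from the VLAN's hosts or packets leaving toward them is platform-specific, so the direction the ACL is bound in decides whether the source or destination field carries the finance subnet.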
