How to allow two (or multiple) IP Subnets over a single Layer2 Link without using VLANs?

Hi Experts!

We've got two sites, each having two (maybe more in the future) IP subnets:
Subnet 1: 10.1.x.x DMZ
Subnet 2: 10.2.x.x LAN

Site A has the IP feed and the firewall connecting the IP feed, LAN, DMZ together
Site B has only the two subnets LAN and DMZ

Site A: ISP, Firewall, Subnet 1, Subnet 2
Site B: Subnet 1, Subnet 2

At each site each subnet has its own cabling and switches. They are only interconnected by the firewall.

We need to extend both subnets across both sites.
I believe the most straightforward answer would be to use the existing 100Mbit Layer 2 Link that connects both sites together with VLANs.
However the link connecting the two sites we have received from our ISP already is using VLANs on the ISP side.
According to my knowledge it is not possible that we use VLANs on top of this.
Q1: Is my assumption correct, that it is not possible to have VLANs inside VLANs?
Q2: What would be a possible solution to extend both subnets across both sites in 'the most secure' manner, e.g. ensuring that for servers connected to the DMZ subnet no LAN traffic could be sniffed off the wire?

Should you require further information I'll be glad to provide it.

The provider should be able to stack VLANs using "Q-in-Q".

If they can't, you might want to move the firewall to site 2.  Bridging will be a real challenge.

If that doesn't work, you could add an incredible amount of complexity by tossing in two routers and doing Ethernet over MPLS, but I doubt you'd want to go that route.
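What the Q-in-Q stacking mentioned in the answer above looks like on the wire, as an added example that is not part of the original answer: a parser that walks the stacked VLAN tags of an Ethernet frame and checks that each frame on the inter-site link carries the provider's outer tag plus a known customer inner tag. The VLAN IDs (300, 10, 20), the MAC addresses and the function names are constructed for illustration.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q C-tag, 802.1ad S-tag, and the
# pre-standard Q-in-Q value some switches still use for the outer tag.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def parse_vlan_stack(frame: bytes):
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids, ethertype, frame[offset + 2:]

def build_frame(tags, ethertype, payload=b""):
    """Constructed test frame; tags is a list of (tpid, vid), outermost first."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload

def classify(frame, s_vid, segments):
    """Map a frame seen on the inter-site link to a segment, or flag it."""
    vids, _, _ = parse_vlan_stack(frame)
    if len(vids) != 2 or vids[0] != s_vid:
        return "unexpected-tagging"  # not provider tag + exactly one customer tag
    return segments.get(vids[1], "unknown-c-vid")

# Constructed IDs (assumptions): provider S-VID 300, customer C-VIDs 10 and 20.
S_VID = 300
SEGMENTS = {10: "DMZ", 20: "LAN"}

if __name__ == "__main__":
    samples = [
        build_frame([(0x88A8, 300), (0x8100, 10)], 0x0800),  # DMZ inside S-tag
        build_frame([(0x88A8, 300), (0x8100, 20)], 0x0800),  # LAN inside S-tag
        build_frame([(0x88A8, 300)], 0x0800),                # no customer tag
    ]
    for f in samples:
        print(parse_vlan_stack(f)[0], classify(f, S_VID, SEGMENTS))
```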

My advice is to make site 'B' a stand alone system (have its own ISP). Then use routing, IPSEC, and PPTP, to access between the sites. That would make it easier to administrate, and have more security options...Hope this helps...Booda2us