VLANs over Geographical Boundaries

AKA "Is this stupid from a security standpoint?"

I know the mantra: "Don't use VLANs for security". But I'm having
trouble understanding whether it applies to this particular design. I
proposed an alternate solution to the problem I'm trying to solve in
another newsgroup, and I was told, "You should be using VLANs".

The basics: We just added a second facility and want to increase our
redundancy. We have two hosts that are considered the end-all-be-all
of our business, without these, we're down. We have a nice high
availability configuration in place that requires they be on the same
LAN segment. We also have a nice high speed ethernet link between
the two facilities that accomplishes this goal, but it's caused a
number of issues as far as adding further redundancy to our network.

So, I have the following solution in mind. The advantages are
plentiful as far as saving money and easing expansion, but we have a
major concern about it: It somewhat relies on VLANs to separate
traffic before it enters the firewall.

A diagram would probably help, and ASCII is insufficient, so I threw
this together:

Let me point out a couple things:
(1) The top left and top right areas are two distinct physical
locations. The gigabit ethernet line between the two is all we have to
work with (Well, other than a VPN backup, but that's not in the
(2) The colored lines indicate VLAN separation. Over the gigabit
connection, this would be a trunk, but the other links would likely be
individual fastethernet connections in a 'switchport mode access' type
of setup either to other links or the firewalls.
(3) This isn't everything on our network, though it shows the important
stuff. We like to control access as much as we can at the firewalls.
(4) The firewalls are Check Points and would share state over a
dedicated sync VLAN which isn't pictured. They'd be in a cluster

The scariest part of this diagram is that the Internet traffic coming
in on one VLAN would enter the same switch as the traffic we're trying
most to protect. That is, physically that traffic hits the same switch
before it is inspected by the firewall. Logically, though, it has to
go through a firewall, but is that enough? Additionally, my company is
of the opinion that you can't really trust your LANs, and they would
also hit the switches first. So if VLAN hopping is a realistic
problem, both Internet and LAN traffic could conceivably bypass the
firewalls through some evildoer chicanery.

If VLAN hopping can be mitigated to the point of "no known attacks",
then the advantages are many. There are cost savings, and really easy
ways to add further redundancy. It scales pretty well, and our single
points of failure actually go down compared to most alternate

Is this a bad idea from a security standpoint? Any obvious problems
I'm overlooking? Is this sound from a security, stability, and
scalability point of view?

Any input would be appreciated.
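As an added example (not part of the original post, and not a vendor tool), the following script audits an IOS-style switch configuration for the settings that come up whenever VLAN hopping is discussed: ports still negotiating trunks via DTP, access ports left on VLAN 1, and a trunk whose native VLAN is VLAN 1 or is shared with an access port. It runs over two constructed excerpts in the style of the design described above (access ports toward the firewalls, one dot1q trunk over the inter-site gigabit link): a weak one and a hardened one. The interface names and VLAN numbers are constructed, and the script assumes that a port with no explicit `switchport mode` is in DTP-dynamic mode, which is the factory default on many Catalyst models.

```python
"""Audit an IOS-style switch config for VLAN-hopping exposure.

Added example, not from the original post or any vendor tool. Flags ports
that still negotiate trunking via DTP, access ports on VLAN 1, and trunks
whose native VLAN is 1 or shared with an access port. All interface names
and VLAN numbers are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt in the style of the poster's design (trunk over the inter-site link).
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport access vlan 1
 switchport mode access
!
"""

# The same ports hardened: DTP off, an otherwise unused native VLAN, nothing on VLAN 1.
HARDENED_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
!
"""

@dataclass(frozen=True)
class Finding:
    interface: str
    check: str
    detail: str

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS-style config into {interface name: [its commands]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith("!"):
            current = None  # '!' closes the stanza
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections

def _first(cmds: list[str], pattern: str, default: str) -> str:
    for cmd in cmds:  # group 1 of the first matching command, else default
        if (m := re.match(pattern, cmd)):
            return m.group(1)
    return default

def audit(config: str) -> list[Finding]:
    """Return one Finding per weak setting; an empty list means clean."""
    findings, access_vlan, trunks = [], {}, []
    for name, cmds in parse_interfaces(config).items():
        # Assumption: no explicit mode is treated as DTP-dynamic (common Catalyst default).
        mode = _first(cmds, r"switchport mode (\S+)", "dynamic")
        nonegotiate = "switchport nonegotiate" in cmds
        if mode == "dynamic":
            findings.append(Finding(name, "dtp-dynamic", "port negotiates trunking via DTP; pin it to access or trunk and add 'switchport nonegotiate'"))
        elif mode == "access":
            vlan = _first(cmds, r"switchport access vlan (\d+)", "1")  # IOS default is VLAN 1
            access_vlan[name] = vlan
            if vlan == "1":
                findings.append(Finding(name, "access-vlan-1", "access port on default VLAN 1"))
            if not nonegotiate:
                findings.append(Finding(name, "dtp-frames", "access port still emits DTP frames; add 'switchport nonegotiate'"))
        elif mode == "trunk":
            trunks.append((name, cmds))
    for name, cmds in trunks:  # second pass: every access VLAN is known by now
        native = _first(cmds, r"switchport trunk native vlan (\d+)", "1")
        if "switchport nonegotiate" not in cmds:
            findings.append(Finding(name, "trunk-dtp", "trunk still negotiates; add 'switchport nonegotiate'"))
        if native == "1":
            findings.append(Finding(name, "native-vlan-1", "native VLAN left at 1; move it to an unused VLAN"))
        shared = sorted(p for p, v in access_vlan.items() if v == native)
        if shared:
            findings.append(Finding(name, "native-vlan-shared", f"native VLAN {native} is also the access VLAN of {', '.join(shared)}; use one no access port carries"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *audit(cfg), sep="\n  ")
```

Running it lists six findings for the weak excerpt (three on the trunk, one on the dynamic port, two on the VLAN 1 access port) and none for the hardened one. Pointing `audit()` at a real `show running-config` capture is a quick way to confirm that every port feeding the firewalls is pinned with `switchport mode access` and `switchport nonegotiate`, and that the inter-site trunk's native VLAN is one nothing else uses.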