firewall nic (sub interface) -> switch (vlan xxx) -> IVE external port + IVE internal port -> switch (vlan yyy) -> firewall nic (sub interface) -> internal net
The use of the switches also lends itself to clustering.
Mark - there is no need for the 2nd port / vlan connection, if you can config using a one-armed approach. Inbound and outbound traffic would still be firewalled. The benefit of the one-armed approach is that you can keep your dmz-based devices physically and logically separate from your internal devices. The only devices with interfaces on the clean and dirty/semi-dirty (i.e. dmz) segments of your network would be your firewalls. This is beneficial in many ways.
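To make the separation argument in the reply checkable rather than a matter of taste, here is a small topology model (an added example written for this thread, not configuration posted by Mark or anyone else). Segment and device names are hypothetical; "vlan_xxx" and "vlan_yyy" stand for the VLANs in Mark's diagram. It encodes three layouts: Mark's two-port design where both VLANs terminate on firewall sub-interfaces, a constructed contrast where the IVE internal port is patched straight into the internal LAN, and the one-armed design. Two checks are run over each: which non-firewall devices have interfaces spanning more than one trust class, and from which untrusted segments the internal network is reachable once the firewalls are taken out of the graph.

```python
"""Constructed model of the IVE deployment layouts discussed in the thread.

Not configuration from the original posts: device names, segment names and
trust classes are assumptions made for this example.
"""
from collections import deque

# Trust class per segment: 'dirty' = Internet side, 'semi' = DMZ VLANs,
# 'clean' = internal network.
TRUST = {
    "outside": "dirty",
    "vlan_xxx": "semi",
    "vlan_yyy": "semi",
    "internal": "clean",
}

FIREWALLS = {"firewall"}

# Each topology maps device -> set of segments its interfaces sit on.
# Mark's two-port design: IVE external port on vlan xxx, IVE internal port on
# vlan yyy, both VLANs terminated on firewall sub-interfaces.
TWO_ARMED_VIA_FW = {
    "firewall": {"outside", "vlan_xxx", "vlan_yyy", "internal"},
    "ive": {"vlan_xxx", "vlan_yyy"},
}

# Constructed contrast (not from the thread): IVE internal port plugged
# directly into the internal LAN, so the IVE itself spans DMZ and clean.
TWO_ARMED_DIRECT = {
    "firewall": {"outside", "vlan_xxx", "internal"},
    "ive": {"vlan_xxx", "internal"},
}

# One-armed design from the reply: a single IVE interface on the DMZ VLAN.
ONE_ARMED = {
    "firewall": {"outside", "vlan_xxx", "internal"},
    "ive": {"vlan_xxx"},
}


def bridging_devices(topology):
    """Non-firewall devices whose interfaces span more than one trust class."""
    found = []
    for dev, segs in sorted(topology.items()):
        if dev in FIREWALLS:
            continue
        if len({TRUST[s] for s in segs}) > 1:
            found.append(dev)
    return found


def reachable_segments(topology, start, skip=frozenset()):
    """Segments reachable from `start`, hopping only through devices not in `skip`."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for dev, segs in topology.items():
            if dev in skip or seg not in segs:
                continue
            for nxt in segs:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def unfirewalled_paths_to_internal(topology):
    """Untrusted segments from which 'internal' is reachable with every
    firewall removed from the graph, i.e. paths that bypass firewalling."""
    bad = []
    for seg, cls in sorted(TRUST.items()):
        if cls == "clean":
            continue
        if "internal" in reachable_segments(topology, seg, skip=FIREWALLS):
            bad.append(seg)
    return bad


def audit(topology):
    return {
        "bridging": bridging_devices(topology),
        "bypass_from": unfirewalled_paths_to_internal(topology),
    }


if __name__ == "__main__":
    for name, topo in [("two-armed via firewall", TWO_ARMED_VIA_FW),
                       ("two-armed direct", TWO_ARMED_DIRECT),
                       ("one-armed", ONE_ARMED)]:
        print(f"{name:24s} {audit(topo)}")
```

Run as a script it reports that Mark's layout and the one-armed layout both keep the firewall on every path and leave the IVE inside the DMZ trust class, which is why the reply says the second port and VLAN buy nothing; only the direct-to-internal variant shows the IVE as a bridging device with a firewall bypass from vlan_xxx. Real deployments would feed this from the switch VLAN database and firewall interface table rather than hand-written dictionaries.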