Goal: To create a ring-protected network like SONET networks, but using Ethernet switches to lower cost. EX switches with either 1-gig or 10-gig uplink modules can be used to build the ring, and OSPF with BFD can help route around any failures. For increased fault tolerance, two EX-4200 switches per site would add redundant routing engines to each site, and would also allow a site to stay online during a single switch failure (provided its downstream resources are doubly connected).

One problem with traditional designs like this is the requirement for many ACLs on each node of the ring to prevent traffic in one VLAN from reaching another VLAN. By putting the interfaces into different routing-instances, we can isolate each VLAN's traffic from the others, and by virtualizing the uplinks into multiple logical interfaces, we can isolate the uplinks as well. Routes can be injected down into multiple different routing instances from firewalls, etc. attached at any node.
Please feel free to comment, and note that the configurations have been somewhat sanitized, so please forgive any errors that you may find.
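To make the isolation idea concrete, here is a minimal sketch of one ring node in Junos `set` format. It is an added example, not one of the author's sanitized configurations: the instance names (RED, BLUE), VLAN IDs, port, BFD timers and documentation-range addresses are all assumptions, and it uses the EX-4200-style `vlan.N` routed VLAN interfaces. Only one ring-facing port is shown; the second ring port on the node would repeat the same pattern.

```junos
# Constructed sketch for one ring node. Instance names, VLAN IDs, the port,
# BFD timers and addresses are placeholders, not values from the author's network.

# One physical ring uplink, split into one logical unit per routing instance
set interfaces ge-0/1/0 vlan-tagging
set interfaces ge-0/1/0 unit 100 vlan-id 100
set interfaces ge-0/1/0 unit 100 family inet address 192.0.2.1/30
set interfaces ge-0/1/0 unit 200 vlan-id 200
set interfaces ge-0/1/0 unit 200 family inet address 192.0.2.5/30

# Local access VLANs, each with its own routed VLAN interface
set vlans RED vlan-id 10
set vlans RED l3-interface vlan.10
set vlans BLUE vlan-id 20
set vlans BLUE l3-interface vlan.20
set interfaces vlan unit 10 family inet address 198.51.100.1/25
set interfaces vlan unit 20 family inet address 203.0.113.1/25

# RED instance: owns only its own uplink unit and its own VLAN interface.
# Its routing table is separate, so no ACL is needed to keep BLUE out.
set routing-instances RED instance-type virtual-router
set routing-instances RED interface ge-0/1/0.100
set routing-instances RED interface vlan.10
set routing-instances RED protocols ospf area 0.0.0.0 interface ge-0/1/0.100 bfd-liveness-detection minimum-interval 300
set routing-instances RED protocols ospf area 0.0.0.0 interface ge-0/1/0.100 bfd-liveness-detection multiplier 3
set routing-instances RED protocols ospf area 0.0.0.0 interface vlan.10 passive

# BLUE instance: same physical uplink, different logical unit and OSPF domain
set routing-instances BLUE instance-type virtual-router
set routing-instances BLUE interface ge-0/1/0.200
set routing-instances BLUE interface vlan.20
set routing-instances BLUE protocols ospf area 0.0.0.0 interface ge-0/1/0.200 bfd-liveness-detection minimum-interval 300
set routing-instances BLUE protocols ospf area 0.0.0.0 interface ge-0/1/0.200 bfd-liveness-detection multiplier 3
set routing-instances BLUE protocols ospf area 0.0.0.0 interface vlan.20 passive
```

After commit, `show route table RED.inet.0` should list no BLUE prefixes, which is the check that replaces auditing per-node ACLs. Any path between the two instances then exists only where a device such as a firewall is deliberately attached to both.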