In this post, we will configure FAUCET to use tagged and untagged ports in the same VLAN (via a trunk), so that processing can be offloaded to a Linux host (in this case, FAUCET runs on the same host, but it does not have to). The following diagram shows two hosts, each in their own untagged VLAN. The NFV host has a dataplane connection as well, which is in both VLANs and tagged, so that the host knows which packets belong to which port (potentially, you could have one VLAN per port).
On the NFV host (assuming eth0 is the trunk port), you bridge eth0.2001, eth0.2002, and so on to containers. Within the containers you run the iptables rules or network services appropriate to that VLAN's policy. If you use OVS as the bridge (rather than plain Linux bridging), and you have a NIC that supports DPDK, it may be possible to offload some firewall rules to hardware on the host as OpenFlow flows.
```yaml
1:
    acl_in: 99
acls:
    99:
        - rule:
            dl_src: 11:22:33:44:55:66
            actions:
                allow: 0
        - rule:
            actions:
                allow: 1
```
This ACL drops, on input to port 1, any packet whose source is the given MAC address; everything else is allowed. It can prevent a machine on that port from spoofing the MAC address of the NFV host, for example.
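To tie the trunk topology and the ACL together, here is a complete faucet.yaml for the setup described above. It is an added example, not configuration from the original post: the datapath name nfv-sw, the placeholder dp_id, the port numbers (hosts on 1 and 2, the NFV host's trunk on 3), and the use of 11:22:33:44:55:66 as the NFV host's MAC are all assumptions. The VLAN ids 2001 and 2002 match the eth0.2001 and eth0.2002 sub-interfaces on the NFV host.

```yaml
# Added example faucet.yaml (not from the post). Assumptions: one datapath
# "nfv-sw" with placeholder dp_id 0x1, hosts on ports 1 and 2, the NFV
# host's trunk (eth0) on port 3, and 11:22:33:44:55:66 as the NFV host MAC.
vlans:
    2001:
        description: "host A segment, untagged on port 1, tagged on the trunk"
    2002:
        description: "host B segment, untagged on port 2, tagged on the trunk"

dps:
    nfv-sw:
        dp_id: 0x1                 # placeholder; use your switch's datapath id
        hardware: "Open vSwitch"
        interfaces:
            1:
                description: "host A"
                native_vlan: 2001  # untagged member of VLAN 2001
                acl_in: 99         # anti-spoofing ACL on the host-facing port
            2:
                description: "host B"
                native_vlan: 2002  # untagged member of VLAN 2002
                acl_in: 99
            3:
                description: "trunk to NFV host eth0"
                tagged_vlans: [2001, 2002]   # carries both VLANs with 802.1Q tags

acls:
    99:
        # Drop anything arriving from a host port that claims the NFV host's
        # source MAC (assumed value), so a host cannot impersonate it.
        - rule:
            dl_src: 11:22:33:44:55:66
            actions:
                allow: 0
        # Everything else is forwarded normally within the port's VLAN.
        - rule:
            actions:
                allow: 1
```

The ACL is attached only to the host-facing ports; attaching it to the trunk port as well would drop the NFV host's own legitimate frames, since those carry the same source MAC the rule is meant to block.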